[SCAP-On-Apple] [OVAL-DEVELOPER-LIST] OVAL 5.11 Release Goals and Timeline

Haynes, Dan dhaynes at mitre.org
Wed Nov 7 11:58:33 PST 2012

Hi Peter,

Great question!

As a little background for those who may not have seen the announcement go by, Shawn Geddis of Apple recently launched the SCAP-On-Apple project on MacOSForge (http://scap-on-apple.macosforge.org/) which is a community driven project with the following mission.

“The SCAP-On-Apple Open Source Project engages and empowers the SCAP community to strengthen the awareness, knowledge and collaboration on SCAP Content, Tools and Solutions with authoritative data for the Apple Platforms (​OSX and ​iOS).”

The SCAP-On-Apple project is meant to be a collaborative place for those interested in having SCAP support for Apple products and is meant to complement existing efforts.  As you mentioned, I don’t think there are any explicit ground rules so I will give my thoughts on how I see the project fitting in from an OVAL perspective.

From an OVAL perspective, the major benefit will be the authoritative information and reach back into Apple that Shawn Geddis will provide as well as the domain expertise and experience from members of the community who are focused on supporting Apple products.  This is very helpful because we (the OVAL team at MITRE) are not domain experts in all platforms (and cannot be from a resources perspective) and we will be actively looking to the SCAP-On-Apple community help drive support for Apple products in OVAL.

With regards to content development, I think a lot of the discussion (e.g. what settings to check in a security guide, how to check for vulnerabilities, etc.), development, and review would occur on the SCAP-On-Apple mailing lists.  When complete, the SCAP-On-Apple project could then host that content on the project site and make it available to the community.  Or, the project could decide that they want to have an existing repository to host the content.  Both are valid approaches, however, this is a decision that the SCAP-On-Apple project will have to make.  Although from the Contribute page on the wiki (http://scap-on-apple.macosforge.org/trac/wiki/contribute/), it sounds like the project will be maintaining a repository of content specific to Apple products.

As far as the OVAL Language is concerned, I could see the SCAP-On-Apple project as being the incubator for discussing and developing new features needed to fully check Apple platforms with OVAL.  The SCAP-On-Apple project should feel free to use the OVAL Language Sandbox (http://oval.mitre.org/language/sandbox.html) if they would like to implement schema changes.  Once developed, the SCAP-On-Apple project could submit these features to the broader OVAL community (oval-developer-list) for review, discussion, and integration into an official release of OVAL.  I also see it as the go to place when there are questions related to Apple platforms.

Lastly, for tools, it will be a good place to ask questions about how to best implement features as it pertains to Apple products and provide a central location to share code and utilities with other members of the community who are interested in supporting Apple products.

Anyways, those are my thoughts on how it would fit in.  It would be great to hear what others think.



From: Link, Peter R. [mailto:link1 at llnl.gov]
Sent: Tuesday, November 06, 2012 9:16 AM
To: Haynes, Dan
Subject: Re: [OVAL-DEVELOPER-LIST] OVAL 5.11 Release Goals and Timeline


How are you going to integrate OVAL work on OSX/iOS with Apple's SCAP-on-Apple project? I haven't seen any information on what the ground rules are.

On Nov 5, 2012, at 12:50 PM, "Haynes, Dan" <dhaynes at MITRE.ORG<mailto:dhaynes at MITRE.ORG>> wrote:

During the 2012 4th Quarter OVAL Board Meeting and the weeks following, we worked with the OVAL Board to develop goals and a timeline for the OVAL 5.11 release.  Meeting minutes can be found here (http://oval.mitre.org/community/archives/boardminutes/20121015.pdf).  The goals were developed based on what we have been hearing from the community.
3.      Improve Apple support such that the Apple Security Guides and DISA STIGs are fully automatable for OSX and iOS

Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94551-0808
link1 at llnl.gov<mailto:link1 at llnl.gov>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/scap-on-apple/attachments/20121107/7cbc9c87/attachment.html>

More information about the SCAP-On-Apple mailing list