[SCAP-On-Apple] tickets 42-52, file should not have an extended ACL

Peter Link plink53 at mac.com
Mon Aug 12 07:31:25 PDT 2013

http://scap-on-apple.macosforge.org/trac/report/8

I wasn't looking at the tickets, only the Wiki page, so didn't realize there's been lots of progress made.

Regarding tickets 42-52, I've seen something similar to identifying whether a program/application/executable/file has a particular setting in other OS testing. I presume these were identified by Shawn as files that shouldn't have an extended ACL configured for some reason. I am guessing the person who argued against requiring these tests is Jeffrey Blank, who stated there are thousands of files that could be tested with no real reason for testing them.

OSX has the ability to verify and repair disk permissions using Disk Utility. This process goes through the entire disk, comparing file (and maybe ACL) permissions against a file containing the correct permissions. It includes non-Apple files so it gets updated when non-Apple applications are installed. Having all files properly configured is extremely important since it's an obvious way for malware to attack a system; therefore, I feel file settings are critical to a properly configured Mac. How it's done is up for discussion.

1. Do we create a CCE entry for every check Disk Utility performs when verifying file permissions?

2. Do we create a CCE entry for the Disk Utility file permissions verification process and leave it at that?

How are people intending to use the information gathered by the ACL checks? Would we need a separate OVAL test for each ACL check listed in tickets 42-52 or could we have one CCE and one OVAL test that simply runs:

diskutil verifyVolume MountPoint|DiskIdentifier|DeviceNode

This will return lots of information while running (when using the terminal) but the expected result would be:

The volume MacFusHD appears to be OK 

	(had fun replacing my 2009 iMac's hard drive with an OWC SSD and larger HD, then creating a Fusion drive) 

Would this result, or one that says it needs repairing, be enough to satisfy everyone's desire to validate the proper settings for all OSX program files?

Peter Link
LLNL retired
plink53 at mac.com
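
An added example, not part of the original message or the project's OVAL content: a per-file check for the "should not have an extended ACL" condition that parses `ls -led` output. The sample listing and its paths are constructed placeholders, not the files named in tickets 42-52. It reads the numbered ACL entry lines rather than the `+` flag, because `ls` prints `@` instead of `+` when a file has both extended attributes and an ACL.

```python
import re

# Constructed sample of `ls -led` output on OS X; the paths are placeholders,
# not the files named in tickets 42-52.
SAMPLE = """\
-rw-r--r--  1 root  wheel  1024 Aug 12 07:00 /example/plain.conf
drwxr-xr-x+ 3 root  wheel   102 Aug 12 07:00 /example/with_acl
 0: group:everyone deny delete
-rw-r--r--@ 1 root  wheel   512 Aug 12 07:00 /example/xattr_and_acl
 0: user:guest allow read
 1: group:staff deny write
-rw-r--r--@ 1 root  wheel   512 Aug 12 07:00 /example/xattr_only
"""

ENTRY = re.compile(r"^[-dlbcps][-rwxsStT]{9}[+@]?\s")  # mode string of a listing line
ACE = re.compile(r"^\s+\d+: (.+)$")                    # indented "N: who allow|deny rights"

def parse_acls(ls_output):
    """Map each listed path to its ACL entries (empty list if it has none)."""
    acls, current = {}, None
    for line in ls_output.splitlines():
        ace = ACE.match(line)
        if ace and current is not None:
            acls[current].append(ace.group(1))
        elif ENTRY.match(line):
            # Fields: mode, links, owner, group, size, month, day, time, name
            current = line.split(None, 8)[8]
            acls[current] = []
    return acls

def acl_violations(ls_output, must_not_have_acl):
    """Return checked paths that carry an ACL or are missing from the listing."""
    acls = parse_acls(ls_output)
    findings = {}
    for path in must_not_have_acl:
        if path not in acls:
            findings[path] = ["not listed"]  # cannot be evaluated, so report it
        elif acls[path]:
            findings[path] = acls[path]
    return findings

if __name__ == "__main__":
    for path, aces in acl_violations(SAMPLE, list(parse_acls(SAMPLE))).items():
        print(path, aces)
```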
