[SCAP-On-Apple] [SCAP-On-Apple-Dev] Mac OS X proposed pkginfo OVAL Test.
Ron Colvin
Ron.Colvin at nasa.gov
Fri Jul 12 08:44:13 PDT 2013
We have already seen many instances where our patch management solution
reports the inventory for all applications including those on backup
drives. If I am trying to plumb the inventory to look at vulnerability
data I don't really need to see the back-up versions of the now patched
MS Office, Adobe Reader, Safari, Firefox etc if they are unlikely to be
used. I am all for a full list of all the executables but I need to be
able to tell between boot volumes and other volumes, especially if they
are rarely mounted.
On 7/12/13 10:34 AM, Shane Shaffer wrote:
>
> On Thu, Jul 11, 2013 at 1:14 PM, Jacobsen, Jasen W. <jasenj1 at mitre.org> wrote:
>
> Great points Shane. Comments inline below.
>
> From: Shane Shaffer <shane.shaffer at g2-inc.com>
> Date: Thursday, July 11, 2013 12:49 PM
> To: MITRE Employee <jasenj1 at mitre.org>
> Cc: "scap-on-apple-dev at lists.macosforge.org" <scap-on-apple-dev at lists.macosforge.org>,
> "scap-on-apple at lists.macosforge.org" <scap-on-apple at lists.macosforge.org>,
> oval-developer-list OVAL Developer List/Closed Public Discussion <oval-developer-list at lists.mitre.org>
> Subject: Re: [SCAP-On-Apple] Mac OS X proposed pkginfo OVAL Test.
>
> Since the target volume can often be specified during
> installation, it seems that we would need to specify the volume.
> However that is going to require the ability to enumerate the
> volumes via OVAL, and an existing way to do that isn't jumping out
> at me.
>
> Jasen: I think there are two "volumes" in play here. One is the
> command option "--volume" which tells pkgutil which volume's
> receipt database to check (I'm pretty sure). Second is the volume
> reported by "--pkg-info" which is the volume the package is
> installed on. So something installed to a different volume could
> have its receipt info on the boot volume. Would OVAL need/want to
> check the receipt database on multiple volumes? Or is the boot
> volume sufficient? Clarification from Apple or someone else who
> really knows this would be helpful.
>
>
> I have a system with two volumes, the boot volume and one named
> Partition2. I installed an application on Partition2. If I run
> "pkgutil --pkgs" that package is not listed. If I run "pkgutil --pkgs
> --volume /Volumes/Partition2" then it is listed. So it appears that
> querying the receipt database is volume specific. If I subsequently
> install the same application on the root volume, then it shows up as
> you'd expect via "pkgutil --pkgs" and there appears to be no link
> between the two installs. I would think that just checking the boot
> volume would be akin to just checking C:\Program Files on Windows -
> overwhelming probability of being the location, but not good enough.
>
--
********************************************************
Ron Colvin CISSP, CAP, CEH
Certified Security Analyst
NASA - Goddard Space Flight Center
<ron.colvin at nasa.gov>
Direct phone 301-286-2451
NASA Jabber (rdcolvin at im.nasa.gov) AIM rcolvin13
NASA LCS (ronald.d.colvin at nasa.gov)
********************************************************
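
Added example, not part of the original message or of any OVAL test proposal: a shell script that queries each mounted volume's receipt database with the "pkgutil --pkgs --volume" form quoted above and tags every receipt as boot or other, so an inventory can separate the two. The function names, the PKGUTIL override, and the assumption that the boot volume appears under /Volumes as an entry resolving to / are this example's own.

```shell
#!/bin/sh
# Added example: list package receipts per mounted volume, tagged boot/other.
# PKGUTIL and the volumes root are overridable only so the logic can be
# exercised without a Mac; both names are assumptions of this example.

# Print "boot" if the path resolves to /, otherwise "other".
volume_scope() {
    if [ "$(cd "$1" 2>/dev/null && pwd -P)" = "/" ]; then
        echo boot
    else
        echo other
    fi
}

# Emit one line per receipt: scope<TAB>volume<TAB>package-id
inventory_volumes() {
    root=${1:-/Volumes}
    for vol in "$root"/*; do
        [ -d "$vol" ] || continue
        scope=$(volume_scope "$vol")
        # Receipt databases are per volume, so each one is queried explicitly.
        "${PKGUTIL:-pkgutil}" --pkgs --volume "$vol" 2>/dev/null |
        while IFS= read -r pkg; do
            if [ -n "$pkg" ]; then
                printf '%s\t%s\t%s\n' "$scope" "$vol" "$pkg"
            fi
        done
    done
}

# Keep only receipts recorded on the boot volume.
boot_only() {
    awk -F '\t' '$1 == "boot" { print $3 }'
}

# Run the inventory only where pkgutil is actually available.
if command -v pkgutil >/dev/null 2>&1; then
    inventory_volumes /Volumes
fi
```

Piping the output through boot_only gives the package list for the boot volume alone; the full output keeps the other volumes visible for cases where they matter.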