[SCAP-On-Apple] [SCAP-On-Apple-Dev] Mac OS X proposed pkginfo OVAL Test.

Peter Link plink53 at mac.com
Sun Jul 21 06:48:11 PDT 2013


I'd like to ask my original question again. 

What are we trying to find and how does it help define an OVAL test or anything related to the SCAP-on-Apple project?

This started with the pkgutil test to figure out what the version and installation date of specific software was. I don't remember seeing anything related to finding every executable (per David Solin's posting, "Like this? find / -type f -perm +111 -print") on a Windows system, only specific ones.

I commented on some of the initial tickets posted on http://scap-on-apple.macosforge.org but haven't looked at all of the second batch. I'm going to try and focus my effort on helping get these tickets completed so Shawn can release more. 
 


On Jul 20, 2013, at 6:52 PM, Todd Heberlein <todd_heberlein at mac.com> wrote:

> 
> On Jul 16, 2013, at 6:39 AM, Peter Link <plink53 at mac.com> wrote:
> 
>> True, but if that application is still on the Mac, system profiler will find it and report when it was installed/modified. Isn't this what you want any test to show?
> 
> I looked at the output of
> 
> 	system_profiler -xml SPApplicationsDataType
> 
> and it appears to only have .app bundles (e.g., Cocoa applications) and not executable code in general. I couldn't find an argument that would gather all executable code on the system. Anyone know how to search for all executable code on the system (including helper programs)?
> 
> I am also guessing that it uses data provided by the application itself. That is, the applications are "self reporting". From a security point of view, that seems like an issue to me.
> 
> 
> There were two more data types I personally found interesting: SPFrameworksDataType (for some of the framework libraries (but again, not libraries in general)) and SPExtensionsDataType (for kernel extensions).
> 
> 
> In addition to whatever security purposes you are looking for, it seems like this would be nice data to help diagnose why one machine in your fleet doesn't behave like the others.
> 
> Todd
> 
> PS. I'm not on the OVAL mailing list, so if anyone thinks it is appropriate, please forward this email to that list.

Peter Link
LLNL retired
plink53 at mac.com
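
Added example, not part of the original thread or the SCAP-on-Apple project's code: one way to address the "self reporting" concern raised above is to compare the version a bundle reports through `system_profiler -xml SPApplicationsDataType` with the version recorded in the installer receipt from `pkgutil --pkg-info-plist`. Both XML samples are constructed, the key names are assumed from typical output, and the application path and package id are hypothetical.

```python
import plistlib

# Constructed sample shaped like `system_profiler -xml SPApplicationsDataType`
# output (key names are assumptions; check them against a real capture).
PROFILER_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array><dict>
  <key>_dataType</key><string>SPApplicationsDataType</string>
  <key>_items</key><array>
    <dict>
      <key>_name</key><string>ExampleApp</string>
      <key>path</key><string>/Applications/ExampleApp.app</string>
      <key>version</key><string>2.1</string>
      <key>lastModified</key><date>2013-07-01T12:00:00Z</date>
    </dict>
  </array>
</dict></array></plist>"""

# Constructed sample shaped like `pkgutil --pkg-info-plist <pkgid>` output.
RECEIPT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>pkgid</key><string>com.example.pkg.ExampleApp</string>
  <key>pkg-version</key><string>2.0</string>
  <key>install-time</key><integer>1370000000</integer>
</dict></plist>"""

def self_reported_apps(xml_bytes):
    """Return {bundle path: (version, lastModified)} from system_profiler XML."""
    apps = {}
    for section in plistlib.loads(xml_bytes):
        for item in section.get("_items", []):
            apps[item.get("path")] = (item.get("version"), item.get("lastModified"))
    return apps

def compare(apps, app_path, receipt_xml):
    """Compare a bundle's self-reported version with its installer receipt."""
    receipt = plistlib.loads(receipt_xml)
    reported = apps.get(app_path, (None, None))[0]
    recorded = receipt.get("pkg-version")
    return {
        "path": app_path,
        "self_reported": reported,   # taken from the bundle itself
        "receipt": recorded,         # taken from the package database
        "match": reported is not None and reported == recorded,
    }

if __name__ == "__main__":
    apps = self_reported_apps(PROFILER_XML)
    print(compare(apps, "/Applications/ExampleApp.app", RECEIPT_XML))
```

A mismatch is only a prompt to look closer, since an application that updates itself changes its bundle without touching the receipt.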