<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">We have already seen many instances
      where our patch management solution reports the inventory for all
      applications including those on backup drives. If I am trying to
      plumb the inventory to look at vulnerability data I don't really
      need to see the back-up versions of the now patched MS Office,
      Adobe Reader, Safari, Firefox etc if they are unlikely to be used.
      I am all for a full list of all the executables but I need to be
      able to tell between boot volumes and other volumes, especially if
      they are rarely mounted.<br>
      <br>
      On 7/12/13 10:34 AM, Shane Shaffer wrote:<br>
    </div>
    <blockquote
cite="mid:CA+K-tmus=0Q+AvyDjdL+8qSjyqpX0F5FToPVitp99Cf5SC-AgQ@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <div dir="ltr"><br>
        <div class="gmail_extra">
          <div class="gmail_quote">On Thu, Jul 11, 2013 at 1:14 PM,
            Jacobsen, Jasen W. <span dir="ltr">&lt;<a
                moz-do-not-send="true" href="mailto:jasenj1@mitre.org"
                target="_blank">jasenj1@mitre.org</a>&gt;</span> wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div
style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
                <div>Great points Shane. Comments inline below.</div>
                <div><br>
                </div>
                <span>
                  <div style="border-width:1pt medium
                    medium;border-style:solid none none;padding:3pt 0in
0in;text-align:left;font-size:11pt;font-family:Calibri;border-top-color:rgb(181,196,223)">
                    <span style="font-weight:bold">From: </span>Shane
                    Shaffer &lt;<a moz-do-not-send="true"
                      href="mailto:shane.shaffer@g2-inc.com"
                      target="_blank">shane.shaffer@g2-inc.com</a>&gt;<br>
                    <span style="font-weight:bold">Date: </span>Thursday,
                    July 11, 2013 12:49 PM<br>
                    <span style="font-weight:bold">To: </span>MITRE
                    Employee &lt;<a moz-do-not-send="true"
                      href="mailto:jasenj1@mitre.org" target="_blank">jasenj1@mitre.org</a>&gt;<br>
                    <span style="font-weight:bold">Cc: </span>"<a
                      moz-do-not-send="true"
                      href="mailto:scap-on-apple-dev@lists.macosforge.org"
                      target="_blank">scap-on-apple-dev@lists.macosforge.org</a>"
                    &lt;<a moz-do-not-send="true"
                      href="mailto:scap-on-apple-dev@lists.macosforge.org"
                      target="_blank">scap-on-apple-dev@lists.macosforge.org</a>&gt;,
                    "<a moz-do-not-send="true"
                      href="mailto:scap-on-apple@lists.macosforge.org"
                      target="_blank">scap-on-apple@lists.macosforge.org</a>"
                    &lt;<a moz-do-not-send="true"
                      href="mailto:scap-on-apple@lists.macosforge.org"
                      target="_blank">scap-on-apple@lists.macosforge.org</a>&gt;,
                    oval-developer-list OVAL Developer List/Closed
                    Public Discussion &lt;<a moz-do-not-send="true"
                      href="mailto:oval-developer-list@lists.mitre.org"
                      target="_blank">oval-developer-list@lists.mitre.org</a>&gt;<br>
                    <span style="font-weight:bold">Subject: </span>Re:
                    [SCAP-On-Apple] Mac OS X proposed pkginfo OVAL Test.<br>
                  </div>
                  <div>
                    <div><br>
                    </div>
                    <div>
                      <div>
                        <div dir="ltr">Since the target volume can often
                          be specified during installation, it seems
                          that we would need to specify the volume.
                          However that is going to require the ability
                          to enumerate the volumes via OVAL, and an
                          existing way to do that isn't jumping out at
                          me.</div>
                      </div>
                    </div>
                  </div>
                </span>
                <div><br>
                </div>
                <div>Jasen: I think there are two "volumes" in play
                  here. One is the command option "--volume" which tells
                  pkgutil which volume's receipt database to check (I'm
                  pretty sure). Second is the volume reported by
                  "--pkg-info" which is the volume the package is
                  installed on. So something installed to a different
                  volume could have its receipt info on the boot volume.
                  Would OVAL need/want to check the receipt database on
                  multiple volumes? Or is the boot volume
                  sufficient?&nbsp;Clarification from Apple or someone else
                  who really knows this would be helpful.&nbsp;</div>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>I have a system with two volumes, the boot volume and
              one named Partition2. I installed an application on
              Partition2. If I run "pkgutil --pkgs" that package is not
              listed. If I run "pkgutil --pkgs --volume
              /Volumes/Partition2" then it is listed. So it appears that
              querying the receipt database is volume specific. If I
              subsequently install the same application on the root
              volume, then it shows up as you'd expect via "pkgutil
              --pkgs" and there appears to be no link between the two
              installs. I would think that just checking the boot volume
              would be akin to just checking C:\Program Files on Windows
              - overwhelming probability of being the location, but not
              good enough.</div>
            <div>&nbsp;<br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 


********************************************************
Ron Colvin CISSP, CAP, CEH
Certified Security Analyst
NASA - Goddard Space Flight Center
<a class="moz-txt-link-rfc2396E" href="mailto:ron.colvin@nasa.gov">&lt;ron.colvin@nasa.gov&gt;</a>
Direct phone 301-286-2451
NASA Jabber (<a class="moz-txt-link-abbreviated" href="mailto:rdcolvin@im.nasa.gov">rdcolvin@im.nasa.gov</a>) AIM rcolvin13
NASA LCS (<a class="moz-txt-link-abbreviated" href="mailto:ronald.d.colvin@nasa.gov">ronald.d.colvin@nasa.gov</a>)
********************************************************
</pre>
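    <div>Added example, not part of the original thread: a shell sketch
      of the per-volume receipt inventory discussed above. It runs
      "pkgutil --pkgs --volume" against every mounted volume and tags
      each receipt as coming from the boot volume or another volume. The
      function names and the PKGUTIL and VOLUMES_DIR override variables
      are hypothetical, and the script assumes the boot volume appears
      under /Volumes as a symlink to "/".</div>
    <pre>
```sh
#!/bin/sh
# Added example: tag each package receipt with the volume it was read from.
# PKGUTIL and VOLUMES_DIR are hypothetical override knobs (not pkgutil options).
PKGUTIL="${PKGUTIL:-pkgutil}"
VOLUMES_DIR="${VOLUMES_DIR:-/Volumes}"

# Print the physical path of a mount point; the boot volume resolves to "/".
resolve_volume() {
    ( cd "$1" || exit 1; pwd -P )
}

# Emit one line per receipt: kind TAB volume TAB package-id.
inventory_volumes() {
    for entry in "$VOLUMES_DIR"/*; do
        [ -d "$entry" ] || continue
        vol=$(resolve_volume "$entry") || continue
        if [ "$vol" = "/" ]; then kind=boot; else kind=other; fi
        # Receipt databases are per volume, so each one is queried explicitly.
        "$PKGUTIL" --pkgs --volume "$vol" | while IFS= read -r pkg; do
            printf '%s\t%s\t%s\n' "$kind" "$vol" "$pkg"
        done
    done
}

# Keep only rows of one kind ("boot" or "other") from inventory_volumes output.
filter_kind() {
    awk -F '\t' -v k="$1" '$1 == k'
}

# Run only where pkgutil is present (macOS).
if [ -n "$(command -v "$PKGUTIL")" ]; then
    inventory_volumes
fi
```
    </pre>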
  </body>
</html>