3.7 Audit Software Inventory

Information

With the introduction of Mac OS X 10.6.6, Apple added a new application, App Store, which resides in the Applications directory. This application allows a user with admin privileges and an Apple ID to browse Apple's online App Store, purchase (including no-cost purchases), and install new applications, bypassing Enterprise software inventory controls. Any admin user can install software in the /Applications directory whether from internet downloads, thumb drives, optical media, cloud storage, or even binaries through email. Even standard users can run executables downloaded to their home folder by default. The source of the software is not nearly as important as a consistent audit of all installed software for patch compliance and appropriateness.

A single user desktop where the user, administrator, and the person approving software are all the same person probably does not need to audit software inventory to this extent. It is helpful in the case of stability problems or malware, however.

Scan systems on a monthly basis and determine the number of unauthorized pieces of software that are installed. Verify that if an unauthorized piece of software is found one month, it is removed from the system the next.

Export System Information through the built-in System Information Application or other third-party tools on an organizationally defined timetable.

Rationale:

Part of comprehensive IT security involves device management and ensuring that all software is authorized and patched. Checking for macOS updates and app updates are relatively simple for the end user, and can even be updated with minimal privileges from trusted sources, if enabled. Remote monitoring of the patch status for software maintained through Apple is very well supported by management applications. Neither Apple capabilities nor third-party patch management solutions will cover all mission-necessary software for most organizations. Full visibility into software present on the system enables vulnerability and risk management.

P.S. Don't forget about browser plugins/extensions for all installed software.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Delete any unnecessary applications from the system.

See Also

https://workbench.cisecurity.org/files/4159