Wiki     Blog     New Ticket     View Tickets     Ticket Query     Timeline     Search

SCAP-On-Apple is a community driven collaboration on Identifying, Developing, Vetting, and Sharing all available Secure Content Automation Protocol content, tools and data streams to be used against Apple Products.

[Reminder] Weekly Closing of Settings Review


Just a reminder on the settings review process and curation.

We have been posting blocks of settings each as their on ticket for review, discussion, correction and agreement.

We will closeout each block of settings tickets one week after they have been posted which should be long enough.  If for any reasons, anyone feels the need for more time on any setting(s), please note that on a ticket or on the list and we will take action appropriately.


Tickets already created that will be closing out in the coming days..

Created on:  5/29/13     Closing on:  06/05/13


  1. [CCE-28300-2] idle_time_for_screen_saver
  2. [CCE-28301-0] sleep_restart_shutdown_buttons
  3. [CCE-28302-8] restart_button
  4. [CCE-28303-6] users_list_on_login
  5. [CCE-28304-4] other_users_list_on_login
  6. [CCE-28305-1] shutdown_button
  7. [CCE-28307-7] retries_until_hint
  8. [CCE-28308-5] inactivity_logout
  9. [CCE-28309-3] fast_user_switching
  10. [CCE-28306-9] sleep_button




Created on:  6/03/13     Closing on:  06/10/13



  1. [CCE-28310-1] console_login
  2. [CCE-28311-9] external_accounts
  3. [CCE-28312-7] admin_accounts
  4. [CCE-28313-5] local_user_accounts_visibility
  5. [CCE-28314-3] mobile_accounts_visibility
  6. [CCE-28315-0] network_users_visibility
  7. [CCE-28316-8] bash_init_files_owner
  8. [CCE-28317-6] bash_init_files_group
  9. [CCE-28318-4] bash_init_files_permissions
  10. [CCE-28319-2] csh_init_files_owner
  11. [CCE-28320-0] csh_init_files_group
  12. [CCE-28321-8] csh_init_files_permissions
  13. [CCE-28322-6] ftp_daemon
  14. [CCE-28323-4] rsh_daemon
  15. [CCE-28324-2] rexec_daemon
  16. [CCE-28325-9] telnet_daemon
  17. [CCE-28326-7] tftp_daemon
  18. [CCE-28327-5] http_daemon
  19. [CCE-28328-3] global_umask


Please take the time to comment/contribute on the tickets, discuss on the list or provide general feedback prior to closing date for each block of settings.

[Announce] Community-based Settings Curation for OSX & iOS

SCAP-On-Apple User and Dev Community,

(cross-post to Fed-Talk Community)

The day has finally come to begin digging in your heels with your shoulder to the grindstone!

Several have been working hard behind the scenes, for several months now, to establish a bulk of the initial settings for OSX and iOS for public review, discussion, modifications and ultimately for approval and posting to the data feeds provided from this project.  We have had some time and resource constraints that have negatively impacted our ability to reach this point on our original target date.  Now, your wait is over and we can all dig in our heels and move this effort forward in a joint effort to bring the best and brightest together in a concerted effort for Settings Curation.

I wanted to give everyone a bit of structure and guidance on how we plan to proceed to maximize our time, talents and goals for this project.  

Flow of Settings Curation - Iterative Process

  1. Selection of the next BLOCK of settings [selection by SCAP Core Team]
  2. Generation of a Ticket here  for each setting  [for Tracking & Reference purposes]
  3. Blog posting here of next Settings Block [announce posting of next block]
  4. Daily Community Review & discussion here [Community review/discussion via List]
  5. Weekly Closeout of Review here [Tickets closed one week after creation]
  6. Post Curated Settings to Repository here [Post updated data repositories & feeds]

In addition to the users and developers in this community, this process will also have close involvement by individuals from NIST, NSA and SCAP Experts to ensure a solid review and submission process is accomplished.

You will notice that we are targeting a weekly closeout of settings.  This will give us a 'rolling review' and ONE FULL WEEK for review/feedback/modifications of each setting.  We do not anticipate any setting requiring more time than that for vetting, but if it does, we will place the settings ticket on hold for later followup.  

We plan to prefix the corresponding settings tickets with a designated CCE# which, among other things, will aid this community in long term tracking of activity and outcome for any given CCE / setting.

Data Feeds
The data feeds necessary for testing will also be pulled and hosted here as a 'developing authoritative data feed'.  Once we have completed our curated  

We have several hundred settings right now and anticipate throughout this process that some may be significantly modified, dropped, added or approved as is.  Guidance is that you jump right in on areas you are most knowledgable on and then progress to those you are unfamiliar or interested in learning more about with community discussion. 

Tool Vendors
We encourage all tool vendors to participating and contribute validation feedback on all data tested from here against your own available tool sets.  Right now this activity would be premature in the process, but keep this in mind for your organization's resource planning.

We want to Thank You all in advance for waiting on us for so long and for your willingness to actively engage in the SCAP-On-Apple Project.

If for any reason you have questions or comments, please do not hesitate to send them directly to this list for community feedback as well.  Contact / Admin email addresses are on the main wiki page -

- Project Admin


Inaugural Meeting Oct 4, 2012


The inaugural meeting on October 4, 2012 at the 8th Annual IT Security Automation Conference in Baltimore, MD, marked the launch of the SCAP-On-Apple Project here on

The SCAP-On-Apple Project Team was very excited by the turnout yesterday with representatives from all sectors of the SCAP Community interested in immediately engaging in collaboration.

Those unable to attend in person will have plenty of opportunity to engage by jumping on the mailing lists and pulling our efforts together.

Much can be accomplished by like minded people with laser focus.

The SCAP-On-Apple Team


"SCAP-On-Apple" Project Launch

The long wait is over!  We are very excited to launch the SCAP-On-Apple Project here on simultaneously with the first community gathering at the 8th Annual IT Security Automation Conference in Baltimore, MD - October 3-5, 2012.


The SCAP-On-Apple Open Source Project engages and empowers the SCAP community to strengthen the awareness, knowledge and collaboration on SCAP Content, Tools and Solutions with authoritative data for the Apple Platforms OSX  and iOS.


Managing patches and secure configurations of a large number of enterprise systems, while ensuring each one is compliant with security requirements, has become a daunting task for IT.   The National Institute of Standards and Technology (NIST) is leading the charge in defining the standards, developing the specifications, and guiding the community in developing SCAP content and deploying compliant tools for all platforms.

Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Versions 1.2 (DRAFT)

Special Publication 800-117 Revision 1 (DRAFT)


This Project's goal is to augment the existing SCAP Community efforts by focusing exclusively on relevant information for OSX and iOS.  To facilitate the SCAP Community, the project will provide the following services hosted here under :

 • Blog for timely announcements and updates

 • Wiki for Information & Documentation

 • Source Repository for Source Repository hosting and versioning

 • Mailing Lists for community sharing

 • Ticketing System for defects and enhancement submission and tracking

Bug / Enhancement Ticket System

The Project Team encourages all participants to fully utilize the Ticketing System to identify, submit, and track defects and enhancement requests against all  content (wiki, documentation, tools, source code, etc.) maintained by this project.


Jump into the project and engage!

The SCAP-On-Apple Team


news feed