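Vulnerability assessments have started to evolve lately, and information security administrators keep advancing in many areas as well.
On macOS it has now come as far as collecting installed-app information and inspecting it,
so I look for a way to make up for this.
When an application is installed on macOS, the install information is left in the file below.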
/var/log/install.log
After installing KakaoTalk, install information like the following is left.
2025-08-13 16:03:00+09 seongmukim-Mac installd[1214]: PackageKit: Set reponsibility for install to 20343
2025-08-13 16:03:00+09 seongmukim-Mac installd[1214]: PackageKit: ----- Begin install -----
2025-08-13 16:03:00+09 seongmukim-Mac installd[1214]: PackageKit: request=PKInstallRequest <1 packages, destination=/>
2025-08-13 16:03:00+09 seongmukim-Mac installd[1214]: PackageKit: packages=(
"PKLeopardPackage <id=com.kakao.KakaoTalkMac, version=25.7.0, url=file:///var/folders/fm/wcflwcvs4sl875b_83z4zl6c0000gn/C/com.apple.appstoreagent/com.apple.appstore/2E3BBE5D-E1D5-4847-9D43-771FE4391FB3/sxa4411383618587154446.pkg#com.kakao.KakaoTalkMac.pkg>"
)
2025-08-13 16:03:01+09 seongmukim-Mac installd[1214]: PackageKit: Extracting file:///var/folders/fm/wcflwcvs4sl875b_83z4zl6c0000gn/C/com.apple.appstoreagent/com.apple.appstore/2E3BBE5D-E1D5-4847-9D43-771FE4391FB3/sxa4411383618587154446.pkg#com.kakao.KakaoTalkMac.pkg (destination=/Library/InstallerSandboxes/.PKInstallSandboxManager/7D3400A3-1815-4364-BA46-B8A74AE67394.activeSandbox/Root/Applications, uid=0)
2025-08-13 16:03:04+09 seongmukim-Mac installd[1214]: PackageKit: Verifying code signature on /Library/InstallerSandboxes/.PKInstallSandboxManager/7D3400A3-1815-4364-BA46-B8A74AE67394.activeSandbox/Root/Applications/KakaoTalk.app
2025-08-13 16:03:06+09 seongmukim-Mac installd[1214]: PackageKit: Writing receipt for com.kakao.KakaoTalkMac to /Library/InstallerSandboxes/.PKInstallSandboxManager/7D3400A3-1815-4364-BA46-B8A74AE67394.activeSandbox/Root
2025-08-13 16:03:06+09 seongmukim-Mac installd[1214]: PackageKit: prevent user idle system sleep
2025-08-13 16:03:06+09 seongmukim-Mac installd[1214]: PackageKit: suspending backupd
2025-08-13 16:03:06+09 seongmukim-Mac installd[1214]: PackageKit: Wrote MAS receipt into Applications/KakaoTalk.app
2025-08-13 16:03:06+09 seongmukim-Mac installd[1214]: PackageKit: Wrote MAS Metadata into Applications/KakaoTalk.app
2025-08-13 16:03:06+09 seongmukim-Mac installd[1214]: PackageKit: Using trashcan path /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/PKInstallSandboxTrash/7D3400A3-1815-4364-BA46-B8A74AE67394.sandboxTrash for sandbox /Library/InstallerSandboxes/.PKInstallSandboxManager/7D3400A3-1815-4364-BA46-B8A74AE67394.activeSandbox
2025-08-13 16:03:06+09 seongmukim-Mac install_monitor[24631]: Temporarily excluding: /Applications, /Library, /System, /bin, /private, /sbin, /usr
2025-08-13 16:03:06+09 seongmukim-Mac installd[1214]: PackageKit: Shoving /Library/InstallerSandboxes/.PKInstallSandboxManager/7D3400A3-1815-4364-BA46-B8A74AE67394.activeSandbox/Root (2 items) to /
2025-08-13 16:03:06+09 seongmukim-Mac installd[1214]: PackageKit: Parent bundle com.kakao.KakaoTalkMac will be atomically shoved.
2025-08-13 16:03:06+09 seongmukim-Mac shove[24632]: /Applications/KakaoTalk.app: restored [xattr=com.apple.appstore.metadata] with value size 1748
2025-08-13 16:03:06+09 seongmukim-Mac shove[24632]: [src=noflags] /Applications/KakaoTalk.app: restored flags 0x0
2025-08-13 16:03:06+09 seongmukim-Mac installd[1214]: PackageKit: Touched bundle /Applications/KakaoTalk.app
2025-08-13 16:03:06+09 seongmukim-Mac installd[1214]: PackageKit: Touched bundle /Applications/KakaoTalk.app/Contents/Library/LoginItems/KakaoTalkHelper.app
2025-08-13 16:03:06+09 seongmukim-Mac installd[1214]: Installed "카카오톡" (25.7.0)
2025-08-13 16:03:06+09 seongmukim-Mac installd[1214]: Successfully wrote install history to /Library/Receipts/InstallHistory.plist
2025-08-13 16:03:06+09 seongmukim-Mac install_monitor[24631]: Re-included: /Applications, /Library, /System, /bin, /private, /sbin, /usr
2025-08-13 16:03:07+09 seongmukim-Mac installd[1214]: PackageKit: releasing backupd
2025-08-13 16:03:07+09 seongmukim-Mac installd[1214]: PackageKit: allow user idle system sleep
2025-08-13 16:03:07+09 seongmukim-Mac installd[1214]: PackageKit: ----- End install -----
2025-08-13 16:03:07+09 seongmukim-Mac installd[1214]: PackageKit: 6.3s elapsed install time
2025-08-13 16:03:07+09 seongmukim-Mac installd[1214]: PackageKit: Cleared responsibility for install from 20343.
2025-08-13 16:03:07+09 seongmukim-Mac installd[1214]: PackageKit: Running idle tasks
2025-08-13 16:03:07+09 seongmukim-Mac installd[1214]: PackageKit: Done with sandbox removals
2025-08-13 16:03:07+09 seongmukim-Mac appstoreagent[20343]: PackageKit: Registered bundle file:///Applications/KakaoTalk.app/ for uid 501
2025-08-13 16:03:07+09 seongmukim-Mac appstoreagent[20343]: PackageKit: Registered bundle file:///Applications/KakaoTalk.app/Contents/Library/LoginItems/KakaoTalkHelper.app/ for uid 501
2025-08-13 16:03:07+09 seongmukim-Mac installd[1214]: PackageKit: Removing client PKInstallDaemonClient pid=20343, uid=501 (/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Support/appstoreagent)
First, delete that install log information.
Second, in a slightly more advanced case, the install information is checked with the command below.
system_profiler SPInstallHistoryDataType
% system_profiler SPInstallHistoryDataType
...
XProtectPlistConfigData:
Version: 5310
Source: Apple
Install Date: 2025. 8. 13. 오전 9:53
카카오톡:
Version: 25.7.0
Source: 3rd Party
Install Date: 2025. 8. 13. 오후 4:03
% system_profiler SPInstallHistoryDataType |grep "카카오톡"
카카오톡:
To modify that information, delete the KakaoTalk install section from the file below.
/Library/Receipts/InstallHistory.plist
% cat /Library/Receipts/InstallHistory.plist
...
<dict>
<key>contentType</key>
<string>config-data</string>
<key>date</key>
<date>2025-08-13T00:53:10Z</date>
<key>displayName</key>
<string>XProtectPlistConfigData</string>
<key>displayVersion</key>
<string>5310</string>
<key>packageIdentifiers</key>
<array>
<string>com.apple.pkg.XProtectPlistConfigData_10_15.16U4384</string>
</array>
<key>processName</key>
<string>softwareupdated</string>
</dict>
<dict>
<key>date</key>
<date>2025-08-13T07:03:06Z</date>
<key>displayName</key>
<string>카카오톡</string>
<key>displayVersion</key>
<string>25.7.0</string>
<key>packageIdentifiers</key>
<array>
<string>com.kakao.KakaoTalkMac</string>
</array>
<key>processName</key>
<string>appstoreagent</string>
</dict>
</array>
</plist>
After the modification, checking again shows, as below, that "카카오톡" (KakaoTalk) was never installed.
% system_profiler SPInstallHistoryDataType |grep "카카오톡"
%
I think we should evolve too.
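The two records shown above (/var/log/install.log and /Library/Receipts/InstallHistory.plist) are written independently, so an inventory check can reconcile them instead of trusting either one alone. The following is an added example, not code from the original post: the function names, the constructed sample inputs and the `com.example.editor` package are assumptions for illustration, and matching is done on package identifier only.

```python
import plistlib
import re

# Constructed sample inputs, modelled on the excerpts above.
SAMPLE_LOG = '''\
2025-08-13 15:10:00+09 host installd[1214]: PackageKit: packages=(
    "PKLeopardPackage <id=com.example.editor, version=1.2.0, url=file:///tmp/a.pkg>"
)
2025-08-13 16:03:00+09 host installd[1214]: PackageKit: packages=(
    "PKLeopardPackage <id=com.kakao.KakaoTalkMac, version=25.7.0, url=file:///tmp/b.pkg>"
)
'''
SAMPLE_HISTORY = b'''<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict>
<key>date</key><date>2025-08-13T06:10:05Z</date>
<key>displayName</key><string>Example Editor</string>
<key>displayVersion</key><string>1.2.0</string>
<key>packageIdentifiers</key>
<array><string>com.example.editor</string></array>
<key>processName</key><string>appstoreagent</string>
</dict>
</array></plist>'''

PKG_RE = re.compile(r"PKLeopardPackage <id=([^,>]+), version=([^,>]+)")

def packages_in_log(log_text):
    """Map package id -> version from PackageKit request lines in install.log."""
    return dict(PKG_RE.findall(log_text))

def packages_in_history(plist_bytes):
    """Map package id -> displayVersion from InstallHistory.plist entries."""
    found = {}
    for entry in plistlib.loads(plist_bytes):
        for pkg_id in entry.get("packageIdentifiers", []):
            found[pkg_id] = entry.get("displayVersion", "")
    return found

def reconcile(log_text, plist_bytes):
    """Report package ids that appear in only one of the two records."""
    log_ids = set(packages_in_log(log_text))
    hist_ids = set(packages_in_history(plist_bytes))
    return {
        "log_only": sorted(log_ids - hist_ids),      # history entry is missing
        "history_only": sorted(hist_ids - log_ids),  # log entry missing or rotated
    }

if __name__ == "__main__":
    print(reconcile(SAMPLE_LOG, SAMPLE_HISTORY))
```

A package that appears in only one record is a signal to investigate rather than proof of editing, since rotated logs can legitimately produce `history_only` results.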