# System Packages

The **System Packages** page provides visibility into all OS-level packages installed on developer machines across your organization.

This view consolidates packages detected by the Dev Machine Guard agent on macOS and Linux devices, giving security teams a unified inventory of OS-level developer tooling. This is the category of software that often sits outside traditional MDM inventories and SCA tools, and that has been the target of recent supply-chain incidents.

### Supported package managers

System Packages currently covers:

* **macOS**: Homebrew (formulae)
* **Linux**: Distribution package managers (for example, `dnf`, `apt`, `pacman`)
* **Windows**: *Coming soon*

The page is organized into per-platform tabs. Each tab header shows the total number of unique packages detected on that platform across your fleet (for example, `macOS 235`, `Linux 1,472`).

<figure><img src="/files/qulnReb7PKqCwGsePpse" alt=""><figcaption></figcaption></figure>

The main System Packages list shows every unique package detected on the selected platform:

* **Package**: the package or formula name (for example, `openssl@3`, `sqlite`, `terraform`). Click the name to open the package detail view.
* **Type**: the package type. On macOS this is typically `formula` for standard Homebrew packages. On Linux this reflects the package manager (for example, `rpm`, `deb`).
* **Devices**: the number of devices where the package is present. Click the count to see the list of devices.
* **Versions**: the number of distinct versions of the package installed across your fleet. A high version count often indicates version drift worth investigating.

A summary at the top shows the total number of unique packages detected on the selected platform across all active devices.

You can:

* Switch between **macOS**, **Linux**, and **Windows** tabs
* Search the list by package name
* Filter by device using the **All devices** dropdown
* Filter by package type using the **All types** dropdown
* Sort by **Devices** or **Versions** to surface the most widely deployed or most fragmented packages

#### **Linux-only filters**

When the **Linux** tab is selected, three additional filters appear:

* **All vendors**: filter packages by vendor (for example, Cursor, Microsoft Corporation)
* **Unsigned**: show only packages that have no cryptographic signature. Unsigned packages cannot be verified against a publisher and are worth reviewing during incident response.
* **Third-party**: show only packages that are not distributed officially by the device's Linux distribution. Third-party packages typically come from vendor-provided repositories or sideloaded installers and represent a higher-risk surface than packages that ship with the distribution.

<figure><img src="/files/ZiSuUxPYBHsTB3CURbQl" alt=""><figcaption></figcaption></figure>

These filters can be combined with the search box and the **All types** filter to quickly narrow the list to, for example, all unsigned third-party `rpm` packages from a specific vendor.

### Package details

Clicking a package name opens a side panel with detailed information about that package.

<figure><img src="/files/COHjKQEyiiuyIjIAzEoE" alt=""><figcaption></figcaption></figure>

The panel is organized into the following sections.

#### **Summary cards**

* **Devices**: the total number of devices in your fleet where the package is installed
* **Versions**: the number of distinct versions detected across those devices

#### **Package Information**

* **Name**: the package or formula name
* **Type**: the package manager origin (for example, `brew`)
* **Last Updated**: the most recent date upstream package metadata was refreshed for this package
* **Versions**: the number of distinct versions detected

#### **Package Metadata**

* **Description**: the upstream package description
* **Tap** (Homebrew only): the originating Homebrew tap (for example, `homebrew/core`)
* **License**: the package license (for example, `blessing`, `MIT`, `Apache-2.0`)
* **Homepage**: a link to the upstream project homepage
* **Install Reason**: how the package came to be installed on the device. Common values include `dependency` (installed automatically to satisfy another package's requirements) and direct/manual installs.

For Linux packages, this block also surfaces signature status. If the package has no cryptographic signature, an **Unsigned Package** warning is shown:

> **Unsigned Package** This package has no cryptographic signature.

Unsigned packages cannot be verified against a publisher's signing key. Combined with the **Third-party** indicator, this is a strong signal that the package warrants closer review.

#### **Version distribution**

A row of version chips below Package Metadata shows each distinct version detected in your fleet and the number of devices running it (for example, `3.50.4 1 device`, `3.51.1 1 device`, `3.53.0 1 device`).

This makes version drift immediately visible. A widely-installed package such as `openssl@3` may span four or more distinct versions across a fleet of a dozen devices, showing you at a glance where updates have lagged.

#### **Devices**

A list of all devices where the package is installed. Each entry shows:

* Device hostname
* Device ID

This helps you understand the spread of a specific package across your organization and identify where remediation may be required during an active supply-chain incident.

### Why it matters

Package managers such as Homebrew (macOS) and `dnf`/`apt` (Linux) are the de facto distribution channels for developer tooling on engineer workstations and build hosts. A typical developer machine has hundreds of system-installed utilities, compilers, databases, and network tools, many installed automatically as dependencies of higher-level packages. This software routinely runs with developer-level access to source code, credentials, and CI/CD tokens.

Visibility into what your developers have installed, and at what versions, is the foundation for responding quickly when a supply-chain incident is disclosed.

Use this page to:

* **Respond to incidents**: when a compromised system package is disclosed, search for it here to identify affected devices and users in seconds
* **Audit developer tooling**: surface unexpected or policy-violating software across the fleet
* **Assess version drift**: packages with high version counts across your fleet may indicate forgotten auto-installed dependencies or inconsistent update practices
* **Track footprint**: understand the total OS-level package surface area across your developer population

### Remediation

Using the device and version information from the System Packages detail view, you can create an MDM script to remove affected packages from developer machines during an incident. After the package is removed, rescan the device and verify the package is no longer present in Dev Machine Guard.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stepsecurity.io/developer-machines/system-packages.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.