SACM Working Group                                           H. Birkholz
Internet-Draft                                            Fraunhofer SIT
Intended status: Standards Track                           N. Cam-Winget
Expires: September 22, 2016                                Cisco Systems
                                                          March 21, 2016


                         SACM Information Model
              draft-cam-winget-sacm-information-model-00

Abstract

   This document defines the data types, data relations and operations
   that comprise the information model for Security Automation and
   Continuous Monitoring (SACM) of posture information.  This
   information model is maintained as the IANA "SACM Information
   Elements" registry.  This document defines the initial set and
   contents to address SACM's use cases (RFC7632).

   Please help turn this paragraph into an abstract.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 22, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction
   2.  Requirements notation
   3.  Information Elements (IE)
   4.  Structure of Information Elements
     4.1.  Atomic Information Elements (AIE)
     4.2.  Composite Information Elements (CIE)
     4.3.  SACM Statements
     4.4.  SACM Content Elements
     4.5.  Relationship Types
     4.6.  Events
   5.  Information Element Vocabulary
     5.1.  Vocabulary of Categories
     5.2.  Vocabulary of Atomic Information Elements
     5.3.  Vocabulary of Composite Information Elements
   6.  Example composition of SACM statements
   7.  IANA considerations
   8.  Security Considerations
   9.  Acknowledgements
   10. Change Log
   11. Contributors
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Introduction

   The purpose of the SACM Information Model (IM) is to ensure
   interoperability between SACM data models that are used as transport
   encoding and to provide a base set of information elements and
   operations that may be exposed or shared between SACM components.
   A complete set of requirements imposed on the IM can be found in
   [I-D.ietf-sacm-requirements].  The SACM IM leverages existing
   definitions of information elements and references the sources in
   the corresponding descriptions so as to minimize re-invention and
   duplication.  The SACM IM itself is intended to be used for data
   exchange between SACM components (data in motion).  Nevertheless,
   the Information Elements (IEs) defined in this document can be
   leveraged to create and align corresponding data models for data at
   rest.

2.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   RFC 2119, BCP 14 [RFC2119].

3.  Information Elements (IE)

   Every type or group of information defined in this document (i.e.
   every information element) represents content transported by a SACM
   component and is associated with a unique label: its name.  This
   document defines the set of IEs standardized by SACM.  A SACM data
   model MAY include additional IEs that are not defined in this
   document.  The labels of additional IEs included in different SACM
   data models MUST NOT conflict with the labels of the IEs defined by
   this information model, and the names of additional IEs MUST NOT
   conflict with each other or across multiple data models.  In order
   to avoid naming conflicts, the labels of additional IEs SHOULD be
   prefixed to avoid collision across extensions.  The prefix MUST
   include an organizational identifier and therefore, for example,
   MAY be an IANA enterprise number, a (partial) name space URI or an
   organization name abbreviation.

4.  Structure of Information Elements

   The IEs defined in this document are differentiated into two basic
   types of Information Elements:

   o  Atomic Information Elements: an atomic IE is the simplest IE
      structure, comprised of a single attribute value pairing (atomic
      IEs are listed in Section 5.2).

   o  Composite Information Elements: a composite IE is a richer
      structure that can be comprised of one or more attribute value
      pairings (composite IEs are listed in Section 5.3).

   Associating metadata (e.g. an observation time stamp) with an atomic
   information element is equivalent to creating a composite
   information element that includes the initial atomic information
   element and an additional information element that represents the
   time stamp.  The resulting composite information element is
   associated with its own unique name.

   Four general structures are expressed via the two basic types of IE
   and are used throughout the information model:

   o  SACM statements

   o  SACM content elements

   o  Relationship Types

   o  Events

4.1.  Atomic Information Elements (AIE)

   Atomic IEs represent the smallest building blocks for SACM content,
   including, for example, a SACM endpoint attribute, a policy entry, a
   configuration item, an expected state, or a threshold value.  AIEs
   can be bundled into composite IEs.  The set of AIEs defined by the
   SACM IM is described in Section 5.2.

   In essence, AIEs are attribute value pairs that constitute the
   "leaves" in a SACM semantic structure.  While the SACM IM sometimes
   does elaborate on the structure of values (e.g. an IPv6 address is
   an octet string with a maximum length of 16 that may be collapsed
   under certain conditions), it does not prescribe the specific types
   used in the data model representation (e.g. an unbounded character
   string).

   Every AIE is registered as a corresponding entry in the IANA
   registry.
   The Integer Index of the IANA SMI number tables can be used by SACM
   data models.

4.2.  Composite Information Elements (CIE)

   Composite IEs constitute bundles of AIEs and/or other composite IEs.
   A CIE represents a specific set of related information that shares a
   semantic relationship, e.g. SACM statement metadata or state
   information about a network interface.  The set of CIEs defined by
   the SACM IM is described in Section 5.3.  In essence, CIEs are a
   "named container" construct that can be used to compose additional
   CIEs that go beyond the ones standardized by the SACM information
   model.

   The SACM IM allows for recursive or circular nesting of composite
   IEs.  A SACM Data Model (DM) MUST therefore include the
   "default-depth" base AIE that is part of the SACM content metadata,
   which bounds how deep such nesting may go.

4.3.  SACM Statements

   The data exchanged between SACM components is always embedded in a
   SACM statement.  SACM statements contain one or more CIEs and/or
   AIEs.  A SACM statement functions as an "envelope" type that is
   associated with metadata about the providing SACM component.  The
   SACM statement metadata can be used to resolve conflicting
   information, to retrace the provenance of information or to locate
   archived information in data repositories.

   Examples of SACM statement metadata information elements:

   o  SACM Domain Identifier: a globally unique identifier that enables
      the differentiation of SACM statements across SACM domains.

   o  Data Origin: the SACM domain unique identifier associated with a
      SACM component.

   o  Statement Identifier: an identifier that enables this specific
      statement to be uniquely referenced.

   SACM statements are composed of one or more CIEs; Section 6 provides
   examples for constructing SACM statements.

4.4.  SACM Content Elements

   SACM Content Elements are categorized CIEs.
   A content element can be composed of one or more AIEs and/or CIEs,
   or it can be another representation that is embedded in the
   statement, for example an IPFIX Template Record.  Each SACM content
   element has its own Content Metadata associated with it (analogously
   to the way that each SACM statement has metadata associated with
   it).  Content element metadata includes information about its type,
   its data source (for results produced by a collector) or its data
   origin (for results produced by most other SACM components).

   Examples of SACM content element metadata information elements:

   o  Target Endpoint Label: an identifier that enables a target
      endpoint to be distinctly identified as a SACM content element.

   o  Relationship Identifier(s): a set of semantic relationships that
      associate this SACM content element with other SACM content
      elements via their content element identifiers.

   o  Content Element Identifier: an identifier that enables this
      specific content element to be uniquely referenced.

   SACM content elements are described in section FIXME.

4.5.  Relationship Types

   Relationships are expressed via AIEs contained within a CIE.  There
   are two ways SACM content elements can be associated with each
   other.  "A Flow" associated with "A User", for example, would be a
   typical case in which two separate SACM content elements are
   associated with each other.

   One way is to include the Relationships AIE in the content element
   metadata that precedes the actual content (in this example, the
   content element metadata of the flow record).  Relationship Types
   are uni-directional.  For example, the "is-associated-with-user"
   Relationship AIE included in the content element metadata points to
   a specific user via the corresponding content element identifier;
   the user's content element does not thereby point back to the flow.

   The alternative way is to include the reference to associated
   information directly in the content of the content element.
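   The statement envelope of Section 4.3, the content element metadata
   of Section 4.4, the metadata-carried relationships of Section 4.5
   and the default-depth bound of Section 4.2, worked through as an
   added Python example.  This code is not part of the draft and is not
   a SACM data model: only the IE names come from the vocabulary of
   this document; the GUID and label values, the dict layout and all
   helper names (ContentElement, Statement, relationship, follow,
   dangling_relationships, expand, nesting_depth) are assumptions made
   for illustration.

```python
"""Added example, not from the draft: a SACM statement whose content
element metadata carries uni-directional relationships, a resolver for
them and the default-depth bound on circular nesting. IE names are the
draft's; GUIDs, labels, layout and helper names are assumed."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Optional


@dataclass
class ContentElement:
    metadata: dict[str, Any]   # content element metadata IEs
    content: dict[str, Any]    # payload AIEs/CIEs

    @property
    def guid(self) -> str:
        return self.metadata["content-element-guid"]


@dataclass
class Statement:
    metadata: dict[str, Any]   # SACM statement metadata IEs
    content: list[ContentElement] = field(default_factory=list)

    def find(self, guid: str) -> Optional[ContentElement]:
        return next((ce for ce in self.content if ce.guid == guid), None)


def relationship(rel_type: str, target: str, label: Optional[str] = None) -> dict[str, str]:
    """A relationship CIE as carried in content element metadata (Section 4.5)."""
    rel = {"relationship-type": rel_type, "relationship-content-element-guid": target}
    if label is not None:
        rel["relationship-object-label"] = label   # optional, for cheap matching
    return rel


def build_sample_statement() -> Statement:
    """Constructed sample: a flow, the user it belongs to and that user's
    session, published by one component. All GUIDs and labels are made up."""
    flow = ContentElement(
        metadata={"content-element-guid": "ce-flow-0001", "content-topic": "Flow",
                  "content-type": "EndpointState", "data-source": "te-7f3a",
                  "timestamp": "2016-03-21T09:30:00Z",
                  "relationships": [relationship("associated_with_user", "ce-user-0001", "alice"),
                                    # target deliberately absent from this statement
                                    relationship("seen_on_interface", "ce-if-0009")]},
        content={"ipv4-address-value": "192.0.2.10", "layer4-port-address": 443,
                 "layer4-protocol": "tcp", "bytes-sent": 5120, "bytes-received": 40960})
    user = ContentElement(
        metadata={"content-element-guid": "ce-user-0001", "content-topic": "User",
                  "content-type": "DirectoryEntry", "data-origin": "sacm-comp-dir-1",
                  "relationships": [relationship("applies_to_session", "ce-sess-0001")]},
        content={"user-id": "alice", "account-name": "alice@example.com", "user-directory": "ldap"})
    session = ContentElement(
        metadata={"content-element-guid": "ce-sess-0001", "content-topic": "Session",
                  "content-type": "EndpointState", "data-source": "te-7f3a",
                  # closes the cycle flow -> user -> session -> flow
                  "relationships": [relationship("associated_with_flow", "ce-flow-0001")]},
        content={"session-state-type": "Authenticated", "authentication-type": "802.1X"})
    content = [flow, user, session]
    return Statement(
        metadata={"statement-guid": "st-0001", "sacm-domain-id": "domain-example",
                  "data-origin": "sacm-comp-nad-1", "statement-type": "Observation",
                  "timestamp": "2016-03-21T09:30:05Z", "default-depth": 1,
                  "content-elements": len(content)},
        content=content)


def follow(stmt: Statement, guid: str, rel_type: str) -> list[str]:
    """Target GUIDs of one relationship type from one content element.
    Relationships are uni-directional: the reverse direction is not implied."""
    ce = stmt.find(guid)
    rels = ce.metadata.get("relationships", []) if ce else []
    return [r["relationship-content-element-guid"] for r in rels if r["relationship-type"] == rel_type]


def dangling_relationships(stmt: Statement) -> list[tuple[str, str]]:
    """(source, target) pairs whose target is not in this statement; a consumer
    must resolve those elsewhere or treat them as unknown, never guess."""
    return [(ce.guid, r["relationship-content-element-guid"])
            for ce in stmt.content for r in ce.metadata.get("relationships", [])
            if stmt.find(r["relationship-content-element-guid"]) is None]


def expand(stmt: Statement, guid: str, default_depth: Optional[int] = None,
           _path: tuple[str, ...] = ()) -> dict[str, Any]:
    """Nest related content elements into a tree. default-depth (taken from the
    statement metadata unless overridden) bounds how often one content element
    may recur on a single nesting path, so the cycle terminates."""
    if default_depth is None:
        default_depth = stmt.metadata["default-depth"]
    ce = stmt.find(guid)
    if ce is None:
        return {"unresolved": guid}
    if _path.count(guid) >= default_depth:
        return {"ref": guid}   # bound reached: keep a reference, do not re-embed
    node: dict[str, Any] = {"content-element-guid": guid, "content": dict(ce.content), "related": []}
    for r in ce.metadata.get("relationships", []):
        node["related"].append({"relationship-type": r["relationship-type"],
                                "target": expand(stmt, r["relationship-content-element-guid"],
                                                 default_depth, _path + (guid,))})
    return node


def nesting_depth(node: dict[str, Any]) -> int:
    """Depth of an expanded tree; unresolved and reference-only leaves count 0."""
    if "related" not in node:
        return 0
    return 1 + max((nesting_depth(r["target"]) for r in node["related"]), default=0)
```

   With default-depth 1 the expansion of the flow embeds the user and
   the session once and then stops at a bare reference back to the flow;
   raising default-depth to 2 lets the cycle repeat once more.  The
   seen_on_interface target is reported as dangling rather than
   silently dropped, which is the check a consumer needs before it
   trusts a relationship graph assembled from several statements.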
   A session CIE, for instance, could refer to a specific user by
   including identifying attributes about that user.  While this is a
   valid way of creating a relationship between different kinds of
   content, it requires careful matching or the introduction of another
   appropriate identifier mechanism (one that does not conflict with
   other SACM statement and SACM content element identifiers).  If a
   SACM data model allows for the transport of other representations as
   the payload of a content element (e.g. a pcap fragment containing
   suspicious packets), there may be no alternative to using the
   content element metadata to include relationships to other content
   elements.

4.6.  Events

   Events are a specific type of CIE that are always associated with a
   time stamp and represent a change of state or configuration that can
   be expressed as SACM content.  The time an event was published by a
   SACM component is recorded in its corresponding SACM statement
   metadata; the time it was created (or initially observed) is
   recorded in its content element metadata.  It is also recorded in
   the CIE itself, which is somewhat redundant but can improve
   performance in some scenarios.  An event CIE can also include the
   past state or configuration before the change occurred, or, if
   applicable, a threshold or trigger condition that led to the
   creation of the event.

5.  Information Element Vocabulary

   The vocabulary of Information Element names standardized by the SACM
   IM does not prescribe the use of these exact same names in every
   SACM data model.  If terms diverge, a mapping has to be provided in
   the corresponding SACM data model document.

   A subset of the names of the information elements defined in this
   document are appended with "-type".  This indicates that the IM
   defines a set of values for these information elements (e.g.
   the interface types defined by the IANA registry or the relationship
   types).

5.1.  Vocabulary of Categories

   Categories are special Information Elements that make it possible to
   refer to multiple types of IEs via just one name.  They are therefore
   similar to a type-choice.  A prominent example of a category is
   network-address.  Network-address is a category that every kind of
   network address is associated with, e.g. mac-address, ipv4-address,
   ipv6-address, or typed-network-address.  If a CIE includes
   network-address as one of its components, any member of that
   category may be used in its stead.

   Another prominent example is endpoint-identifier.  Some IEs can be
   used to identify (and over time re-recognize) target endpoints;
   those are associated with the category endpoint-identifier.

   content: this is a very broad category.  Content is the payload of a
      content element in a SACM statement.  Formally, metadata is the
      complement of content, and everything that is not part of SACM
      statement metadata or content element metadata is therefore
      considered to be content.  Every IE can be content (although the
      same type of IE can be used in the metadata at the same time, and
      there it would not be content as described before).  Annotating
      every IE with this category would be highly redundant and is
      therefore omitted for brevity.

   network-address: (work-in-progress)

      ipv4-address

      ipv6-address

      mac-address

   endpoint-identifier: (work-in-progress)

   software-component: (work-in-progress)

   software-label: (work-in-progress)

5.2.  Vocabulary of Atomic Information Elements

   The content of every Atomic Information Element is expressed in a
   single value.  Note that while this section lists AIEs, some of them
   may also be represented as a CIE (especially if metadata is used).

   access-privilege-type: a set of types that represents access
      privileges (e.g.
      read, write, none)

      References: none

   account-name: a label that uniquely identifies an account that can
      require some form of (user) authentication to access

      References: none

   administrative-domain: a label that is supposed to uniquely identify
      an administrative domain

      References: [IFMAP]

   address-association-type: a set of types that defines the type of
      address associations (e.g. broadcast-domain-member-list,
      ip-subnet-member-list, ip-mac, shared-backhaul-interface, etc.)

      References: none

   address-mask-value: a value that expresses a generic address
      subnetting bitmask

   address-type: a set of types that specifies the type of address that
      is expressed in an address CIE (e.g. ethernet, modbus, zigbee)

      References: none

   address-value: a value that expresses a generic network address

      References: none

      Category: network-address

   application-component: a label that references a "sub"-application
      that is part of the application (e.g. an add-on, a cipher-suite,
      a library)

      References: [SWID]

      Category: software-component

   application-label: a label that is supposed to uniquely reference an
      application

      References: [SWID]

      Category: software-label

   application-type: a set of types (FIXME maybe a finite set is not
      realistic here - value not enumerator?) that identifies the type
      of (user-space) application (e.g.
      text-editor, policy-editor, service-client, service-server,
      calendar, rogue-like RPG)

      References: [SWID]

      Category: software-type

   application-manufacturer: the name of the vendor that created the
      application

      References: [SWID]

      Category: software-manufacturer

   application-name: a value that represents the name of an application
      as given by the manufacturer

      References: [SWID]

   application-version: a version string that identifies a specific
      version of an application

      References: [SWID]

      Category: software-version

   authenticator: a label that references a SACM component that can
      authenticate target endpoints (can be used in a target-endpoint
      CIE to express that the target endpoint was authenticated by that
      SACM component)

      References: none

   attribute-name: a value that can express the attribute name of a
      generic Attribute-Value-Pair CIE

      References: none

   attribute-value: a value that can express the attribute value of a
      generic Attribute-Value-Pair CIE

      References: none

   authentication-type: a set of types that expresses which type of
      authentication was used to enable a network interaction/connection

      References: [PXGRID]

   birthdate: a label for the registered day of birth of a natural
      person (e.g. the date of birth of a person as an ISO date string,
      http://rs.tdwg.org/ontology/voc/Person#birthdate)

      References: [SCAP-AI]

   bytes-received: a value that represents a number of octets received
      on a network interface

      References: [PXGRID]

   bytes-sent: a value that represents a number of octets sent on a
      network interface

      References: [PXGRID]

   certificate: a value that expresses a certificate that can be
      collected from a target endpoint

      References: none

      Category: endpoint-identifier

   collection-task-type: a set of types that defines how collected SACM
      content was acquired (e.g.
      network-observation, remote-acquisition, self-reported)

      References: none

   confidence: a representation of the subjective probability that the
      assessed value is correct.  If no confidence value is given, a
      confidence of 1 is assumed (this limits confidence values to the
      range between zero and one)

      References: [ARF]

   content-action: a set of types that expresses a type of action (e.g.
      add, delete, update).  Can be associated, for instance, with an
      event CIE or with a network observation

      References: [ARF]

   content-elements: a value that represents the number of content
      elements included in a SACM statement

      References: none

   content-topic: a set of types that defines what kind of concept the
      information included in a content element is about (e.g. Session,
      User, Interface, PostureProfile, Flow, PostureAssessment,
      TargetEndpoint)

      References: none

   content-type: a set of types that defines what kind of information
      is included in a content element (e.g. EndpointConfiguration,
      EndpointState, DirectoryEntry, Event, Incident)

      References: none

   country-code: a set of types according to the ISO 3166-1 alpha-3
      (three-letter) country codes

      References: FIXME

   data-origin: a label that uniquely identifies a SACM component in
      and across SACM domains

      References: none

      Aliases: sacm-component-id

   data-source: a label that is supposed to uniquely identify the data
      source (e.g. a target endpoint or sensor) that provided an initial
      endpoint attribute record

      References: [ARF]

      Aliases: te-id (work-in-progress)

   decimal-fraction-denominator: a denominator value to express a
      decimal fraction time stamp (e.g. in timestamp)

      References: none

   decimal-fraction-numerator: a numerator value to express a decimal
      fraction time stamp (e.g.
      in timestamp)

   default-depth: a value that expresses how often a circular reference
      between CIEs is allowed to repeat, or how deep a recursive nesting
      may occur, respectively

      References: none

   discoverer: a label that refers to the SACM component that
      discovered a target endpoint (can be used in a target-endpoint
      CIE to express, for example, that the target endpoint was
      discovered by that SACM component)

      References: none

   email-address: a value that expresses an email address

      References: none

   event-type: a set of types that defines the categories of an event
      (e.g. access-level-change, change-of-privilege,
      change-of-authorization, environmental-event, or
      provisioning-event)

      References: none

   event-threshold: if applicable, a value that can be included in an
      event CIE to indicate what numeric threshold value was crossed to
      trigger that event

      References: none

   event-threshold-name: if an event is created due to a crossed
      threshold, the threshold might have a name associated with it
      that can be expressed via this value

      References: none

   event-trigger: this value is used to express more complex trigger
      conditions that may cause the creation of an event.
   firmware-id: a label that represents the BIOS or firmware ID of a
      specific target endpoint

      References: none

      Category: endpoint-identifier

   hardware-serial-number: a value that identifies a piece of hardware
      that is a component of a composite target endpoint (in essence,
      every target endpoint is a composite) and can be acquired from a
      target endpoint by a collection task

      References: none

      Category: endpoint-identifier

   host-name: a label typically associated with an endpoint but not
      always intended to be unique in a given scope

      References: [ARF], [SCAP-AI]

      Category: endpoint-identifier

   interface-label: a unique label a network interface can be
      referenced with

      References: none

   ipv6-address-subnet-mask-cidrnot: an IPv6 subnet bit mask in CIDR
      notation

      References: TBD

   ipv6-address-value: an IPv6 address value

      References: TBD

      Category: endpoint-identifier, network-address

   ipv4-address-subnet-mask-cidrnot: an IPv4 subnet bit mask in CIDR
      notation

      References: TBD

   ipv4-address-subnet-mask: an IPv4 subnet mask

      References: TBD

   ipv4-address-value: an IPv4 address value

      References: TBD

      Category: endpoint-identifier, network-address

   layer2-interface-type: a set of types referenced by IANA ifType

      References: [RFC3635], [RFC2863]

   layer4-port-address: a layer 4 port address (typically used, for
      example, with TCP and UDP)

      References: none

      Category: network-address

   layer4-protocol: a set of types that expresses a layer 4 protocol
      (e.g. UDP or TCP)

   location-name: a value that represents a named region of space FIXME

      References: [IFMAP], [ARF], [SCAP-AI]

   mac-address: a value that expresses an Ethernet (IEEE 802 MAC)
      address

      References: [IFMAP], [ARF], [SCAP-AI]

      Category: endpoint-identifier, network-address

   method-label: a label that references a specific method registered
      and used in a SACM domain (e.g.
      a method to match and re-identify target endpoints via identifying
      attributes)

      References: none

   method-repository: a label that references a SACM component at which
      methods can be registered and that can provide guidance in the
      form of registered methods to other SACM components

      References: none

   network-access-level-type: a set of types that expresses categories
      of network access levels (e.g. block, quarantine, etc.)

      References: [IFMAP]

   network-id: most networks, such as an AS, an OSPF domain, or a VLAN,
      can have an ID that is represented via this AIE

      References: none

   network-interface-name: a label that uniquely identifies an
      interface associated with a distinguishable endpoint

      References: FIXME

   network-layer: a set of layers that expresses the specific network
      layer an interface operates on (typically layers 2-4)

      References: FIXME

   network-name: a label that is associated with a network.  Some
      networks, for example effective layer 2 broadcast domains, are
      difficult to "grasp" and therefore quite complicated to name

      References: none

   organization-id: a label that is supposed to uniquely identify an
      organization

      References: [ARF]

   organization-name: a value that represents the name of an
      organization

      References: [ARF]

   os-component: a label that references a "sub-component" that is
      part of the operating system (e.g.
      a kernel module, microcode, or an ACPI table)

      References: [SWID]

      Category: software-component

   os-label: a label that references a specific version of an operating
      system, including patches and hotfixes

      References: [SWID]

      Category: software-label

   os-manufacturer: the name of the manufacturer of an operating system

      References: [IFMAP]

      Category: software-manufacturer

   os-name: the name of an operating system

      References: [IFMAP]

      Category: software-name

   os-type: a set of types that identifies the type of an operating
      system (e.g. real-time, security-enhanced, consumer, server)

      References: none

      Category: software-type

   os-version: a value that represents the version of an operating
      system

      Category: software-version

   patch-id: a label that uniquely identifies a specific software patch

      References: [ARF]

   patch-name: the vendor's name of a software patch

      References: [ARF], [SWID]

   person-first-name: the first name of a natural person

      References: [ARF], [SCAP-AI]

   person-last-name: the last name of a natural person

      References: [ARF], [SCAP-AI]

   person-middle-name: the middle name of a natural person

      References: [ARF], [SCAP-AI]

   phone-number: a label that expresses a U.S. national phone number
      (e.g. pattern value="((\d{3}) )?\d{3}-\d{4}")

      References: [ARF], [SCAP-AI]

   phone-number-type: a set of types that expresses the type of a phone
      number (e.g. DSN, Fax, Home, Mobile, Pager, Secure, Unsecure,
      Work, Other)

      References: [ARF]

   privilege-name: the attribute-name of the privilege represented as
      an AVP

      References: none

   privilege-value: the value-content of the privilege represented as
      an AVP

      References: none

   protocol: a set of types that defines specific protocols above
      layer 4 (e.g.
      http, https, dns, ipp, or unknown)

      References: none

   public-key: the value of a public key (regardless of its method of
      creation, crypto-system, or signature scheme) that can be
      collected from a target endpoint

      References: none

      Category: endpoint-identifier

   relationship-content-element-guid: a reference to a specific content
      element used in a relationship CIE

      References: none

   relationship-statement-guid: a reference to a specific SACM
      statement used in a relationship CIE

      References: none

   relationship-object-label: a reference to a specific label used in
      content (e.g. a te-label or a user-id).  This reference is
      typically used if matching content AIEs can be done efficiently,
      and it can also be included in addition to a
      relationship-content-element-guid reference.

      References: none

   relationship-type: a set of types, one of which is included in
      every instance of a relationship CIE to indicate what kind of
      relationship exists between the CIE the relationship is included
      in and the referenced CIE (e.g. associated_with_user,
      applies_to_session, seen_on_interface, associated_with_flow,
      contains_virtual_device)

      References: none

   role-name: a label that references a collection of privileges
      assigned to a specific entity (identity? FIXME)

      References: FIXME

   session-state-type: a set of types a discernible session (an ongoing
      network interaction) can be in (e.g. Authenticating,
      Authenticated, Postured, Started, Disconnected)

      References: [PXGRID]

   statement-guid: a label that expresses a globally unique ID
      referencing a specific SACM statement that was produced by a SACM
      component

      References: none

   statement-type: a set of types that defines the type of content that
      is included in a SACM statement (e.g.
      Observation, DirectoryContent, Correlation, Assessment, Guidance)

      References: none

   status: a set of types that defines possible result values for a
      finding in general (e.g. true, false, error, unknown, not
      applicable, not evaluated)

      References: [ARF]

   sub-administrative-domain: a label for related child domains an
      administrative domain can be composed of (used in the CIE
      administrative-domain)

      References: none

   sub-interface-label: a unique label a sub network interface (e.g. a
      tagged VLAN on a trunk) can be referenced with

      References: none

   super-administrative-domain: a label for related parent domains an
      administrative domain is part of (used in the CIE
      administrative-domain)

      References: none

   super-interface-label: a unique label a super network interface
      (e.g. the physical interface a tunnel interface terminates on)
      can be referenced with

      References: none

   te-assessment-state: a set of types that defines the state of
      assessment of a target endpoint (e.g. in-discovery, discovered,
      in-classification, classified, in-assessment, assessed)

      References: [ARF]

   te-label: an identifying label created from a set of identifying
      attributes, used to reference a specific target endpoint

      References: none

   te-id: an identifying label that is created randomly, is supposed to
      be unique, and is used to reference a specific target endpoint

      References: [ARF], [SWID]

      Aliases: data-source

   timestamp: a timestamp that expresses a specific point in time

      References: [IFMAP], [ARF]

   timestamp-type: a set of types that expresses what type of action or
      event happened at that point in time (e.g. discovered,
      classified, collected, published).  Can be included in a generic
      timestamp CIE

      References: none

   units-received: a value that represents a number of units (e.g.
886 frames, packets, cells or segments) received on a network 887 interface 889 Reference : [PXGRID] 891 units-sent: a value that represents a number of units (e.g. frames, 892 packets, cells or segments) sent on a network interface 894 Reference : [PXGRID] 896 username: a part of the credentials required to access an account 897 that can be collected from a target endpoint 899 References: none 901 Category: endpoint-identifier 903 user-directory: a label that identifies a specific type of user- 904 directory (e.g. ldap, active-directory, local-user) 905 Reference: [PXGRID] 907 user-id: a label that references a specific user known in a SACM 908 domain 910 References: [PXGRID] 912 web-site: a URI that references a web-site 914 References: [ARF] 916 WGS84-longitude: a label that represents WGS 84 rev 2004 longitude 918 References: [SCAP-AI] 920 WGS84-latitude: a label that represents WGS 84 rev 2004 latitude 922 References: [SCAP-AI] 924 WGS84-altitude: a label that represents WGS 84 rev 2004 altitude 926 References: [SCAP-AI] 928 5.3. Vocabulary of Composite Information Elements 930 The content of every Composite Information Element is expressed by 931 the mandatory and optional IE it can be composed of. The components 932 of an CIE can have a cardinality associated with them: 934 o (*): zero to unbounded occurrences 936 o (+): one to unbounded occurrences 938 o (?): zero or one occurrence 940 o (n*m): between n and m occurrences 942 o no cardinality: one occurrence 944 If there is no cardinality highlighted or the cardinality (+) or 945 (n*m) is used, including this IE in the CIE is mandatory. In 946 contrast, optional IE are expressed via the cardinality (?) or (*). 947 An CIE can prescribe a strict sequence to the component IE it 948 contains. This in indicated by an (s). 950 address-association (s): some addresses are associated with each 951 other, e.g. 
a mac-address can be associated with a number of IP 952 addresses or a sensor address can be associated with the external 953 address of its two redundant IP gateways. The first address is 954 the address a number of addresses with the same type is associated 955 with. An address type SHOULD be included and the addresses 956 associated with the first address entry MUST be of the same type. 957 NANCY FIXME 959 address 961 address-type (?) 963 address (+) 965 address-type (?) 967 administrative-domain: this CIE is intended to express more complex 968 setups of interconnected administrative domains 970 administrative-domain 972 sub-administrative-domain (*) 974 super-administrative-domain (?) 976 location (?) 978 application: an application is software that is not part of the 979 kernel space (therefore typically runs in the user space. An 980 application can depend on specfific running party of an operating 981 system. 983 application-label (?) 985 application-name 987 application-type (*) 989 application-component (*) 991 application-manufacturer (?) 993 application-version (?) 995 application-instance: a specific instance of an application that is 996 installed on an endpoint. The application-label is used to refer 997 to corresponding information stored in an application CIE 999 application-label 1000 target-endpoint 1002 attribute-value-pair: a generic CIE that is used to express various 1003 AVP (e.g. 
Radius Attributes) 1005 attribute-name 1007 attribute-value 1009 content-creation-timestamp: a decimal fraction timestamp that 1010 specifies the point in time the content element was created by a 1011 SACM component 1013 decimal-fraction-denominator 1015 decimal-fraction-numerator 1017 content-element: content produced by a SACM component is 1018 encapsulated in content-elements that also include content- 1019 metadata regarding that content 1021 content-metadata (+) 1023 content (+) 1025 content-metadata: metadata regarding the content included in a 1026 specific content-element. The content the metadata annotates can 1027 be initially collected content - in this case a data-source has to 1028 be included in the metadata. Content can also be the product of a 1029 SACM component (e.g. an evaluator), which requires a data-origin 1030 IE instead that references the producer of information. 1032 content-element-guid 1034 content-creation-timestamp 1036 content-topic 1038 content-type 1040 data-source (?) 1042 data-origin (?) 1044 relationship (*) 1046 data-source: a CIE that refers to a target endpoint that is the 1047 source of SACM content - either via a label (data-source, which 1048 could also be used without this CIE), or via a list of endpoint- 1049 identifiers (category). Both can be included at the same time but 1050 MUST NOT conflict. 1052 data-source (?) 1054 endpoint-identifier (*) 1056 dst-flow-element: identifies the destination of a flow. The port 1057 number SHOULD be included if the network-address is an IP-address. 1059 network-address 1061 layer4-port-address (?) 1063 ethernet-interface: the only two mandatory component of this CIE is 1064 the mac-address and the generated label (to distinguish non-unique 1065 addresses). This acknowledges the fact that in many cases this is 1066 the only information available about an Ethernet interface. 
If 1067 there is more detail information available it MUST be included to 1068 avoid ambiguity and to increase the usefulness for consumer of 1069 information. The exception are sub-interface-labels and super- 1070 interface-labels, which SHOULD be included. 1072 interface-label 1074 network-interface-name (?) 1076 mac-address 1078 network-name (?) 1080 network-id (?) 1082 layer2-interface-type (?) 1084 sub-interface-label (*) 1086 super-interface-label (*) 1088 event (s): this a special purpose CIE that represents the change of 1089 content. As with content-elements basically every content can be 1090 included in the two content entries. The mandatory content entry 1091 represents the "after" state of the content and the optional 1092 content entry can represent the "before" state if available or 1093 required. 1095 event-type (?) 1096 event-threshold (?) 1098 event-threshold-name (?) 1100 event-trigger (?) 1102 typed-timestamp 1104 content 1106 content (?) 1108 flow-record: a composite that expresses a single flow and its 1109 statistics. If applicable, protocol and layer4-protocol SHOULD be 1110 included 1112 src-flow-element 1114 dst-flow-element 1116 protocol (?) 1118 layer4-protocol (?) 1120 flow-statistics 1122 flow-statistics: this CIE aggregates bytes and units send and 1123 received 1125 bytes-received 1127 bytes-sent 1129 units-received 1131 units-sent 1133 group: insert text here (work in progress) 1135 ipv4-address: an IPv4 address is always associated with a subnet. 1136 This CIE combines these both tightly nit values. Either a subnet 1137 mask or a CIDR notation bitmask SHOULD be included. 1139 ipv4-address-value 1141 ipv4-address-subnet-mask-cidrnot (?) 1143 ipv4-address-subnet-mask (?) 1145 ipv6-address: an IPv6 address is always associated with a subnet. 1146 This CIE combines these both tightly nit values. A CIDR notation 1147 bitmask SHOULD be included. 1149 ipv6-address-value 1151 ipv6-address-subnet-mask-cidrnot (?) 
   location: a CIE that aggregates potential details about a location

      location-name

      WGS84-longitude

      WGS84-latitude

      WGS84-altitude

   operation-system: an operating system is software that directly
      interacts with the hardware, provides the runtime environment for
      the user space, and offers the corresponding interfaces to
      hardware functions.

      os-label (?)

      os-name

      os-type (*)

      os-component (*)

      os-manufacturer (?)

      os-version (?)

   organization: this CIE aggregates information about an organization
      and can be referenced via its id

      organization-id

      organization-name

      location (?)

   person: a CIE that aggregates the details about a person and
      combines them with an identifier unique to SACM domains

      person-first-name

      person-last-name

      person-middle-name (*)

      phone-contact (*)

      email-address (*)

   phone-contact: this CIE can be used to reference a phone number and
      how it functions as a contact

      phone-number

      phone-number-type (?)

   privilege: a CIE to express privileges via a specific name/value
      pair

      privilege-name

      privilege-value

   relationship: the relationship CIE makes it possible to associate
      the CIE it is included in with other CIE if they contain a unique
      identifier or label, providing an alternative to including
      attributes of other content CIE as a means to map them (which
      remains a valid alternative, though).  The relationship CIE MUST
      at least reference one relationship object (either a SACM
      statement iden

      relationship-type

      relationship-content-element-guid (*)

      relationship-statement-guid (*)

      relationship-object-label (*)

   sacm-statement: every SACM component produces information in this
      format.  This CIE can be considered the root IE for every SACM
      message generated.  There MUST be at least one content element
      included in a SACM statement, and if there is more than one, they
      are ordered in a sequence.

      statement-metadata

      content-element (+)(s)

   session: represents an ongoing network interaction that can be in
      various states of authentication or assessment

      session-state-type

      (work in progress)

   src-flow-element: identifies the source of a flow.  The port number
      SHOULD be included if the network-address is an IP address.

      network-address

      layer4-port-address (?)

   statement-creation-timestamp: a decimal fraction timestamp that
      specifies the point in time the SACM statement was created by a
      SACM component

      decimal-fraction-denominator

      decimal-fraction-numerator

   statement-publish-timestamp: a decimal fraction timestamp that
      specifies the point in time the SACM component attempted to
      publish the SACM statement (if successful, this will be the
      publish timestamp sent with the SACM statement).

      decimal-fraction-denominator

      decimal-fraction-numerator

   statement-metadata: every SACM statement includes statement metadata
      about the SACM component it was produced by and a general
      category that indicates what this statement is about

      statement-guid

      data-origin

      statement-creation-timestamp (?)

      statement-publish-timestamp

      statement-type

      content-elements

   target-endpoint: this is a central CIE used in the process chains a
      SACM domain can compose.  Theoretically every kind of information
      can be associated with a target-endpoint CIE via its
      corresponding content element.  A few select IE can be stored in
      the CIE itself to reduce the overhead of following references
      that would occur in most scenarios.  If the hostname is unknown,
      the value has to be set to an equivalent of "not available" (e.g.
      NULL).  Comment from the authors: this is "work in progress" and
      a good basis for discussion

      host-name

      te-label

      administrative-domain (?)

      application-instance (*)

      ethernet-interface (*)

      address-association (*)

      data-source (?)

      operation-system (?)

   te-profile: a set of expected states, policies and pieces of
      guidance that can be matched to a target endpoint (or a class of
      target endpoints; "work in progress")

   typed-timestamp: a flexible timestamp CIE that can express the
      specific type of timestamp via its content.  This is an
      alternative to the "named" timestamps that do not include a
      timestamp-type

      decimal-fraction-denominator

      decimal-fraction-numerator

      timestamp-type

   user: a CIE that references details of a specific user known in a
      SACM domain who is active on a specific target endpoint

      user-id

      username (?)

      data-source (?)

      user-directory (?)

6.  Example composition of SACM statements

   This section illustrates how SACM statements can be composed of
   content information elements, how relationship CIEs can be used in
   content metadata, and how the categories statement-type,
   content-topic and content-type are intended to be used.

   The SACM statement instances are written in pseudo code.  AIE end
   with a colon.  Some AIE include exemplary values to, for example,
   show how references to GUIDs and labels can be used.  For the sake
   of brevity, not all mandatory IE that are part of a CIE are always
   included (e.g. as is the case with target-endpoint).

   The example shows three SACM statements that were produced by three
   different SACM components and that overall include four related
   content elements.

   This is (work in progress).
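   The three statements of this section, rendered as an added example
   that is not part of the draft: the statements as Python data, a
   checker for the cardinality notation of Section 5.3, and a resolver
   for the relationship references between content elements, which
   also turns the change-of-privilege event into a (privilege,
   username) finding by following its is-associated-with-user
   reference.  The GUIDs and labels are the draft's placeholders; the
   relationship references use the AIE names
   relationship-content-element-guid and relationship-object-label
   from the AIE vocabulary, and the schema subset, the constant
   timestamps, the user-id value and all helper names are assumptions
   of this example.

```python
"""Added example, not part of the draft: the three SACM statements of Section 6
as Python data, a checker for the cardinality notation of Section 5.3 ("1"
exactly one, "?" zero or one, "*" zero or more, "+" one or more, "n*m" between
n and m), and resolution of the relationship references between content
elements.  GUIDs and labels are the draft's placeholders; the schema subset,
the constant timestamps, the user-id value and all helper names are assumptions."""
from collections import Counter

CIE_SCHEMA = {  # component cardinalities transcribed from Section 5.3
    "content-metadata": {"content-element-guid": "1", "content-creation-timestamp": "1",
                         "content-topic": "1", "content-type": "1", "data-source": "?",
                         "data-origin": "?", "relationship": "*"},
    "relationship": {"relationship-type": "1", "relationship-content-element-guid": "*",
                     "relationship-statement-guid": "*", "relationship-object-label": "*"},
    "event": {"event-type": "?", "event-threshold": "?", "event-threshold-name": "?",
              "event-trigger": "?", "typed-timestamp": "1", "content": "1*2"},
}

def _count_ok(card, n):
    if card in ("1", "?", "*", "+"):
        return {"1": n == 1, "?": n <= 1, "*": True, "+": n >= 1}[card]
    lo, hi = card.split("*")                        # the (n*m) form
    return int(lo) <= n <= int(hi)

def validate_cie(name, components):
    """components: ordered list of (ie-name, value) pairs.  Returns violations."""
    schema, counts = CIE_SCHEMA[name], Counter(ie for ie, _ in components)
    errors = [f"{name}: unknown component {ie}" for ie in counts if ie not in schema]
    for ie, card in schema.items():
        if not _count_ok(card, counts[ie]):
            errors.append(f"{name}: {ie} occurs {counts[ie]} times, cardinality {card}")
    return errors

GUID, LABEL = "relationship-content-element-guid", "relationship-object-label"
def ce(guid, topic, ctype, payload, *rels):
    # a content element: content-metadata pairs plus its (cie-name, pairs) content
    md = [("content-element-guid", guid), ("content-creation-timestamp", "example-TS"),
          ("content-topic", topic), ("content-type", ctype)]
    md += [("relationship", [("relationship-type", t), (ie, v)]) for t, ie, v in rels]
    return {"content-metadata": md, "content": payload}
def meta(n, stype):
    return [("statement-guid", f"example-sguid-{n}"), ("data-origin", f"SACM-component-label-{n}"),
            ("statement-publish-timestamp", f"example-TS-{n}"), ("statement-type", stype)]
def priv(value):
    return ("privilege", [("privilege-name", "super-user-escalation"), ("privilege-value", value)])

STATEMENTS = [  # the draft's three statements as (statement-metadata, [content elements])
    (meta("one", "Observation"), [
        ce("example-cguid-one", "Flow", "EndpointState",
           ("flow-record", [("protocol", "ssh"), ("layer4-protocol", "tcp")]),
           ("is-associated-with-user", GUID, "example-cguid-three"),
           ("is-associated-with-te", GUID, "example-cguid-two"),
           ("is-associated-with-te", LABEL, "example-te-label")),
        ce("example-cguid-two", "TargetEndpoint", "EndpointConfiguration",
           ("target-endpoint", [("te-label", "example-te-label"), ("host-name", "example-host-name")]))]),
    (meta("two", "DirectoryContent"), [
        ce("example-cguid-three", "User", "DirectoryEntry",
           ("user", [("user-id", "example-user-id"), ("username", "example-username")]))]),
    (meta("three", "Observation"), [
        ce("example-cguid-four", "Privileges", "Event",
           ("event", [("event-type", "change-of-privilege"),
                      ("typed-timestamp", [("timestamp-type", "time-of-observation")]),
                      ("content", priv("true")),     # mandatory entry: the "after" state
                      ("content", priv("false"))]),  # optional entry: the "before" state
           ("is-associated-with-user", GUID, "example-cguid-three"))]),
]

def by_guid(statements):
    return {dict(e["content-metadata"])["content-element-guid"]: e
            for _, elems in statements for e in elems}

def validate_statements(statements):
    checks = []
    for e in by_guid(statements).values():
        checks.append(("content-metadata", e["content-metadata"]))
        checks += [("relationship", r) for ie, r in e["content-metadata"] if ie == "relationship"]
        checks += [e["content"]] if e["content"][0] in CIE_SCHEMA else []
    return [err for name, comps in checks for err in validate_cie(name, comps)]

def resolve_relationships(statements):
    """(edges, dangling): (from-guid, type, target) triples, and references nobody published."""
    index = by_guid(statements)
    known = set(index) | {v for e in index.values() for ie, v in e["content"][1] if ie == "te-label"}
    edges = [(guid, r["relationship-type"], r.get(GUID) or r.get(LABEL))
             for guid, e in index.items()
             for r in (dict(v) for ie, v in e["content-metadata"] if ie == "relationship")]
    return edges, [(s, t) for s, _, t in edges if t not in known]

def privilege_escalations(statements):
    """Events whose "after" privilege-value is true while "before" is not, with the
    username reached via an is-associated-with-user edge ("unknown" if it dangles)."""
    index, (edges, _) = by_guid(statements), resolve_relationships(statements)
    found = []
    for guid, e in index.items():
        if e["content"][0] != "event": continue
        states = [dict(c[1]) for ie, c in e["content"][1] if ie == "content"]
        after, before = states[0], (states[1] if len(states) > 1 else {})
        if after.get("privilege-value") == "true" and before.get("privilege-value") != "true":
            user = next((dict(index[t]["content"][1]).get("username") for s, typ, t in edges
                         if s == guid and typ == "is-associated-with-user" and t in index), "unknown")
            found.append((after["privilege-name"], user))
    return found
```

   validate_statements(STATEMENTS) returns an empty list for the three
   statements; resolve_relationships returns the four edges of the
   example and no dangling reference; privilege_escalations resolves
   the change-of-privilege event to example-username through the
   is-associated-with-user relationship.  A reference to a GUID or
   te-label that no statement in the domain has published ends up in
   the dangling list, which is the check a consumer wants before it
   acts on a correlation such as this one.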
   sacm-statement
      statement-metadata
         statement-guid: example-sguid-one
         data-origin: SACM-component-label-one
         statement-publish-timestamp: example-TS-one
         statement-type: Observation
      content-element
         content-metadata
            content-element-guid: example-cguid-one
            content-creation-timestamp:
            content-topic: Flow
            content-type: EndpointState
            relationship
               relationship-type: is-associated-with-user
               relationship-content-element-guid: example-cguid-three
            relationship
               relationship-type: is-associated-with-te
               relationship-content-element-guid: example-cguid-two
            relationship
               relationship-type: is-associated-with-te
               relationship-object-label: example-te-label
         flow-record
            src-flow-element
               network-address (ipv4-address)
                  ipv4-address-value:
                  ipv4-address-subnet-mask-cidrnot:
               layer4-port-address: 23111
            dst-flow-element
               network-address (ipv4-address)
                  ipv4-address-value:
                  ipv4-address-subnet-mask-cidrnot:
               layer4-port-address: 22
            protocol: ssh
            layer4-protocol: tcp
            flow-statistics
               bytes-received:
               bytes-sent:
               units-received:
               units-sent:
      content-element
         content-metadata
            content-element-guid: example-cguid-two
            content-creation-timestamp:
            content-topic: TargetEndpoint
            content-type: EndpointConfiguration
         target-endpoint
            te-label: example-te-label
            host-name: example-host-name
            ethernet-interface: example-interface

   sacm-statement
      statement-metadata
         statement-guid: example-sguid-two
         data-origin: SACM-component-label-two
         statement-publish-timestamp: example-TS-two
         statement-type: DirectoryContent
      content-element
         content-metadata
            content-element-guid: example-cguid-three
            content-creation-timestamp:
            content-topic: User
            content-type: DirectoryEntry
         user
            username: example-username
            user-directory: component-id

   sacm-statement
      statement-metadata
         statement-guid: example-sguid-three
         data-origin: SACM-component-label-three
         statement-publish-timestamp: example-TS-three
         statement-type: Observation
      content-element
         content-metadata
            content-element-guid: example-cguid-four
            content-creation-timestamp:
            content-topic: Privileges
            content-type: Event
            relationship
               relationship-type: is-associated-with-user
               relationship-content-element-guid: example-cguid-three
         event
            event-type: change-of-privilege
            typed-timestamp
               decimal-fraction-denominator:
               decimal-fraction-numerator:
               timestamp-type: time-of-observation
            privilege
               privilege-name: super-user-escalation
               privilege-value: true
            privilege
               privilege-name: super-user-escalation
               privilege-value: false

7.  IANA considerations

   This document includes requests to IANA.

8.  Security Considerations

9.  Acknowledgements

10.  Change Log

   First version -00

11.  Contributors

12.  References

12.1.  Normative References

   [ARF]      Corporation., T., "Assessment Results Format", 2010.

   [IFMAP]    "TCG Trusted Network Communications - TNC IF-MAP Metadata
              for Network Security Specification Version 1.1r9", May
              2012.

   [PXGRID]   Appala, S., Cam-Winget, N., McGrew, D., and J. Verma, "An
              Actionable Threat Intelligence system using a
              Publish-Subscribe communications model", Proceedings of
              the 2nd ACM Workshop on Information Sharing and
              Collaborative Security, pages 61-70,
              DOI 10.1145/2808128.2808131, ISBN 978-1-4503-3822-6.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2863]  McCloghrie, K. and F. Kastenholz, "The Interfaces Group
              MIB", RFC 2863, DOI 10.17487/RFC2863, June 2000.
   [RFC3635]  Flick, J., "Definitions of Managed Objects for the
              Ethernet-like Interface Types", RFC 3635,
              DOI 10.17487/RFC3635, September 2003.

   [SCAP-AI]  Wunder, J., Halbardier, A., and D. Waltermire,
              "Specification for Asset Identification 1.1", NIST
              Interagency Report 7693, 2011.

   [SWID]     "Information technology - Software asset management -
              Part 2: Software identification tag", ISO/IEC
              19770-2:2015, October 2015.

12.2.  Informative References

   [I-D.ietf-sacm-requirements]
              Cam-Winget, N. and L. Lorenzin, "Security Automation and
              Continuous Monitoring (SACM) Requirements",
              draft-ietf-sacm-requirements-13 (work in progress), March
              2016.

Authors' Addresses

   Henk Birkholz
   Fraunhofer SIT
   Rheinstrasse 75
   Darmstadt 64295
   Germany

   Email: henk.birkholz@sit.fraunhofer.de


   Nancy Cam-Winget
   Cisco Systems
   3550 Cisco Way
   San Jose, CA 95134
   USA

   Email: ncamwing@cisco.com