SACM Working Group                                           H. Birkholz
Internet-Draft                                             Fraunhofer SIT
Intended status: Standards Track                            N. Cam-Winget
Expires: October 10, 2016                                   Cisco Systems
                                                            April 8, 2016

                         SACM Information Model
              draft-camwinget-sacm-information-model-00

Abstract

   ***replaces abstract in WG IM*** This document defines the information model for Security Automation and Continuous Monitoring (SACM). This includes the definition of information elements transported between SACM components (data in motion) and how to express their relationships. This information model is maintained as the IANA "SACM Information Elements" registry. The information model captures the information needs described in the use cases defined by SACM.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 10, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements notation
   3.  Information Elements (IE)
     3.1.  Context of Information Elements
     3.2.  Extensibility of Information Elements
   4.  Structure of Information Elements
     4.1.  Atomic Information Elements (AIE)
     4.2.  Composite Information Elements (CIE)
     4.3.  SACM Statements
     4.4.  SACM Content Elements
     4.5.  Relationship Types
     4.6.  Events
   5.  Information Element Vocabulary
     5.1.  Vocabulary of Categories
     5.2.  Vocabulary of Atomic Information Elements
     5.3.  Vocabulary of Composite Information Elements
   6.  Example composition of SACM statements
   7.  IANA considerations
   8.  Security Considerations
   9.  Acknowledgements
   10. Change Log
   11. Contributors
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Introduction

   ***replaces Introduction in the WG IM*** The purpose of the SACM Information Model (IM) is to ensure interoperability between SACM data models that are used as transport encoding and to provide a base set of information elements that may be exposed or shared between SACM components in a scalable and extensible fashion. A complete set of requirements imposed on the IM can be found in [I-D.ietf-sacm-requirements]. The SACM IM defines information elements that are required to carry out the tasks conducted by SACM components. The SACM IM itself is intended to be used for data exchange between SACM components (data in motion). Nevertheless, the information elements defined in this document can be leveraged to create and align corresponding data models for data at rest.

   The information model expresses, for example, target endpoint (TE) attributes, guidance or evaluation results. The corresponding information elements (IE) are consumed and produced by SACM components as they carry out tasks.

   The primary tasks that this information model supports (on the data, control and management planes) are:

   o  TE Discovery

   o  TE Characterization

   o  TE Classification

   o  Collection

   o  Evaluation

   o  Information Sharing

   o  SACM Component Discovery

   o  SACM Component Authentication

   o  SACM Component Authorization

   o  SACM Component Registration

2.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119, BCP 14 [RFC2119].

3.  Information Elements (IE)

   **to be inserted between section 2 and section 3** Every type or group of information, e.g.
   the information elements defined in this document, represents a subject transported (data in motion) between SACM components and is associated with a unique label in the information model: its name. This document defines a set of information elements standardized by SACM.

3.1.  Context of Information Elements

   The IEs in this information model represent information related to the following areas (based on the use cases described in [RFC7632]):

   o  Endpoint Management

   o  Software Inventory Management

   o  Hardware Inventory Management

   o  Configuration Management

   o  Vulnerability Management

3.2.  Extensibility of Information Elements

   A SACM data model based on this information model MAY include additional information elements that are not defined here. The labels of additional information elements included in different SACM data models MUST NOT conflict with the labels of the information elements defined by this information model, and the names of additional information elements MUST NOT conflict with each other or across multiple data models. In order to avoid naming conflicts, the labels of additional IEs SHOULD be prefixed to avoid collision across extensions. The prefix MUST include an organizational identifier and therefore, for example, MAY be an IANA enterprise number, a (partial) name space URI or an organization name abbreviation.

4.  Structure of Information Elements

   **replaces beginning text of Information Model Framework and 3.1-3.4, will move syntax 3.1.1 and 3.2.1 to aggregated sub-section, will also privacy sub-section 3.5 and label sub-section 3.6** The IEs defined in this document are differentiated into two basic types of Information Elements:

   o  Attributes: an attribute is the simplest IE structure, comprised of a unique attribute name and an attribute value (attributes are listed in Section 5.2).
   o  Subjects: a subject is a richer structure that has a unique subject name and one or more attributes or subjects (subjects are listed in Section 5.3). In essence, the instance of a subject is defined by the attribute values associated with it.

   Metadata is constructed as a subject and is associated with attributes or subjects to provide additional information about them.

   The IM explicitly defines two specific kinds of metadata: metadata about the data origin and metadata about the data source. Metadata can include relationships that refer to other attributes or subjects by referencing labels included in their corresponding metadata.

4.1.  Atomic Information Elements (AIE)

   **to be salvaged and then removed** Atomic IEs represent the smallest building blocks for SACM content, including, for example, a SACM endpoint attribute, a policy entry, a configuration item, an expected state, or a threshold value. AIEs can be bundled into composite IEs. The set of AIEs defined by the SACM IM is described in Section 5.2.

   In essence, AIEs are attribute value pairs that constitute the "leaves" in a SACM semantic structure. While the SACM IM sometimes does elaborate on the structure of values (e.g. an IPv6 address is an octet string with a maximum length of 16 that may be collapsed under certain conditions), it does not prescribe specific types used in the data model representation (e.g. an unbounded character string).

   Every AIE is registered as a corresponding entry in the IANA registry. The integer index of the IANA SMI number tables can be used by SACM data models.

4.2.  Composite Information Elements (CIE)

   **to be salvaged and then removed** Composite IEs constitute bundles of atomic IEs and/or composite IEs. A CIE represents a specific set of related information that shares a semantic relationship, e.g.
   SACM statement metadata or state information about a network interface. The set of CIEs defined by the SACM IM is described in Section 5.3. In essence, CIEs are a "named container" construct that can be used to compose additional CIEs that go beyond the ones standardized by the SACM information model.

   The SACM IM allows for recursive or circular nesting of composite IEs. A SACM Data Model (DM) MUST include the "default-depth" base AIE that is part of the SACM content metadata.

4.3.  SACM Statements

   **to be salvaged and then removed** The data exchanged between SACM components is always embedded in a SACM statement. SACM statements contain one or more CIEs and/or AIEs. A SACM statement functions as an "envelope" type that is associated with metadata about the providing SACM component. The SACM statement metadata can be used to resolve conflicting information, retrace the provenance of information or locate archived information in data repositories.

   Examples of SACM statement metadata information elements:

   o  SACM Domain Identifier: a globally unique identifier that enables the differentiation of SACM statements across SACM domains.

   o  Data Origin: the SACM domain unique identifier associated with a SACM component.

   o  Statement Identifier: an identifier that enables this specific statement to be uniquely referenced.

   SACM statements are comprised of one or more CIEs; Section 6 provides examples for constructing SACM statements.

4.4.  SACM Content Elements

   **to be salvaged and then removed** SACM Content Elements are categorized CIEs. A content element can be composed of one or more AIEs and/or CIEs, or it can be another representation that is embedded in the statement, for example, an IPFIX Template Record.
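   The statement envelope of Section 4.3 together with the nesting bound of Section 4.2, as an added Python example that is not part of this draft or of any SACM implementation: it wraps content elements (each with its own content metadata) into a statement whose metadata carries the three identifiers named above, and it serializes a CIE graph that contains a circular reference, following nested CIEs only until default-depth is reached. The reason the draft makes default-depth mandatory is visible here: a consumer that followed circular nesting without a bound could be driven into unbounded recursion by a single malformed or hostile statement. The CIE class, the JSON-like field layout and all sample values (domain, component and GUID strings) are this example's own assumptions; the AIE names statement-guid, data-origin, default-depth and content-elements are taken from the draft's vocabulary.

```python
"""Added example (not from the draft): a SACM statement envelope and a
default-depth bound on nested/circular CIEs."""
from __future__ import annotations

import json
from typing import Any


class CIE:
    """Composite information element: a named container of AIEs
    (name -> value) plus nested CIEs. Children are plain references, so a
    CIE may refer back to an ancestor (the circular nesting Section 4.2
    allows). This class is an assumption of the example."""

    def __init__(self, name: str, **aies: Any) -> None:
        self.name = name
        self.aies = dict(aies)
        self.children: list[CIE] = []

    def add(self, child: "CIE") -> "CIE":
        self.children.append(child)
        return self


def serialize(cie: CIE, default_depth: int) -> dict:
    """Render a CIE graph to a plain dict, descending at most `default_depth`
    levels below the top CIE. Children beyond that bound (including any
    back-reference) are replaced by a {"truncated": name} marker instead of
    being followed, so the walk terminates on every input."""

    def walk(node: CIE, depth: int) -> dict:
        out: dict[str, Any] = {"name": node.name, **node.aies}
        if node.children:
            if depth >= default_depth:
                out["nested"] = [{"truncated": c.name} for c in node.children]
            else:
                out["nested"] = [walk(c, depth + 1) for c in node.children]
        return out

    return walk(cie, 0)


def max_depth(doc: dict) -> int:
    """Depth of the deepest CIE actually followed in a serialized document
    (top CIE = 0); truncation markers do not count."""
    nested = [n for n in doc.get("nested", []) if "truncated" not in n]
    return 1 + max((max_depth(n) for n in nested), default=-1)


def build_statement(domain_id: str, data_origin: str, statement_guid: str,
                    content_elements: list[tuple[str, str, CIE]],
                    default_depth: int = 3) -> dict:
    """Wrap content elements into a statement envelope. Statement metadata
    carries the identifiers of Section 4.3; each content element carries its
    own content metadata (Section 4.4), including default-depth as the draft
    places it. The key layout is this example's choice."""
    elements = []
    for ce_guid, content_type, cie in content_elements:
        elements.append({
            "content-metadata": {"content-element-guid": ce_guid,
                                 "content-type": content_type,
                                 "default-depth": default_depth},
            "content": serialize(cie, default_depth),
        })
    return {
        "statement-metadata": {"sacm-domain-id": domain_id,
                               "data-origin": data_origin,
                               "statement-guid": statement_guid,
                               "content-elements": len(elements)},
        "content-elements": elements,
    }


def demo() -> dict:
    """Constructed sample: an interface CIE whose address CIE refers back to
    the interface, i.e. a circular nesting."""
    iface = CIE("network-interface", **{"interface-label": "eth0"})
    addr = CIE("address", **{"address-type": "ethernet",
                             "mac-address": "02:00:00:00:00:01"})
    iface.add(addr)
    addr.add(iface)  # back-reference: would loop forever if followed blindly
    return build_statement("example-domain-A", "collector-17", "stmt-0001",
                           [("ce-0001", "EndpointState", iface)],
                           default_depth=2)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

   Running the module prints the envelope; the interface appears at depth 0 and again at depth 2, and the third occurrence of the address is emitted only as a truncation marker. A consumer that receives a statement whose content metadata carries a larger default-depth than it is willing to honour should clamp to its own limit rather than trust the producer's value.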
   Each SACM content element has its own content metadata associated with it (analogously to the way that each SACM statement has metadata associated with it). Content element metadata includes information about its type, data source (for results produced by a collector) or data origin (for results produced by most other SACM components).

   Examples of SACM content element metadata information elements:

   o  Target Endpoint Label: an identifier that enables a target endpoint to be distinctly identified as a SACM content element.

   o  Relationship Identifier(s): a set of semantic relationships that associate this SACM content element with other SACM content elements via their content element identifier.

   o  Content Element Identifier: an identifier that enables this specific content element to be uniquely referenced.

   SACM content elements are described in section FIXME.

4.5.  Relationship Types

   **to be salvaged and then removed** Relationships are expressed via AIEs contained within a CIE. There are two ways SACM content elements can be associated with each other. "A Flow" associated with "A User", for example, would be a typical case in which two separate SACM content elements could be associated with each other.

   One way is to include the Relationships AIE in the content element metadata that precedes the actual content (in this example, the content element metadata of the flow record). Relationship types are uni-directional. For example, the "is-associated-with-user" Relationship AIE included in the content element metadata points to a specific user via the corresponding content element identifier.

   The alternative way is to include the reference to the associated information directly in the content of the content element. A session CIE, for instance, could refer to a specific user by including identifying attributes about that user.
   While this is a valid way of creating a relationship between different kinds of content, it requires careful matching or the introduction of another appropriate identifier mechanism (one that does not conflict with other SACM statement and SACM content element identifiers). If a SACM data model allows for transport of other representations as payload of a content element (e.g. a pcap fragment containing suspicious packets), there might be no alternative other than to use the content element metadata to include relationships to other content elements.

4.6.  Events

   **to be salvaged and then removed** Events are a specific type of CIE that are always associated with a time stamp and represent a change of state or configuration that can be expressed as SACM content. The time an event was published by a SACM component is recorded in its corresponding SACM statement metadata; the time it was created (or initially observed) is recorded in its content element metadata. It is also recorded in the CIE itself, which is somewhat redundant but can improve performance in some scenarios. An event CIE can also include the past state or configuration before the change occurred, or, if applicable, a threshold or trigger condition that led to the creation of the event.

5.  Information Element Vocabulary

   **to be inserted in section 5 as candidates** The vocabulary of Information Element names standardized by the SACM IM does not prescribe the use of these exact same names in every SACM data model. If terms diverge, a mapping has to be provided in the corresponding SACM data model document.

   A subset of the names of the information elements defined in this document are appended with "-type". This indicates that the IM defines a set of values for these information elements (e.g. the interface types defined by the IANA registry or the relationship types).
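   The two ways of associating content elements described in Section 4.5, as an added Python example that is not part of this draft or of any SACM implementation: a flow element links to a user element through a relationship carried in its content metadata (the first way), a session element carries the user's identifying attribute inside its content (the second way, which needs matching), and a resolver checks every relationship target against the elements actually present so that a dangling reference is reported rather than silently followed. The statement layout and all sample values are constructed for this example; the AIE names relationship-type, relationship-content-element-guid, user-id, username, session-state-type, bytes-sent and bytes-received, and the relationship-type values associated_with_user and seen_on_interface, come from the draft's vocabulary in Section 5.2.

```python
"""Added example (not from the draft): following uni-directional
relationships between content elements and detecting dangling references."""
from __future__ import annotations

from typing import Any, Optional

# Constructed sample statement (values are made up for this example).
STATEMENT: dict[str, Any] = {
    "statement-metadata": {"statement-guid": "stmt-0002",
                           "data-origin": "nac-component-01"},
    "content-elements": [
        {
            "content-metadata": {"content-element-guid": "ce-user-1",
                                 "content-topic": "User"},
            "content": {"user-id": "u-4711", "username": "alice"},
        },
        {
            "content-metadata": {
                "content-element-guid": "ce-flow-1",
                "content-topic": "Flow",
                # First way (Section 4.5): the relationship lives in the
                # metadata that precedes the content, so the payload itself
                # could be opaque (e.g. a pcap fragment) and still be linked.
                "relationships": [
                    {"relationship-type": "associated_with_user",
                     "relationship-content-element-guid": "ce-user-1"},
                    # Target deliberately absent from this statement.
                    {"relationship-type": "seen_on_interface",
                     "relationship-content-element-guid": "ce-iface-9"},
                ],
            },
            "content": {"bytes-sent": 5120, "bytes-received": 88432},
        },
        {
            "content-metadata": {"content-element-guid": "ce-session-1",
                                 "content-topic": "Session"},
            # Second way: an identifying attribute embedded in the content;
            # linking it to the user requires matching on that attribute.
            "content": {"session-state-type": "Authenticated",
                        "user-id": "u-4711"},
        },
    ],
}


def index_by_guid(statement: dict) -> dict[str, dict]:
    """Map content-element-guid -> content element."""
    return {ce["content-metadata"]["content-element-guid"]: ce
            for ce in statement["content-elements"]}


def resolve_relationships(statement: dict) -> dict[tuple[str, str], Optional[str]]:
    """(source guid, relationship-type) -> target guid, or None when the
    target element is not present in the statement (dangling reference)."""
    known = index_by_guid(statement)
    resolved: dict[tuple[str, str], Optional[str]] = {}
    for ce in statement["content-elements"]:
        meta = ce["content-metadata"]
        for rel in meta.get("relationships", []):
            target = rel["relationship-content-element-guid"]
            key = (meta["content-element-guid"], rel["relationship-type"])
            resolved[key] = target if target in known else None
    return resolved


def dangling(statement: dict) -> list[tuple[str, str]]:
    """Relationships whose target is missing. A consumer should not act on
    these (or should retrieve the referenced element first)."""
    return [k for k, v in resolve_relationships(statement).items() if v is None]


def match_by_label(statement: dict, label: str, value: Any) -> list[str]:
    """Second way of linking: GUIDs of elements whose content carries the
    identifying attribute `label` with the given value."""
    return [ce["content-metadata"]["content-element-guid"]
            for ce in statement["content-elements"]
            if isinstance(ce["content"], dict) and ce["content"].get(label) == value]


def user_of_flow(statement: dict, flow_guid: str) -> Optional[dict]:
    """Follow a flow element's associated_with_user relationship to the user
    element's content; None when the relationship is absent or dangling."""
    target = resolve_relationships(statement).get((flow_guid, "associated_with_user"))
    return index_by_guid(statement)[target]["content"] if target else None


if __name__ == "__main__":
    print("user of ce-flow-1:", user_of_flow(STATEMENT, "ce-flow-1"))
    print("dangling:", dangling(STATEMENT))
    print("elements carrying user-id u-4711:", match_by_label(STATEMENT, "user-id", "u-4711"))
```

   The metadata route resolves in one dictionary lookup and works for opaque payloads; the content route finds both the user and the session element for the same user-id, which is exactly the "careful matching" the draft warns about, since the consumer has to decide which of the matches is the intended referent.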
5.1.  Vocabulary of Categories

   Categories are special Information Elements that enable multiple types of IEs to be referred to via just one name. Therefore, they are similar to a type-choice. A prominent example of a category is network-address. Network-address is a category that every kind of network address is associated with, e.g. mac-address, ipv4-address, ipv6-address, or typed-network-address. If a CIE includes network-address as one of its components, any of that category's members is valid to be used in its stead.

   Another prominent example is EndpointIdentifier. Some IEs can be used to identify (and over time re-recognize) target endpoints; those are associated with the category endpoint-identifier.

   content: this is a very broad category. Content is the payload of a content element in a SACM statement. Formally, metadata is the complement of content, and everything that is not part of SACM statement metadata or content element metadata is therefore considered to be content. Every IE can be content (although the same type of IE can be used in the metadata at the same time, and those would not be content as described before). Annotating every IE with this category would be highly redundant and is therefore omitted for brevity.

   network-address: (work-in-progress)

      ipv4-address

      ipv6-address

      mac-address

   endpoint-identifier: (work-in-progress)

   software-component: (work-in-progress)

   software-label: (work-in-progress)

5.2.  Vocabulary of Atomic Information Elements

   **to be inserted in section 5 as candidates** The content of every Atomic Information Element is expressed in a single value. Note that while this section lists AIEs, some of them may also be represented as a CIE (especially if metadata is used).

   access-privilege-type: a set of types that represents access privileges (e.g.
   read, write, none)

      References: none

   account-name: a label that uniquely identifies an account that can require some form of (user) authentication to access

      References: none

   administrative-domain: a label that is supposed to uniquely identify an administrative domain

      References: [IFMAP]

   address-association-type: a set of types that defines the type of address associations (e.g. broadcast-domain-member-list, ip-subnet-member-list, ip-mac, shared-backhaul-interface, etc.)

      References: none

   address-mask-value: a value that expresses a generic address subnetting bitmask

   address-type: a set of types that specifies the type of address that is expressed in an address CIE (e.g. ethernet, modbus, zigbee)

      References: none

   address-value: a value that expresses a generic network address

      References: none

      Category: network-address

   application-component: a label that references a "sub"-application that is part of the application (e.g. an add-on, a cipher-suite, a library)

      References: [SWID]

      Category: software-component

   application-label: a label that is supposed to uniquely reference an application

      References: [SWID]

      Category: software-label

   application-type: a set of types (FIXME maybe a finite set is not realistic here - value not enumerator?) that identifies the type of (user-space) application (e.g.
   text-editor, policy-editor, service-client, service-server, calendar, rogue-like RPG)

      References: [SWID]

      Category: software-type

   application-manufacturer: the name of the vendor that created the application

      References: [SWID]

      Category: software-manufacturer

   application-name: a value that represents the name of an application given by the manufacturer

      References: [SWID]

   application-version: a version string that identifies a specific version of an application

      References: [SWID]

      Category: software-version

   authenticator: a label that references a SACM component that can authenticate target endpoints (can be used in a target-endpoint CIE to express that the target endpoint was authenticated by that SACM component)

      References: none

   attribute-name: a value that can express the attribute name of a generic Attribute-Value-Pair CIE

      References: none

   attribute-value: a value that can express the attribute value of a generic Attribute-Value-Pair CIE

      References: none

   authentication-type: a set of types that expresses which type of authentication was used to enable a network interaction/connection

      References: [PXGRID]

   birthdate: a label for the registered day of birth of a natural person (e.g. the date of birth of a person as an ISO date string, http://rs.tdwg.org/ontology/voc/Person#birthdate)

      References: [SCAP-AI]

   bytes-received: a value that represents a number of octets received on a network interface

      References: [PXGRID]

   bytes-sent: a value that represents a number of octets sent on a network interface

      References: [PXGRID]

   certificate: a value that expresses a certificate that can be collected from a target endpoint

      References: none

      Category: endpoint-identifier

   collection-task-type: a set of types that defines how collected SACM content was acquired (e.g.
   network-observation, remote-acquisition, self-reported)

      References: none

   confidence: a representation of the subjective probability that the assessed value is correct. If no confidence value is given it is assumed that the confidence is 1 (this limits confidence values to the range between zero and one)

      References: [ARF]

   content-action: a set of types that expresses a type of action (e.g. add, delete, update). Can be associated, for instance, with an event CIE or with a network observation

      References: [ARF]

   content-elements: a value that represents the number of content elements included in a SACM statement

      References: none

   content-topic: a set of types that defines what kind of concept the information included in a content element is about (e.g. Session, User, Interface, PostureProfile, Flow, PostureAssessment, TargetEndpoint)

      References: none

   content-type: a set of types that defines what kind of information is included in a content element (e.g. EndpointConfiguration, EndpointState, DirectoryEntry, Event, Incident)

      References: none

   country-code: a set of types according to ISO 3166-1 trigraphic codes of countries

      References: FIXME

   data-origin: a label that uniquely identifies a SACM component in and across SACM domains

      References: none

      Aliases: sacm-component-id

   data-source: a label that is supposed to uniquely identify the data source (e.g. a target endpoint or sensor) that provided an initial endpoint attribute record

      References: [ARF]

      Aliases: te-id (work-in-progress)

   decimal-fraction-denominator: a denominator value to express a decimal fraction time stamp (e.g. in timestamp)

      References: none

   decimal-fraction-numerator: a numerator value to express a decimal fraction time stamp (e.g.
   in timestamp)

   default-depth: a value that expresses how often a circular reference of CIEs is allowed to repeat, or how deep a recursive nesting may occur, respectively.

      References: none

   discoverer: a label that refers to the SACM component that discovered a target endpoint (can be used in a target-endpoint CIE to express, for example, that the target endpoint was authenticated by that SACM component)

      References: none

   email-address: a value that expresses an email address

      References: none

   event-type: a set of types that define the categories of an event (e.g. access-level-change, change-of-privilege, change-of-authorization, environmental-event, or provisioning-event)

      References: none

   event-threshold: if applicable, a value that can be included in an event CIE to indicate what numeric threshold value was crossed to trigger that event

      References: none

   event-threshold-name: if an event is created due to a crossed threshold, the threshold might have a name associated with it that can be expressed via this value

      References: none

   event-trigger: this value is used to express more complex trigger conditions that may cause the creation of an event.
   firmware-id: a label that represents the BIOS or firmware ID of a specific target endpoint

      References: none

      Category: endpoint-identifier

   hardware-serial-number: a value that identifies a piece of hardware that is a component of a composite target endpoint (in essence, every target endpoint is a composite) and can be acquired from a target endpoint by a collection task

      References: none

      Category: endpoint-identifier

   host-name: a label typically associated with an endpoint but not always intended to be unique in a given scope

      References: [ARF], [SCAP-AI]

      Category: endpoint-identifier

   interface-label: a unique label a network interface can be referenced with

      References: none

   ipv6-address-subnet-mask-cidrnot: an IPv6 subnet bit mask in CIDR notation

      References: TBD

   ipv6-address-value: an IPv6 address value

      References: TBD

      Category: endpoint-identifier, network-address

   ipv4-address-subnet-mask-cidrnot: an IPv4 subnet bit mask in CIDR notation

      References: TBD

   ipv4-address-subnet-mask: an IPv4 subnet mask

      References: TBD

   ipv4-address-value: an IPv4 address value

      References: TBD

      Category: endpoint-identifier, network-address

   layer2-interface-type: a set of types referenced by IANA ifType

      References: [RFC3635], [RFC2863]

   layer4-port-address: a layer 4 port address (typically used, for example, with TCP and UDP)

      References: none

      Category: network-address

   layer4-protocol: a set of types that express a layer 4 protocol (e.g. UDP or TCP)

   location-name: a value that represents a named region of space FIXME

      References: [IFMAP], [ARF], [SCAP-AI]

   mac-address: a value that expresses an Ethernet address

      References: [IFMAP], [ARF], [SCAP-AI]

      Category: endpoint-identifier, network-address

   method-label: a label that references a specific method registered and used in a SACM domain (e.g.
   a method to match and re-identify target endpoints via identifying attributes)

      References: none

   method-repository: a label that references a SACM component at which methods can be registered and that can provide guidance in the form of registered methods to other SACM components

      References: none

   network-access-level-type: a set of types that expresses categories of network access levels (e.g. block, quarantine, etc.)

      References: [IFMAP]

   network-id: most networks, such as ASes, OSPF domains, or VLANs, can have an ID that is represented via this AIE

      References: none

   network-interface-name: a label that uniquely identifies an interface associated with a distinguishable endpoint

      References: FIXME

   network-layer: a set of layers that express the specific network layer an interface operates on (typically layer 2-4)

      References: FIXME

   network-name: a label that is associated with a network. Some networks, for example effective layer 2 broadcast domains, are difficult to "grasp" and therefore quite complicated to name

      References: none

   organization-id: a label that is supposed to uniquely identify an organization

      References: [ARF]

   organization-name: a value that represents the name of an organization

      References: [ARF]

   os-component: a label that references a "sub-component" that is part of the operating system (e.g.
   a kernel module, microcode, or ACPI table)

      References: [SWID]

      Category: software-component

   os-label: a label that references a specific version of an operating system, including patches and hotfixes

      References: [SWID]

      Category: software-label

   os-manufacturer: the name of the manufacturer of an operating system

      References: [IFMAP]

      Category: software-manufacturer

   os-name: the name of an operating system

      References: [IFMAP]

      Category: software-name

   os-type: a set of types that identifies the type of an operating system (e.g. real-time, security-enhanced, consumer, server)

      References: none

      Category: software-type

   os-version: a value that represents the version of an operating system

      Category: software-version

   patch-id: a label that uniquely identifies a specific software patch

      References: [ARF]

   patch-name: the vendor's name of a software patch

      References: [ARF], [SWID]

   person-first-name: the first name of a natural person

      References: [ARF], [SCAP-AI]

   person-last-name: the last name of a natural person

      References: [ARF], [SCAP-AI]

   person-middle-name: the middle name of a natural person

      References: [ARF], [SCAP-AI]

   phone-number: a label that expresses the U.S. national phone number (e.g. pattern value="((\d{3}) )?\d{3}-\d{4}")

      References: [ARF], [SCAP-AI]

   phone-number-type: a set of types that express the type of a phone number (e.g. DSN, Fax, Home, Mobile, Pager, Secure, Unsecure, Work, Other)

      References: [ARF]

   privilege-name: the attribute-name of the privilege represented as an AVP

      References: none

   privilege-value: the value-content of the privilege represented as an AVP

      References: none

   protocol: a set of types that defines specific protocols above layer 4 (e.g.
   http, https, dns, ipp, or unknown)

      References: none

   public-key: the value of a public key (regardless of its method of creation, crypto-system, or signature scheme) that can be collected from a target endpoint

      References: none

      Category: endpoint-identifier

   relationship-content-element-guid: a reference to a specific content element used in a relationship CIE

      References: none

   relationship-statement-guid: a reference to a specific SACM statement used in a relationship CIE

      References: none

   relationship-object-label: a reference to a specific label used in content (e.g. a te-label or a user-id). This reference is typically used if matching content AIEs can be done efficiently, and it can also be included in addition to a relationship-content-element-guid reference.

      References: none

   relationship-type: a set of types that is in every instance of a relationship CIE to highlight what kind of relationship exists between the CIEs the relationship is included in (e.g. associated_with_user, applies_to_session, seen_on_interface, associated_with_flow, contains_virtual_device)

      References: none

   role-name: a label that references a collection of privileges assigned to a specific entity (identity? FIXME)

      References: FIXME

   session-state-type: a set of types a discernible session (an ongoing network interaction) can be in (e.g. Authenticating, Authenticated, Postured, Started, Disconnected)

      References: [PXGRID]

   statement-guid: a label that expresses a globally unique ID referencing a specific SACM statement that was produced by a SACM component

      References: none

   statement-type: a set of types that define the type of content that is included in a SACM statement (e.g.
Observation, 873 DirectoryContent, Correlation, Assessment, Guidance) 875 References: none 877 status: a set of types that defines possible result values for a 878 finding in general (e.g. true, false, error, unknown, not 879 applicable, not evaluated) 881 References: [ARF] 883 sub-administrative-domain: a label for related child domains an 884 administrative domain can be composed of (used in the CIE 885 administrative-domain) 887 References: none 889 sub-interface-label: a unique label a sub network interface (e.g. a 890 tagged VLAN on a trunk) can be referenced with 892 References: none 894 super-administrative-domain: a label for related parent domains an 895 administrative domain is part of (used in the CIE administrative- 896 domain) 898 References: none 900 super-interface-label: a unique label a super network interface 901 (e.g. a physical interface a tunnel interface terminates on) can 902 be referenced with 904 References: none 906 te-assessment-state: a set of types that defines the state of 907 assessment of a target-endpoint (e.g. in-discovery, discovered, 908 in-classification, classified, in-assessment, assessed) 910 References: [ARF] 912 te-label: an identifying label created from a set of identifying 913 attributes used to reference a specific target endpoint 915 References: none 917 te-id: an identifying label that is created randomly, is supposed to 918 be unique, and used to reference a specific target endpoint 920 References: [ARF], [SWID] 922 Aliases: data-source 924 timestamp: a timestamp that expresses a specific point in time 926 References: [IFMAP], [ARF] 928 timestamp-type: a set of types that express what type of action or 929 event happened at that point in time (e.g. discovered, classified, 930 collected, published). Can be included in a generic timestamp CIE 932 References: none 934 units-received: a value that represents a number of units (e.g.
935 frames, packets, cells or segments) received on a network 936 interface 938 References: [PXGRID] 940 units-sent: a value that represents a number of units (e.g. frames, 941 packets, cells or segments) sent on a network interface 943 References: [PXGRID] 945 username: a part of the credentials required to access an account 946 that can be collected from a target endpoint 948 References: none 950 Category: endpoint-identifier 952 user-directory: a label that identifies a specific type of user- 953 directory (e.g. ldap, active-directory, local-user) 954 References: [PXGRID] 956 user-id: a label that references a specific user known in a SACM 957 domain 959 References: [PXGRID] 961 web-site: a URI that references a web-site 963 References: [ARF] 965 WGS84-longitude: a label that represents WGS 84 rev 2004 longitude 967 References: [SCAP-AI] 969 WGS84-latitude: a label that represents WGS 84 rev 2004 latitude 971 References: [SCAP-AI] 973 WGS84-altitude: a label that represents WGS 84 rev 2004 altitude 975 References: [SCAP-AI] 977 5.3. Vocabulary of Composite Information Elements 979 **to be inserted in section 5 as candidates** The content of every 980 Composite Information Element is expressed by the mandatory and 981 optional IE it can be composed of. The components of a CIE can have 982 a cardinality associated with them: 984 o (*): zero to unbounded occurrences 986 o (+): one to unbounded occurrences 988 o (?): zero or one occurrence 990 o (n*m): between n and m occurrences 992 o no cardinality: one occurrence 994 If there is no cardinality highlighted or the cardinality (+) or 995 (n*m) is used, including this IE in the CIE is mandatory. In 996 contrast, optional IE are expressed via the cardinality (?) or (*). 997 A CIE can prescribe a strict sequence for the component IE it 998 contains. This is indicated by an (s). 1000 address-association (s): some addresses are associated with each 1001 other, e.g.
a mac-address can be associated with a number of IP 1002 addresses or a sensor address can be associated with the external 1003 address of its two redundant IP gateways. The first address is 1004 the address a number of addresses with the same type are associated 1005 with. An address type SHOULD be included and the addresses 1006 associated with the first address entry MUST be of the same type. 1007 NANCY FIXME 1009 address 1011 address-type (?) 1013 address (+) 1015 address-type (?) 1017 administrative-domain: this CIE is intended to express more complex 1018 setups of interconnected administrative domains 1020 administrative-domain 1022 sub-administrative-domain (*) 1024 super-administrative-domain (?) 1026 location (?) 1028 application: an application is software that is not part of the 1029 kernel space (and therefore typically runs in user space). An 1030 application can depend on specific running parts of an operating 1031 system. 1033 application-label (?) 1035 application-name 1037 application-type (*) 1039 application-component (*) 1041 application-manufacturer (?) 1043 application-version (?) 1045 application-instance: a specific instance of an application that is 1046 installed on an endpoint. The application-label is used to refer 1047 to corresponding information stored in an application CIE 1049 application-label 1050 target-endpoint 1052 attribute-value-pair: a generic CIE that is used to express various 1053 AVP (e.g.
RADIUS attributes) 1055 attribute-name 1057 attribute-value 1059 content-creation-timestamp: a decimal fraction timestamp that 1060 specifies the point in time the content element was created by a 1061 SACM component 1063 decimal-fraction-denominator 1065 decimal-fraction-numerator 1067 content-element: content produced by a SACM component is 1068 encapsulated in content-elements that also include content- 1069 metadata regarding that content 1071 content-metadata (+) 1073 content (+) 1075 content-metadata: metadata regarding the content included in a 1076 specific content-element. The content the metadata annotates can 1077 be initially collected content - in this case a data-source has to 1078 be included in the metadata. Content can also be the product of a 1079 SACM component (e.g. an evaluator), which requires a data-origin 1080 IE instead that references the producer of information. 1082 content-element-guid 1084 content-creation-timestamp 1086 content-topic 1088 content-type 1090 data-source (?) 1092 data-origin (?) 1094 relationship (*) 1096 data-source: a CIE that refers to a target endpoint that is the 1097 source of SACM content - either via a label (data-source, which 1098 could also be used without this CIE), or via a list of endpoint- 1099 identifiers (category). Both can be included at the same time but 1100 MUST NOT conflict. 1102 data-source (?) 1104 endpoint-identifier (*) 1106 dst-flow-element: identifies the destination of a flow. The port 1107 number SHOULD be included if the network-address is an IP-address. 1109 network-address 1111 layer4-port-address (?) 1113 ethernet-interface: the only two mandatory components of this CIE are 1114 the mac-address and the generated label (to distinguish non-unique 1115 addresses). This acknowledges the fact that in many cases this is 1116 the only information available about an Ethernet interface.
If 1117 there is more detailed information available it MUST be included to 1118 avoid ambiguity and to increase the usefulness for consumers of 1119 information. The exceptions are sub-interface-labels and super- 1120 interface-labels, which SHOULD be included. 1122 interface-label 1124 network-interface-name (?) 1126 mac-address 1128 network-name (?) 1130 network-id (?) 1132 layer2-interface-type (?) 1134 sub-interface-label (*) 1136 super-interface-label (*) 1138 event (s): this is a special-purpose CIE that represents the change of 1139 content. As with content-elements, basically any content can be 1140 included in the two content entries. The mandatory content entry 1141 represents the "after" state of the content and the optional 1142 content entry can represent the "before" state if available or 1143 required. 1145 event-type (?) 1146 event-threshold (?) 1148 event-threshold-name (?) 1150 event-trigger (?) 1152 typed-timestamp 1154 content 1156 content (?) 1158 flow-record: a composite that expresses a single flow and its 1159 statistics. If applicable, protocol and layer4-protocol SHOULD be 1160 included 1162 src-flow-element 1164 dst-flow-element 1166 protocol (?) 1168 layer4-protocol (?) 1170 flow-statistics 1172 flow-statistics: this CIE aggregates bytes and units sent and 1173 received 1175 bytes-received 1177 bytes-sent 1179 units-received 1181 units-sent 1183 group: insert text here (work in progress) 1185 ipv4-address: an IPv4 address is always associated with a subnet. 1186 This CIE combines these two tightly knit values. Either a subnet 1187 mask or a CIDR notation bitmask SHOULD be included. 1189 ipv4-address-value 1191 ipv4-address-subnet-mask-cidrnot (?) 1193 ipv4-address-subnet-mask (?) 1195 ipv6-address: an IPv6 address is always associated with a subnet. 1196 This CIE combines these two tightly knit values. A CIDR notation 1197 bitmask SHOULD be included. 1199 ipv6-address-value 1201 ipv6-address-subnet-mask-cidrnot (?)
1203 location: a CIE that aggregates potential details about a location 1205 location-name 1207 WGS84-longitude 1209 WGS84-latitude 1211 WGS84-altitude 1213 operation-system: an operating system is software that directly 1214 interacts with the hardware, provides the runtime environment 1215 for user space and the corresponding interfaces to hardware 1216 functions. 1218 os-label (?) 1220 os-name 1222 os-type (*) 1224 os-component (*) 1226 os-manufacturer (?) 1228 os-version (?) 1230 organization: this CIE aggregates information about an organization 1231 and can be referenced via its id 1233 organization-id 1235 organization-name 1237 location (?) 1239 person: a CIE that aggregates the details about a person and 1240 combines them with an identifier unique to SACM domains 1242 person-first-name 1243 person-last-name 1245 person-middle-name (*) 1247 phone-contact (*) 1249 email-address (*) 1251 phone-contact: this CIE can be used to reference a phone number and 1252 how it functions as a contact 1254 phone-number 1256 phone-number-type (?) 1258 privilege: a CIE to express privileges via a specific name/value 1259 pair 1261 privilege-name 1263 privilege-value 1265 relationship: the relationship CIE makes it possible to associate the CIE it 1266 is included in with other CIEs if they contain a unique identifier 1267 or label, providing an alternative to including attributes of 1268 other content CIEs as a means to map them (which remains a valid 1269 alternative, though). The relationship CIE MUST at least 1270 reference one relationship object (either a SACM statement iden 1272 relationship-type 1274 relationship-content-element-guid (*) 1276 relationship-statement-guid (*) 1278 relationship-object-label (*) 1280 sacm-statement: every SACM component produces information in this 1281 format. This CIE can be considered the root IE for every SACM 1282 message generated.
There MUST be at least one content element 1283 included in a SACM statement and if there is more than one, they 1284 are ordered in a sequence. 1286 statement-metadata 1288 content-element (+)(s) 1290 session: represents an ongoing network interaction that can be in 1291 various states of authentication or assessment 1293 session-state-type 1295 (work-in-progress) 1297 src-flow-element: identifies the source of a flow. The port number 1298 SHOULD be included if the network-address is an IP-address. 1300 network-address 1302 layer4-port-address (?) 1304 statement-creation-timestamp: a decimal fraction timestamp that 1305 specifies the point in time the SACM statement was created by a 1306 SACM component 1308 decimal-fraction-denominator 1310 decimal-fraction-numerator 1312 statement-publish-timestamp: a decimal fraction timestamp that 1313 specifies the point in time the SACM component attempted to 1314 publish the SACM statement (if successful, this will result in the 1315 publish-timestamp sent with the SACM statement). 1317 decimal-fraction-denominator 1319 decimal-fraction-numerator 1321 statement-metadata: every SACM statement includes statement metadata 1322 about the SACM component it was produced by and a general category 1323 that indicates what this statement is about 1325 statement-guid 1327 data-origin 1329 statement-creation-timestamp (?) 1331 statement-publish-timestamp 1333 statement-type 1335 content-elements 1337 target-endpoint: this is a central CIE used in the process chains a 1338 SACM domain can compose. Theoretically every kind of information 1339 can be associated with a target endpoint CIE via its corresponding 1340 content element. A few select IE can be stored in the CIE itself 1341 to reduce the overhead of following references that would occur in 1342 most scenarios. If the hostname is unknown the value has to be 1343 set as an equivalent to "not available" (e.g. NULL).
Comment 1344 from the authors: This is "work in progress" and a good basis for 1345 discussion 1347 host-name 1349 te-label 1351 administrative-domain (?) 1353 application-instance (*) 1355 ethernet-interface (*) 1357 address-association (*) 1359 data-source (?) 1361 operation-system (?) 1363 te-profile: a set of expected states, policies and pieces of 1364 guidance that can be matched to a target endpoint (or a class of 1365 target endpoints "work in progress") 1367 typed-timestamp: a flexible timestamp CIE that can express the 1368 specific type of timestamp via its content. This is an 1369 alternative to the "named" timestamps that do not include a 1370 timestamp-type 1372 decimal-fraction-denominator 1374 decimal-fraction-numerator 1376 timestamp-type 1378 user: a CIE that references details of a specific user known in a 1379 SACM domain active on a specific target endpoint 1381 user-id 1383 username (?) 1384 data-source (?) 1386 user-directory (?) 1388 6. Example composition of SACM statements 1390 This section illustrates how SACM statements can be composed of 1391 content information elements, how relationship CIEs can be used in 1392 content metadata, and how the categories statement-type, content- 1393 topic and content-type are intended to be used. 1395 The SACM statement instances are written in pseudo code. AIE end 1396 with a colon. Some AIE include exemplary values to, for example, 1397 present how references to guids and labels can be used. For the sake 1398 of brevity, not all mandatory IE that are part of a CIE are always 1399 included (e.g. as is the case with target-endpoint). 1401 The example shows three SACM statements that were produced by three 1402 different SACM components that overall include four related content 1403 elements. 1405 This is (work in progress).
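The following Python program is an added worked example; it is not part of this draft and not code from any SACM implementation. It turns the cardinality notation of Section 5.3 into a validator for CIE instances, resolves relationship references by content-element-guid across statements, and applies the "after"/"before" semantics of the event CIE to flag a privilege escalation. The sample data mirrors the three pseudo-code statements of this section but is constructed: the guids and component labels are the draft's example labels, the numeric decimal-fraction timestamp is made up, relationships use the relationship-content-element-guid IE from Section 5.3, and the target-endpoint content element is deliberately left out so that one reference stays unresolved, which a consumer has to tolerate. The dict-based representation (a CIE instance is a dict keyed by IE name, repeated components are lists, and a content entry is a one-key dict {cie-name: instance}) is an assumption of this example, not something the draft prescribes.

```python
"""Added example (not part of the draft): Section 5.3 cardinality validator,
relationship resolver and privilege-escalation check over statements shaped
like the Section 6 pseudo code.  Representation is an assumption: a CIE
instance is a dict keyed by IE name, repeats are lists, content entries are
one-key dicts {cie-name: instance}."""
import re
from datetime import datetime, timezone

def parse_cardinality(mark):
    """Section 5.3 markers -> (min, max); max None means unbounded; "n*m" -> (n, m)."""
    fixed = {"": (1, 1), "*": (0, None), "+": (1, None), "?": (0, 1)}
    return fixed[mark] if mark in fixed else tuple(int(x) for x in mark.split("*"))

# Component lists copied from Section 5.3 for the CIEs this example needs.
SCHEMAS = {
    "sacm-statement": ["statement-metadata", "content-element(+)"],
    "statement-metadata": ["statement-guid", "data-origin", "statement-type",
                           "statement-creation-timestamp(?)", "statement-publish-timestamp"],
    "content-element": ["content-metadata(+)", "content(+)"],
    "content-metadata": ["content-element-guid", "content-creation-timestamp", "content-topic",
                         "content-type", "data-source(?)", "data-origin(?)", "relationship(*)"],
    "relationship": ["relationship-type", "relationship-content-element-guid(*)",
                     "relationship-statement-guid(*)", "relationship-object-label(*)"],
    "event": ["event-type(?)", "event-threshold(?)", "event-threshold-name(?)",
              "event-trigger(?)", "typed-timestamp", "content(1*2)"],   # after, optional before
    "typed-timestamp": ["decimal-fraction-denominator", "decimal-fraction-numerator", "timestamp-type"],
    "privilege": ["privilege-name", "privilege-value"],
}

def _items(v):
    return v if isinstance(v, list) else [v]

def validate(cie, inst, path=""):
    """Return cardinality violations and undeclared components, recursing into known CIEs."""
    errors, seen = [], set()
    for comp in SCHEMAS[cie]:
        name, mark = re.fullmatch(r"([\w-]+)(?:\((.*)\))?", comp).groups()
        lo, hi = parse_cardinality(mark or "")
        seen.add(name)
        items = _items(inst[name]) if name in inst else []
        if len(items) < lo or (hi is not None and len(items) > hi):
            errors.append(f"{path}{cie}.{name}: {len(items)} occurrence(s), "
                          f"allowed {lo}..{'n' if hi is None else hi}")
        for item in items:        # a 'content' entry wraps another CIE: unwrap it first
            inner, sub = next(iter(item.items())) if name == "content" else (name, item)
            if inner in SCHEMAS:
                errors += validate(inner, sub, f"{path}{cie}.")
    errors += [f"{path}{cie}.{k}: not a declared component" for k in inst if k not in seen]
    return errors

def resolve_relationships(statements):
    """(from-guid, relationship-type, to-guid, to-topic); to-topic is None if unresolved."""
    idx = {md["content-element-guid"]: md for st in statements
           for ce in _items(st["content-element"]) for md in _items(ce["content-metadata"])}
    out = []
    for guid, md in idx.items():
        for rel in _items(md.get("relationship", [])):
            for target in _items(rel.get("relationship-content-element-guid", [])):
                topic = idx[target]["content-topic"] if target in idx else None
                out.append((guid, rel["relationship-type"], target, topic))
    return out

def ts_to_datetime(ts):
    """decimal-fraction timestamp (numerator/denominator seconds since epoch) -> UTC datetime."""
    secs = ts["decimal-fraction-numerator"] / ts["decimal-fraction-denominator"]
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def privilege_escalations(statements):
    """Events whose mandatory 'after' privilege is true while the 'before' state is false."""
    found = []
    for st in statements:
        for ce in _items(st["content-element"]):
            for ev in (c["event"] for c in _items(ce["content"]) if "event" in c):
                states = [c["privilege"] for c in _items(ev["content"]) if "privilege" in c]
                if len(states) == 2 and states[0]["privilege-value"] and not states[1]["privilege-value"]:
                    found.append((states[0]["privilege-name"], ts_to_datetime(ev["typed-timestamp"])))
    return found

def example_statements():
    """Constructed data after Section 6; the target-endpoint element is left out on purpose."""
    ts = {"decimal-fraction-numerator": 1460102400, "decimal-fraction-denominator": 1,
          "timestamp-type": "time-of-observation"}          # 2016-04-08T08:00:00Z, made up
    def meta(guid, topic, ctype, *rels):
        return {"content-element-guid": guid, "content-creation-timestamp": ts,
                "content-topic": topic, "content-type": ctype, "relationship": list(rels)}
    def rel(rtype, guid):
        return {"relationship-type": rtype, "relationship-content-element-guid": [guid]}
    def stmt(guid, origin, stype, ce):
        return {"statement-metadata": {"statement-guid": guid, "data-origin": origin,
                "statement-publish-timestamp": f"TS-{guid}", "statement-type": stype},
                "content-element": [ce]}
    def priv(value):
        return {"privilege": {"privilege-name": "super-user-escalation", "privilege-value": value}}
    return [
        stmt("example-sguid-one", "SACM-component-label-one", "Observation",
             {"content-metadata": meta("example-cguid-one", "Flow", "EndpointState",
                                       rel("is-associated-with-user", "example-cguid-three"),
                                       rel("is-associated-with-te", "example-cguid-two")),
              "content": [{"flow-record": {"protocol": "ssh", "layer4-protocol": "tcp"}}]}),
        stmt("example-sguid-two", "SACM-component-label-two", "DirectoryContent",
             {"content-metadata": meta("example-cguid-three", "User", "DirectoryEntry"),
              "content": [{"user": {"user-id": "example-user-id"}}]}),
        stmt("example-sguid-three", "SACM-component-label-three", "Observation",
             {"content-metadata": meta("example-cguid-four", "Privileges", "Event",
                                       rel("is-associated-with-user", "example-cguid-three")),
              "content": [{"event": {"event-type": "change-of-privilege", "typed-timestamp": ts,
                                     "content": [priv(True), priv(False)]}}]}),
    ]

if __name__ == "__main__":
    s = example_statements()
    print([validate("sacm-statement", x) for x in s], resolve_relationships(s), privilege_escalations(s))
```

Two points the pseudo code alone does not make visible: validation is structural only (a statement with all mandatory IEs present still says nothing about whether its guids resolve), and the is-associated-with-te reference comes back with topic None because the referenced content element was never received. A consumer that follows relationship references therefore needs a policy for unresolved guids (queue, query the producer, or discard) rather than assuming every referenced content element is already in its store.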
1407 sacm statement 1408 statement-metadata 1409 statement-guid: example-sguid-one 1410 data-origin: SACM-component-label-one 1411 statement-publish-timestamp: example-TS-one 1412 statement-type: Observation 1413 content-element 1414 content-metadata 1415 content-element-guid: example-cguid-one 1416 content-creation-timestamp: 1417 content-topic: Flow 1418 content-type: EndpointState 1419 relationship 1420 relationship-type: is-associated-with-user 1421 relationship-content-object: example-cguid-three 1422 relationship 1423 relationship-type: is-associated-with-te 1424 relationship-content-object: example-cguid-two 1425 relationship 1426 relationship-type: is-associated-with-te 1427 relationship-content-object: example-te-label 1428 flow-record 1429 src-flow-element 1430 network-address (ipv4-address) 1431 ipv4-address-value: 1433 ipv4-address-subnet-mask-cidrnot: 1434 layer4-port-address: 23111 1435 dst-flow-element 1436 network-address (ipv4-address) 1437 ipv4-address-value: 1438 ipv4-address-subnet-mask-cidrnot: 1439 layer4-port-address: 22 1440 protocol: ssh 1441 layer4-protocol: tcp 1442 flow-statistics 1443 bytes-received: 1444 bytes-sent: 1445 units-received: 1446 units-sent: 1447 content-element 1448 content-metadata 1449 content-element-guid: example-cguid-two 1450 content-creation-timestamp: 1451 content-topic: TargetEndpoint 1452 content-type: EndpointConfiguration 1453 target-endpoint 1454 te-label: example-te-label 1455 host-name: example-host-name 1456 ethernet-interface: example-interface 1458 sacm statement 1459 statement-metadata 1460 statement-guid: example-sguid-two 1461 data-origin: SACM-component-label-two 1462 statement-publish-timestamp: example-TS-two 1463 statement-type: DirectoryContent 1464 content-element 1465 content-metadata 1466 content-element-guid: example-cguid-three 1467 content-creation-timestamp: 1468 content-topic: User 1469 content-type: DirectoryEntry 1470 user 1471 user-name: example-username 1472 user-directory:
component-id 1474 sacm statement 1475 statement-metadata 1476 statement-guid: example-sguid-three 1477 data-origin: SACM-component-label-three 1478 statement-publish-timestamp: example-TS-three 1479 statement-type: Observation 1480 content-element 1481 content-metadata 1482 content-element-guid: example-cguid-four 1483 content-creation-timestamp: 1484 content-topic: Privileges 1485 content-type: Event 1486 relationship 1487 relationship-type: is-associated-with-user 1488 relationship-content-object: example-cguid-three 1489 event 1490 event-type: change-of-privilege 1491 typed-timestamp 1492 decimal-fraction-denominator: 1493 decimal-fraction-numerator: 1494 timestamp-type: time-of-observation 1495 privilege 1496 privilege-name: super-user-escalation 1497 privilege-value: true 1498 privilege 1499 privilege-name: super-user-escalation 1500 privilege-value: false 1502 7. IANA considerations 1504 This document includes requests to IANA. 1506 8. Security Considerations 1508 9. Acknowledgements 1510 10. Change Log 1512 First revision -00 1514 Second revision -00. Rename to Camwinget (removed -) to make 1515 submissions happier. Demonstrate how to integrate with WG draft. 1517 11. Contributors 1519 12. References 1521 12.1. Normative References 1523 [ARF] Corporation, T., "Assessment Results Format", 2010. 1525 [IFMAP] "TCG Trusted Network Communications - TNC IF-MAP Metadata 1526 for Network Security Specification Version 1.1r9", May 1527 2012. 1529 [PXGRID] Appala, S., Cam-Winget, N., McGrew, D., and J. Verma, "An 1530 Actionable Threat Intelligence system using a Publish- 1531 Subscribe communications model", ACM Proceedings of the 1532 2nd ACM Workshop on Information Sharing and Collaborative 1533 Security, pages 61-70, DOI 10.1145/2808128.2808131, 1534 ISBN 978-1-4503-3822-6. 1536 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1537 Requirement Levels", BCP 14, RFC 2119, 1538 DOI 10.17487/RFC2119, March 1997, 1539 <https://www.rfc-editor.org/info/rfc2119>. 1541 [RFC2863] McCloghrie, K.
and F. Kastenholz, "The Interfaces Group 1542 MIB", RFC 2863, DOI 10.17487/RFC2863, June 2000, 1543 <https://www.rfc-editor.org/info/rfc2863>. 1545 [RFC3635] Flick, J., "Definitions of Managed Objects for the 1546 Ethernet-like Interface Types", RFC 3635, 1547 DOI 10.17487/RFC3635, September 2003, 1548 <https://www.rfc-editor.org/info/rfc3635>. 1550 [SCAP-AI] Wunder, J., Halbardier, A., and D. Waltermire, 1551 "Specification for Asset Identification 1.1", NIST 1552 Interagency Report 7693, 2011. 1554 [SWID] "Information technology - Software asset management - Part 1555 2: Software identification tag", ISO/IEC 19770-2:2015, 1556 October 2015. 1558 12.2. Informative References 1560 [I-D.ietf-sacm-requirements] 1561 Cam-Winget, N. and L. Lorenzin, "Security Automation and 1562 Continuous Monitoring (SACM) Requirements", draft-ietf- 1563 sacm-requirements-13 (work in progress), March 2016. 1565 [RFC7632] Waltermire, D. and D. Harrington, "Endpoint Security 1566 Posture Assessment: Enterprise Use Cases", RFC 7632, 1567 DOI 10.17487/RFC7632, September 2015, 1568 <https://www.rfc-editor.org/info/rfc7632>. 1570 Authors' Addresses 1571 Henk Birkholz 1572 Fraunhofer SIT 1573 Rheinstrasse 75 1574 Darmstadt 64295 1575 Germany 1577 Email: henk.birkholz@sit.fraunhofer.de 1579 Nancy Cam-Winget 1580 Cisco Systems 1581 3550 Cisco Way 1582 San Jose, CA 95134 1583 USA 1585 Email: ncamwing@cisco.com