Security Automation and Continuous Monitoring                   M. Cokus
Internet-Draft                                                 D. Haynes
Intended status: Informational                             D. Rothenberg
Expires: March 11, 2017                            The MITRE Corporation
                                                             J. Gonzalez
                                         Department of Homeland Security
                                                       September 7, 2016

                        OVAL(R) Variables Model
               draft-haynes-sacm-oval-variables-model-01

Abstract

   This document specifies Version 5.11.1 of the OVAL Variables Model
   which contains constructs that allow for the specification of values
   for external_variables defined in content that was created using the
   OVAL Definitions Model.  The OVAL Variables Model serves as a useful
   mechanism for parameterizing content based on the OVAL Definitions
   Model.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 11, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  oval_variables
   3.  VariablesType
   4.  VariableType
   5.  OVAL Variables Model Schema
   6.  Intellectual Property Considerations
   7.  Acknowledgements
   8.  IANA Considerations
   9.  Security Considerations
   10. Change Log
     10.1.  -00 to -01
   11. References
     11.1.  Normative References
     11.2.  Informative References
   Authors' Addresses
1.  Introduction

   The Open Vulnerability and Assessment Language (OVAL) [OVAL-WEBSITE]
   is an international, information security community effort to
   standardize how to assess and report upon the machine state of
   systems.  For over ten years, OVAL has been developed in
   collaboration with any and all interested parties to promote open and
   publicly available security content and to standardize the
   representation of this information across the entire spectrum of
   security tools and services.

   OVAL provides an established framework for making assertions about a
   system's state by standardizing the three main steps of the
   assessment process: representing the current machine state; analyzing
   the system for the presence of the specified machine state; and
   representing the results of the assessment.  This facilitates
   collaboration and information sharing among the information security
   community and interoperability among tools.

   This draft is part of the OVAL contribution to the IETF SACM WG that
   standardizes the representation used to analyze a system for the
   presence of a specific machine state.  It is intended to serve as a
   starting point for the endpoint posture assessment data modeling
   needs of SACM, specifically for creating parameterized Collection and
   Evaluation Guidance.
1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].
2.  oval_variables

   The oval_variables type defines the base structure in the OVAL
   Variables Model for representing a collection of OVAL Variables and
   their associated values.  This container type adds metadata about the
   origin of the content and allows for a signature.

   +-----------+--------------------+-------+--------------------------+
   | Property  | Type               | Count | Description              |
   +-----------+--------------------+-------+--------------------------+
   | generator | oval:GeneratorType | 1     | Information regarding    |
   |           |                    |       | the generation of the    |
   |           |                    |       | OVAL Variables content.  |
   |           |                    |       | The timestamp property   |
   |           |                    |       | of the generator MUST    |
   |           |                    |       | represent the time at    |
   |           |                    |       | which the oval_variables |
   |           |                    |       | was created.             |
   |           |                    |       |                          |
   | variables | VariablesType      | 1     | The variables defined in |
   |           |                    |       | the OVAL Variables       |
   |           |                    |       | content.                 |
   |           |                    |       |                          |
   | signature | ext:Signature      | 0..1  | Mechanism to ensure the  |
   |           |                    |       | integrity and            |
   |           |                    |       | authenticity of the OVAL |
   |           |                    |       | Variables content.       |
   +-----------+--------------------+-------+--------------------------+

                    Table 1: oval_variables Construct
3.  VariablesType

   The VariablesType provides a container for one or more OVAL
   Variables.

   +----------+--------------+-------+---------------------------------+
   | Property | Type         | Count | Description                     |
   +----------+--------------+-------+---------------------------------+
   | variable | VariableType | 1..*  | A collection of OVAL Variables. |
   +----------+--------------+-------+---------------------------------+

                     Table 2: VariablesType Construct
4.  VariableType

   The VariableType defines a variable in the OVAL Variables Model that
   corresponds to an instance of an external variable in content based
   on the OVAL Definitions Model.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | id       | oval:VariableIDPattern         | 1     | The globally  |
   |          |                                |       | unique        |
   |          |                                |       | identifier of |
   |          |                                |       | an external   |
   |          |                                |       | variable.     |
   |          |                                |       |               |
   | datatype | oval:SimpleDatatypeEnumeration | 1     | The datatype  |
   |          |                                |       | of the        |
   |          |                                |       | value(s) in   |
   |          |                                |       | the variable. |
   |          |                                |       |               |
   | comment  | string                         | 1     | The           |
   |          |                                |       | documentation |
   |          |                                |       | associated    |
   |          |                                |       | with the      |
   |          |                                |       | variable      |
   |          |                                |       | instance.     |
   |          |                                |       |               |
   | value    | string                         | 1..*  | The value(s)  |
   |          |                                |       | associated    |
   |          |                                |       | with the      |
   |          |                                |       | variable.     |
   +----------+--------------------------------+-------+---------------+

                     Table 3: VariableType Construct
5.  OVAL Variables Model Schema

   The XML Schema that implements this OVAL Variables Model can be found
   below.

   [The XML Schema markup is not present in this copy of the document;
   only the documentation text carried in the schema's annotation
   elements survives and is reproduced here.]

   Schema documentation:

      The following is a description of the elements, types, and
      attributes that compose the core schema for encoding Open
      Vulnerability and Assessment Language (OVAL) Variables.  This
      schema is provided to give structure to any external variables and
      their values that an OVAL Definition is expecting.

      Core Variable
      5.11.1
      4/22/2015 09:00:00 AM
      Copyright (C) 2010 United States Government.  All Rights Reserved.

   oval_variables element:

      The oval_variables element is the root of an OVAL Variable
      Document.  Its purpose is to bind together the different variables
      contained in the document.  The generator section must be present
      and provides information about when the variable file was compiled
      and under what version.  The optional Signature element allows an
      XML Signature as defined by the W3C to be attached to the
      document.  This allows authentication and data integrity to be
      provided to the user.  Enveloped signatures are supported.  More
      information about the official W3C Recommendation regarding XML
      digital signatures can be found at
      http://www.w3.org/TR/xmldsig-core/.

   Variable id uniqueness constraint:

      Enforce uniqueness amongst the variable ids found in the variable
      document.

   VariablesType:

      The VariablesType complex type is a container for one or more
      variable elements.  Each variable element holds the value of an
      external variable used in an OVAL Definition.  Please refer to the
      description of the VariableType for more information about an
      individual variable.

   VariableType:

      Each variable element contains the associated datatype and value
      which will be substituted into the OVAL Definition that is
      referencing this specific variable.

      The notes section of a variable should be used to hold information
      that might be helpful to someone examining the technical aspects
      of the variable.  Please refer to the description of the NotesType
      complex type for more information about the notes element.

   Datatype note:

      Note that the 'record' datatype is not permitted on variables.
6.  Intellectual Property Considerations

   Copyright (C) 2010 United States Government.  All Rights Reserved.

   DHS, on behalf of the United States, owns the registered OVAL
   trademarks, identifying the OVAL STANDARDS SUITE and any component
   part, as that suite has been provided to the IETF Trust.  A "(R)"
   will be used in conjunction with the first use of any OVAL trademark
   in any document or publication in recognition of DHS's trademark
   ownership.

7.  Acknowledgements

   The authors wish to thank DHS for sponsoring the OVAL effort over the
   years which has made this work possible.  The authors also wish to
   thank the original authors of this document Jonathan Baker, Matthew
   Hansbury, and Daniel Haynes of the MITRE Corporation as well as the
   OVAL Community for its assistance in contributing and reviewing the
   original document.  The authors would also like to acknowledge Dave
   Waltermire of NIST for his contribution to the development of the
   original document.

8.  IANA Considerations

   This memo includes no request to IANA.
9.  Security Considerations

   While OVAL is just a set of data models and does not directly
   introduce security concerns, it does provide a mechanism by which to
   represent endpoint posture assessment information.  This information
   could be extremely valuable to an attacker, allowing them to learn
   very sensitive information including, but not limited to, security
   policies, systems on the network, criticality of systems, software
   and hardware inventory, patch levels, user accounts and much more.
   To address this concern, all endpoint posture assessment information
   should be protected while in transit and at rest.  Furthermore, it
   should only be shared with parties that are authorized to receive it.

   Another possible security concern is due to the fact that content
   expressed as OVAL has the ability to impact how a security tool
   operates.  For example, content may instruct a tool to collect
   certain information off a system or may be used to drive follow-up
   actions like remediation.  As a result, it is important for security
   tools to ensure that they are obtaining OVAL content from a trusted
   source, that it has not been modified in transit, and that proper
   validation is performed in order to ensure it does not contain
   malicious data.
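   The constraints this document states can be checked mechanically
   before any value is substituted into an OVAL Definition: the property
   counts of Tables 1 to 3, the uniqueness of variable ids required by
   the schema, the exclusion of the 'record' datatype, and the presence
   of the generator timestamp.  The following Python program is an added
   example written for this page, not code from the draft or from any
   OVAL implementation; it is one way to perform the validation step the
   preceding paragraph asks of tools.  The variable id pattern and the
   list of simple datatypes are recalled from the OVAL common schema and
   are assumptions rather than content of this document, and the
   namespace URI and the two sample documents are constructed
   placeholders.

```python
# Added example, not code from the draft or from any OVAL tool: structural
# checks on an OVAL Variables document before its values reach an evaluator.
import re
import xml.etree.ElementTree as ET

# Assumption: oval:VariableIDPattern as recalled from the OVAL common schema.
VARIABLE_ID_RE = re.compile(r"^oval:[A-Za-z0-9_\-\.]+:var:[1-9][0-9]*$")

# Assumption: oval:SimpleDatatypeEnumeration as recalled from the OVAL common
# schema.  'record' is deliberately absent, as the schema note requires.
SIMPLE_DATATYPES = frozenset({
    "binary", "boolean", "evr_string", "debian_evr_string", "fileset_revision",
    "float", "ios_version", "ipv4_address", "ipv6_address", "int", "string",
    "version",
})


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace URI, keep the local name


def _children(elem, name):
    return [child for child in elem if _local(child.tag) == name]


def validate_oval_variables(xml_text):
    """Return the problems found; an empty list means Tables 1-3 and the
    variable id uniqueness constraint of the schema are all satisfied."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "oval_variables":
        return [f"root element is '{_local(root.tag)}', expected 'oval_variables'"]
    problems = []

    # Table 1: exactly one generator, and its timestamp must be present.
    generators = _children(root, "generator")
    if len(generators) != 1:
        problems.append(f"expected 1 generator, found {len(generators)}")
    else:
        stamps = _children(generators[0], "timestamp")
        if not stamps or not (stamps[0].text or "").strip():
            problems.append("generator has no timestamp")

    # Tables 1 and 2: exactly one variables container holding 1..* variables.
    containers = _children(root, "variables")
    if len(containers) != 1:
        return problems + [f"expected 1 variables element, found {len(containers)}"]
    variables = _children(containers[0], "variable")
    if not variables:
        problems.append("variables element holds no variable")

    # Table 3 plus the schema's uniqueness constraint on variable ids.
    seen = set()
    for var in variables:
        vid = var.get("id", "")
        if not VARIABLE_ID_RE.match(vid):
            problems.append(f"variable id '{vid}' does not match VariableIDPattern")
        if vid in seen:
            problems.append(f"duplicate variable id '{vid}'")
        seen.add(vid)
        datatype = var.get("datatype")
        if datatype == "record":
            problems.append(f"{vid}: 'record' datatype is not permitted on variables")
        elif datatype not in SIMPLE_DATATYPES:
            problems.append(f"{vid}: unknown datatype '{datatype}'")
        if var.get("comment") is None:
            problems.append(f"{vid}: missing required comment")
        if not _children(var, "value"):
            problems.append(f"{vid}: no value element")
    return problems


# Constructed sample that satisfies the model; the namespace is a placeholder.
GOOD_DOC = """<?xml version="1.0"?>
<oval_variables xmlns="urn:example:oval-variables-placeholder">
  <generator><timestamp>2016-09-07T00:00:00</timestamp></generator>
  <variables>
    <variable id="oval:example:var:1" datatype="int" comment="Constructed: max password age">
      <value>90</value>
    </variable>
    <variable id="oval:example:var:2" datatype="string" comment="Constructed: SSH ciphers">
      <value>aes256-gcm@openssh.com</value>
      <value>chacha20-poly1305@openssh.com</value>
    </variable>
  </variables>
</oval_variables>
"""

# Constructed sample with four defects: a 'record' datatype, a variable with
# no value, a duplicate id, and an id that does not match the pattern.
BAD_DOC = """<?xml version="1.0"?>
<oval_variables xmlns="urn:example:oval-variables-placeholder">
  <generator><timestamp>2016-09-07T00:00:00</timestamp></generator>
  <variables>
    <variable id="oval:example:var:1" datatype="record" comment="c"/>
    <variable id="oval:example:var:1" datatype="int" comment="c"><value>1</value></variable>
    <variable id="not-an-oval-id" datatype="int" comment="c"><value>2</value></variable>
  </variables>
</oval_variables>
"""
```

   Calling validate_oval_variables(GOOD_DOC) returns an empty list and
   validate_oval_variables(BAD_DOC) returns four findings.  A check of
   this kind catches values that fall outside the model but does not
   establish where the content came from; that is the job of the
   signature described in Table 1, and the two belong together in a
   tool's intake path.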
10.  Change Log

10.1.  -00 to -01

   There are no textual changes associated with this revision.  This
   revision simply reflects a resubmission of the document so that it
   remains in active status.

11.  References

11.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997, .

11.2.  Informative References

   [OVAL-WEBSITE]
              The MITRE Corporation, "The Open Vulnerability and
              Assessment Language", 2015, .
Authors' Addresses

   Michael Cokus
   The MITRE Corporation
   903 Enterprise Parkway, Suite 200
   Hampton, VA 23666
   USA

   Email: msc@mitre.org


   Daniel Haynes
   The MITRE Corporation
   202 Burlington Road
   Bedford, MA 01730
   USA

   Email: dhaynes@mitre.org


   David Rothenberg
   The MITRE Corporation
   202 Burlington Road
   Bedford, MA 01730
   USA

   Email: drothenberg@mitre.org


   Juan Gonzalez
   Department of Homeland Security
   245 Murray Lane
   Washington, DC 20548
   USA

   Email: juan.gonzalez@dhs.gov