idnits 2.17.1

draft-ietf-sacm-information-model-10.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 158 pages

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (April 27, 2017) is 2556 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC2863' is mentioned on line 2743, but not defined

  == Missing Reference: 'RFC6759' is mentioned on line 2822, but not defined

  == Missing Reference: 'RFC5102' is mentioned on line 3027, but not defined

  ** Obsolete undefined reference: RFC 5102 (Obsoleted by RFC 7012)

  == Missing Reference: 'RFC5226' is mentioned on line 3036, but not defined

  ** Obsolete undefined reference: RFC 5226 (Obsoleted by RFC 8126)

  == Missing Reference: 'RFC3629' is mentioned on line 2971, but not defined

  == Missing Reference: 'RFC4646' is mentioned on line 2953, but not defined

  ** Obsolete undefined reference: RFC 4646 (Obsoleted by RFC 5646)

  == Missing Reference: 'RFC2482' is mentioned on line 2954, but not defined

  ** Obsolete undefined reference: RFC 2482 (Obsoleted by RFC 6082)

  == Missing Reference: 'RFC2277' is mentioned on line 2960, but not defined

  == Missing Reference: 'BER' is mentioned on line 3252, but not defined

  == Missing Reference: 'RFC3411' is mentioned on line 3348, but not defined

  == Missing Reference: 'RFC2578' is mentioned on line 3376, but not defined

  -- Possible downref: Non-RFC (?) normative reference: ref. 'PEN'

  == Outdated reference: A later version (-18) exists of
     draft-ietf-sacm-requirements-01

  == Outdated reference: A later version (-16) exists of
     draft-ietf-sacm-terminology-05

  -- Obsolete informational reference (is this intentional?): RFC 2434
     (Obsoleted by RFC 5226)

     Summary: 4 errors (**), 0 flaws (~~), 15 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

SACM                                                  D. Waltermire, Ed.
Internet-Draft                                                      NIST
Intended status: Standards Track                               K. Watson
Expires: October 29, 2017                                            DHS
                                                                 C. Kahn
                                                             L. Lorenzin
                                                       Pulse Secure, LLC
                                                                M. Cokus
                                                               D. Haynes
                                                   The MITRE Corporation
                                                             H. Birkholz
                                                          Fraunhofer SIT
                                                          April 27, 2017

                         SACM Information Model
                  draft-ietf-sacm-information-model-10

Abstract

   This document defines the Information Elements that are transported
   between SACM components and their interconnected relationships.  The
   primary purpose of the Secure Automation and Continuous Monitoring
   (SACM) Information Model is to ensure the interoperability of
   corresponding SACM data models and to address the use cases defined
   by SACM.  The Information Elements and corresponding types are
   maintained as the IANA "SACM Information Elements" registry.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 29, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
     2.1.  Requirements Language
     2.2.  Information Element Examples
   3.  Information Elements
     3.1.  Context of Information Elements
     3.2.  Extensibility of Information Elements
   4.  Structure of Information Elements
     4.1.  Information Element Naming Convention
     4.2.  SACM Content Elements
     4.3.  SACM Statements
     4.4.  Relationships
     4.5.  Event
     4.6.  Categories
   5.  Abstract Data Types
     5.1.  Simple Datatypes
       5.1.1.  IPFIX Datatypes
     5.2.  Structured Datatypes
       5.2.1.  List Datatypes
       5.2.2.  Enumeration Datatype
       5.2.3.  Category Datatype
   6.  Information Model Assets
     6.1.  Asset
     6.2.  Endpoint
     6.3.  Hardware Component
     6.4.  Software Component
       6.4.1.  Software Instance
     6.5.  Identity
     6.6.  Guidance
       6.6.1.  Collection Guidance
       6.6.2.  Evaluation Guidance
       6.6.3.  Classification Guidance
       6.6.4.  Storage Guidance
       6.6.5.  Evaluation Results
   7.  Information Model Elements
     7.1.  sacmStatement
     7.2.  sacmStatementMetadata
     7.3.  sacmContentElement
     7.4.  sacmContentElementMetadata
     7.5.  targetEndpoint
     7.6.  targetEndpointIdentifier
     7.7.  targetEndpointLabel
     7.8.  anyIE
     7.9.  accessPrivilegeType
     7.10.  accountName
     7.11.  administrativeDomainType
     7.12.  addressAssociationType
     7.13.  addressMaskValue
     7.14.  addressType
     7.15.  addressValue
     7.16.  applicationComponent
     7.17.  applicationLabel
     7.18.  applicationType
     7.19.  applicationManufacturer
     7.20.  authenticator
     7.21.  authenticationType
     7.22.  birthdate
     7.23.  bytesReceived
     7.24.  bytesReceived
     7.25.  bytesSent
     7.26.  certificate
     7.27.  collectionTaskType
     7.28.  confidence
     7.29.  contentAction
     7.30.  countryCode
     7.31.  dataOrigin
     7.32.  dataSource
     7.33.  default-depth
     7.34.  discoverer
     7.35.  emailAddress
     7.36.  eventType
     7.37.  eventThreshold
     7.38.  eventThresholdName
     7.39.  eventTrigger
     7.40.  firmwareId
     7.41.  hostName
     7.42.  interfaceLabel
     7.43.  ipv6AddressSubnetMask
     7.44.  ipv6AddressSubnetMaskCidrNotation
     7.45.  ipv6AddressValue
     7.46.  ipv4AddressSubnetMask
     7.47.  ipv4AddressSubnetMaskCidrNotation
     7.48.  ipv4AddressValue
     7.49.  layer2InterfaceType
     7.50.  layer4PortAddress
     7.51.  layer4Protocol
     7.52.  locationName
     7.53.  networkZoneLocation
     7.54.  layer2NetworkLocation
     7.55.  layer3NetworkLocation
     7.56.  macAddressValue
     7.57.  methodLabel
     7.58.  methodRepository
     7.59.  networkAccessLevelType
     7.60.  networkId
     7.61.  networkInterfaceName
     7.62.  networkLayer
     7.63.  networkName
     7.64.  organizationId
     7.65.  patchId
     7.66.  patchName
     7.67.  personFirstName
     7.68.  personLastName
     7.69.  personMiddleName
     7.70.  phoneNumber
     7.71.  phoneNumberType
     7.72.  privilegeName
     7.73.  privilegeValue
     7.74.  protocol
     7.75.  publicKey
     7.76.  relationshipContentElementGuid
     7.77.  relationshipStatementElementGuid
     7.78.  relationshipObjectLabel
     7.79.  relationshipType
     7.80.  roleName
     7.81.  sessionStateType
     7.82.  statementGuid
     7.83.  statementType
     7.84.  status
     7.85.  subAdministrativeDomain
     7.86.  subInterfaceLabel
     7.87.  superAdministrativeDomain
     7.88.  superInterfaceLabel
     7.89.  teAssessmentState
     7.90.  teLabel
     7.91.  teId
     7.92.  timestampType
     7.93.  unitsReceived
     7.94.  unitsSent
     7.95.  userDirectory
     7.96.  sacmUserId
     7.97.  webSite
     7.98.  WGS84Longitude
     7.99.  WGS84Latitude
     7.100.  WGS84Altitude
     7.101.  hardwareSerialNumber
     7.102.  interfaceName
     7.103.  interfaceIndex
     7.104.  interfaceMacAddress
     7.105.  interfaceType
     7.106.  interfaceFlags
     7.107.  networkInterface
     7.108.  softwareIdentifier
     7.109.  softwareTitle
     7.110.  softwareCreator
     7.111.  simpleSoftwareVersion
     7.112.  rpmSoftwareVersion
     7.113.  ciscoTrainSoftwareVersion
     7.114.  softwareVersion
     7.115.  softwareLastUpdated
     7.116.  softwareClass
     7.117.  softwareInstance
     7.118.  globallyUniqueIdentifier
     7.119.  creationTimestamp
     7.120.  collectionTimestamp
     7.121.  publicationTimestamp
     7.122.  relayTimestamp
     7.123.  storageTimestamp
     7.124.  type
     7.125.  protocolIdentifier
     7.126.  sourceTransportPort
     7.127.  sourceIPv4PrefixLength
     7.128.  ingressInterface
     7.129.  destinationTransportPort
     7.130.  sourceIPv6PrefixLength
     7.131.  sourceIPv4Prefix
     7.132.  destinationIPv4Prefix
     7.133.  sourceMacAddress
     7.134.  ipVersion
     7.135.  interfaceDescription
     7.136.  applicationDescription
     7.137.  applicationId
     7.138.  applicationName
     7.139.  exporterIPv4Address
     7.140.  exporterIPv6Address
     7.141.  portId
     7.142.  templateId
     7.143.  collectorIPv4Address
     7.144.  collectorIPv6Address
     7.145.  informationElementIndex
     7.146.  informationElementId
     7.147.  informationElementDataType
     7.148.  informationElementDescription
     7.149.  informationElementName
     7.150.  informationElementRangeBegin
     7.151.  informationElementRangeEnd
     7.152.  informationElementSemantics
     7.153.  informationElementUnits
     7.154.  applicationCategoryName
     7.155.  mibObjectValueInteger
     7.156.  mibObjectValueOctetString
     7.157.  mibObjectValueOID
     7.158.  mibObjectValueBits
     7.159.  mibObjectValueIPAddress
     7.160.  mibObjectValueCounter
     7.161.  mibObjectValueGauge
     7.162.  mibObjectValueTimeTicks
     7.163.  mibObjectValueUnsigned
     7.164.  mibObjectValueTable
     7.165.  mibObjectValueRow
     7.166.  mibObjectIdentifier
     7.167.  mibSubIdentifier
     7.168.  mibIndexIndicator
     7.169.  mibCaptureTimeSemantics
     7.170.  mibContextEngineID
     7.171.  mibContextName
     7.172.  mibObjectName
     7.173.  mibObjectDescription
     7.174.  mibObjectSyntax
     7.175.  mibModuleName
     7.176.  interface
     7.177.  iflisteners
     7.178.  physicalProtocol
     7.179.  hwAddress
     7.180.  programName
     7.181.  userId
     7.182.  inetlisteningserver
     7.183.  transportProtocol
     7.184.  localAddress
     7.185.  localPort
     7.186.  localFullAddress
     7.187.  foreignAddress
     7.188.  foreignFullAddress
     7.189.  selinuxboolean
     7.190.  selinuxName
     7.191.  currentStatus
     7.192.  pendingStatus
     7.193.  selinuxsecuritycontext
     7.194.  filepath
     7.195.  path
     7.196.  filename
     7.197.  pid
     7.198.  role
     7.199.  domainType
     7.200.  lowSensitivity
     7.201.  lowCategory
     7.202.  highSensitivity
     7.203.  highCategory
     7.204.  rawlowSensitivity
     7.205.  rawlowCategory
     7.206.  rawhighSensitivity
     7.207.  rawhighCategory
     7.208.  systemdunitdependency
     7.209.  unit
     7.210.  dependency
     7.211.  systemdunitproperty
     7.212.  property
     7.213.  systemdunitValue
     7.214.  file
     7.215.  fileType
     7.216.  groupId
     7.217.  aTime
     7.218.  cTime
     7.219.  mTime
     7.220.  size
     7.221.  suid
     7.222.  sgid
     7.223.  sticky
     7.224.  hasExtendedAcl
     7.225.  inetd
     7.226.  serverProgram
     7.227.  inetdEndpointType
     7.228.  execAsUser
     7.229.  waitStatus
     7.230.  inetAddr
     7.231.  netmask
     7.232.  passwordInfo
     7.233.  username
     7.234.  password
     7.235.  gcos
     7.236.  homeDir
     7.237.  loginShell
     7.238.  lastLogin
     7.239.  process
     7.240.  commandLine
     7.241.  ppid
     7.242.  priority
     7.243.  startTime
     7.244.  routingtable
     7.245.  destination
     7.246.  gateway
     7.247.  runlevelInfo
     7.248.  runlevel
     7.249.  start
     7.250.  kill
     7.251.  shadowItem
     7.252.  chgLst
     7.253.  chgAllow
     7.254.  chgReq
     7.255.  expWarn
     7.256.  expInact
     7.257.  expDate
     7.258.  encryptMethod
     7.259.  symlink
     7.260.  symlinkFilepath
     7.261.  canonicalPath
     7.262.  sysctl
     7.263.  kernelParameterName
     7.264.  kernelParameterValue
     7.265.  uname
     7.266.  machineClass
     7.267.  nodeName
     7.268.  osName
     7.269.  osRelease
     7.270.  processorType
     7.271.  internetService
     7.272.  serviceProtocol
     7.273.  serviceName
     7.274.  flags
     7.275.  noAccess
     7.276.  onlyFrom
     7.277.  port
     7.278.  server
     7.279.  serverArguments
     7.280.  socketType
     7.281.  registeredServiceType
     7.282.  wait
     7.283.  disabled
     7.284.  windowsView
     7.285.  fileauditedpermissions
     7.286.  trusteeName
     7.287.  auditStandardDelete
     7.288.  auditStandardReadControl
     7.289.  auditStandardWriteDac
     7.290.  auditStandardWriteOwner
     7.291.  auditStandardSynchronize
     7.292.  auditAccessSystemSecurity
     7.293.  auditGenericRead
     7.294.  auditGenericWrite
     7.295.  auditGenericExecute
     7.296.  auditGenericAll
     7.297.  auditFileReadData
     7.298.  auditFileWriteData
     7.299.  auditFileAppendData
     7.300.  auditFileReadEa
     7.301.  auditFileWriteEa
     7.302.  auditFileExecute
     7.303.  auditFileDeleteChild
     7.304.  auditFileReadAttributes
     7.305.  auditFileWriteAttributes
     7.306.  fileeffectiverights
     7.307.  standardDelete
     7.308.  standardReadControl
     7.309.  standardWriteDac
     7.310.  standardWriteOwner
     7.311.  standardSynchronize
     7.312.  accessSystemSecurity
     7.313.  genericRead
     7.314.  genericWrite
     7.315.  genericExecute
     7.316.  genericAll
     7.317.  fileReadData
     7.318.  fileWriteData
     7.319.  fileAppendData
     7.320.  fileReadEa
     7.321.  fileWriteEa
     7.322.  fileExecute
     7.323.  fileDeleteChild
     7.324.  fileReadAttributes
     7.325.  fileWriteAttributes
     7.326.  groupInfo
     7.327.  group
     7.328.  subgroup
     7.329.  groupSidInfo
     7.330.  userSidInfo
     7.331.  userSid
     7.332.  subgroupSid
     7.333.  lockoutpolicy
     7.334.  forceLogoff
     7.335.  lockoutDuration
     7.336.  lockoutObservationWindow
     7.337.  lockoutThreshold
     7.338.  passwordpolicy
     7.339.  maxPasswdAge
     7.340.  minPasswdAge
     7.341.  minPasswdLen
     7.342.  passwordHistLen
     7.343.  passwordComplexity
     7.344.  reversibleEncryption
     7.345.  portInfo
     7.346.  foreignPort
     7.347.  printereffectiverights
     7.348.  printerName
     7.349.  printerAccessAdminister
     7.350.  printerAccessUse
     7.351.  jobAccessAdminister
     7.352.  jobAccessRead
     7.353.  registry
     7.354.  registryHive
     7.355.  registryKey
     7.356.  registryKeyName
     7.357.  lastWriteTime
     7.358.  registryKeyType
     7.359.  registryKeyValue
     7.360.  regkeyauditedpermissions
     7.361.  auditKeyQueryValue
     7.362.  auditKeySetValue
     7.363.  auditKeyCreateSubKey
     7.364.  auditKeyEnumerateSubKeys
     7.365.  auditKeyNotify
     7.366.  auditKeyCreateLink
     7.367.  auditKeyWow6464Key
     7.368.  auditKeyWow6432Key
     7.369.  auditKeyWow64Res
     7.370.  regkeyeffectiverights
     7.371.  keyQueryValue
     7.372.  keySetValue
     7.373.  keyCreateSubKey
     7.374.  keyEnumerateSubKeys
     7.375.  keyNotify
     7.376.  keyCreateLink
     7.377.  keyWow6464Key
     7.378.  keyWow6432Key
     7.379.  keyWow64Res
     7.380.  service
     7.381.  displayName
     7.382.  description
     7.383.  serviceType
     7.384.  startType
     7.385.  currentState
     7.386.  controlsAccepted
     7.387.  startName
     7.388.  serviceFlag
     7.389.  dependencies
     7.390.  serviceeffectiverights
     7.391.  trusteeSid
     7.392.  serviceQueryConf
     7.393.  serviceChangeConf
     7.394.  serviceQueryStat
     7.395.  serviceEnumDependents
     7.396.  serviceStart
     7.397.  serviceStop
     7.398.  servicePause
     7.399.  serviceInterrogate
     7.400.  serviceUserDefined
     7.401.  sharedresourceauditedpermissions
     7.402.  netname
. . . . . . . . . . . . . . . 143 500 7.403. sharedresourceeffectiverights . . . . . . . . . . . . . 143 501 7.404. user . . . . . . . . . . . . . . . . . . . . . . . . . . 144 502 7.405. enabled . . . . . . . . . . . . . . . . . . . . . . . . 144 503 7.406. lastLogon . . . . . . . . . . . . . . . . . . . . . . . 144 504 7.407. groupSid . . . . . . . . . . . . . . . . . . . . . . . . 144 505 7.408. endpointType . . . . . . . . . . . . . . . . . . . . . . 144 506 7.409. endpointPurpose . . . . . . . . . . . . . . . . . . . . 145 507 7.410. endpointCriticality . . . . . . . . . . . . . . . . . . 145 508 7.411. ingestTimestamp . . . . . . . . . . . . . . . . . . . . 145 509 7.412. vulnerabilityVersion . . . . . . . . . . . . . . . . . . 146 510 7.413. vulnerabilityExternalId . . . . . . . . . . . . . . . . 146 511 7.414. vulnerabilitySeverity . . . . . . . . . . . . . . . . . 146 512 7.415. assessmentTimestamp . . . . . . . . . . . . . . . . . . 146 513 7.416. vulnerableSoftware . . . . . . . . . . . . . . . . . . . 146 514 7.417. endpointVulnerabilityStatus . . . . . . . . . . . . . . 147 515 7.418. vulnerabilityDescription . . . . . . . . . . . . . . . . 147 516 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 147 517 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 148 518 10. Security Considerations . . . . . . . . . . . . . . . . . . . 148 519 11. Operational Considerations . . . . . . . . . . . . . . . . . 149 520 11.1. Endpoint Designation . . . . . . . . . . . . . . . . . . 149 521 11.2. Timestamp Accuracy . . . . . . . . . . . . . . . . . . . 150 522 12. Privacy Considerations . . . . . . . . . . . . . . . . . . . 151 523 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 151 524 13.1. Normative References . . . . . . . . . . . . . . . . . . 151 525 13.2. Informative References . . . . . . . . . . . . . . . . . 151 527 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 152 528 A.1. 
Changes in Revision 01 . . . . . . . . . . . . . . . . . 152 529 A.2. Changes in Revision 02 . . . . . . . . . . . . . . . . . 154 530 A.3. Changes in Revision 03 . . . . . . . . . . . . . . . . . 154 531 A.4. Changes in Revision 04 . . . . . . . . . . . . . . . . . 154 532 A.5. Changes in Revision 05 . . . . . . . . . . . . . . . . . 155 533 A.6. Changes in Revision 06 . . . . . . . . . . . . . . . . . 155 534 A.7. Changes in Revision 07 . . . . . . . . . . . . . . . . . 155 535 A.8. Changes in Revision 08 . . . . . . . . . . . . . . . . . 156 536 A.9. Changes in Revision 09 . . . . . . . . . . . . . . . . . 156 537 A.10. Changes in Revision 10 . . . . . . . . . . . . . . . . . 157 538 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 157 540 1. Introduction 542 The SACM Information Model (IM) serves multiple purposes: 544 o to ensure interoperability between SACM data models that are used 545 as transport encodings, 547 o to provide a standardized set of Information Elements - the SACM 548 Vocabulary - to enable the exchange of content vital to automated 549 security posture assessment, and 551 o to enable secure information sharing in a scalable and extensible 552 fashion in order to support the tasks conducted by SACM 553 components. 555 A complete set of requirements imposed on the IM can be found in 556 [I-D.ietf-sacm-requirements]. The SACM IM is intended to be used for 557 standardized data exchange between SACM components (data in motion). 558 Nevertheless, the Information Elements (IE) and their relationships 559 defined in this document can be leveraged to create and align 560 corresponding data models for data at rest. 562 The information model expresses, for example, target endpoint (TE) 563 attributes, guidance, and evaluation results. The corresponding 564 Information Elements are consumed and produced by SACM components as 565 they carry out tasks. 

   The primary tasks that this information model supports (on data,
   control, and management plane) are:

   o  TE Discovery

   o  TE Characterization

   o  TE Classification

   o  Collection

   o  Evaluation

   o  Information Sharing

   o  SACM Component Discovery

   o  SACM Component Authentication

   o  SACM Component Authorization

   o  SACM Component Registration

   These tasks are defined in [I-D.ietf-sacm-terminology].

2.  Conventions used in this document

2.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.2.  Information Element Examples

   The notation used to define the SACM Information Elements (IEs) is
   based on a customized version of the IPFIX information model syntax
   [RFC7012] which is described in Figure 2.  However, there are several
   examples presented throughout the document that use a simplified
   pseudo-code to illustrate the basic structure.  It should be noted
   that while they include actual names of subjects and attributes as
   well as values, they are not intended to influence how corresponding
   SACM IEs should be defined in Section 7.  The examples are provided
   for demonstration purposes only.

3.  Information Elements

   The IEs defined in this document comprise the building blocks by
   which all SACM content is composed.  They are consumed and provided
   by SACM components on the data plane.  Every Information Element has
   a unique label: its name.  Every type of IE defined by the SACM IM is
   registered as a type at the IANA registry.  The Integer Index of the
   IANA SMI number tables can be used by SACM data models.

3.1.  Context of Information Elements

   The IEs in this information model represent information related to
   assets in the following areas (based on the use cases described in
   [RFC7632]):

   o  Endpoint Management

   o  Software Inventory Management

   o  Hardware Inventory Management

   o  Configuration Management

   o  Vulnerability Management

3.2.  Extensibility of Information Elements

   A SACM data model based on this information model MAY include
   additional information elements that are not defined here.  The
   labels of additional Information Elements included in different SACM
   data models MUST NOT conflict with the labels of the Information
   Elements defined by this information model, and the names of
   additional Information Elements MUST NOT conflict with each other or
   across multiple data models.  In order to avoid naming conflicts, the
   labels of additional IEs SHOULD be prefixed to avoid collisions
   across extensions.  The prefix MUST include an organizational
   identifier and therefore, for example, MAY be an IANA enterprise
   number, a (partial) name space URI, or an organization name
   abbreviation.

4.  Structure of Information Elements

   There are two basic types of IEs:

   o  Attributes: Atomic information elements that are equivalent to
      name-value-pairs and can be components of Subjects.

   o  Subjects: Composite information elements that have a name and are
      made up of Attributes and/or other Subjects.  Every IE that is
      part of a Subject can have a quantity associated with it (e.g.
      zero-one, none-unbounded).  The content IEs of a Subject can be
      ordered or unordered.

   Example Instance of an Attribute:
   hostname = "arbutus"

   Example Instance of a Subject:
   coordinates = (
     latitude = N27.99619,
     longitude = E86.92761
   )

       Figure 1: Example instance of an attribute and subject.

   In general, every piece of information that enables security posture
   assessment or further enriches the quality of the assessment process
   can be associated with metadata.  In the SACM IM, metadata is
   represented by specific subjects and is bundled with other attributes
   or subjects to provide additional information about them.  The IM
   explicitly defines two kinds of metadata:

   o  Metadata focusing on the data origin (the SACM component that
      provides the information to the SACM domain)

   o  Metadata focusing on the data source (the target endpoint that is
      assessed)

   Metadata can also include relationships that refer to other
   associated IEs (or SACM content in general) by using referencing
   labels that have to be included in the metadata of the associated IE.

   Subjects can be nested and the SACM IM allows for circular or
   recursive nesting.  The association of IEs via nesting results in a
   tree-like structure wherein subjects compose the root and
   intermediary nodes and attributes the leaves of the tree.  This
   semantic structure does not impose a specific structure on SACM data
   models regarding data in motion or data repository schemata for data
   at rest.

   The SACM IM provides two conceptual top-level subjects that are used
   to ensure a homogeneous structure for SACM content and its associated
   metadata: SACM statements and SACM content-elements.  Every set of
   IEs that is provided by a SACM component must provide the information
   contained in these two subjects although it is up to the implementer
   whether or not the subjects are explicitly defined in a data model.

   The notation the SACM IM is defined in is based on a modified version
   of the IP Information Flow Export (IPFIX) Information Model syntax
   described in Section 2.1 of [RFC7012].  The customized syntax used by
   the SACM IM is defined below in Figure 2.

   elementId (required):     The numeric identifier of the
                             Information Element.  It is used
                             for the compact identification
                             of an Information Element.  If
                             this identifier is used without
                             an enterpriseID, then the
                             elementId must be unique, and
                             the description of allowed values
                             is administrated by IANA.  The
                             value "TBD" may be used during
                             development of the information
                             model until an elementId is
                             assigned by IANA and filled
                             in at publication time.

   enterpriseId (optional):  Enterprises may wish to define
                             Information Elements without
                             registering them with IANA, for
                             example, for enterprise-internal
                             purposes.  For such Information
                             Elements, the elementId is
                             not sufficient when used
                             outside the enterprise.  If
                             specifications of enterprise-
                             specific Information Elements
                             are made public and/or if
                             enterprise-specific identifiers
                             are used by SACM components
                             outside the enterprise, then the
                             enterprise-specific identifier
                             MUST be made globally unique by
                             combining it with an enterprise
                             identifier.  Valid values for the
                             enterpriseId are defined by IANA
                             as Structure of Management
                             Information (SMI) network management
                             private enterprise numbers.

   name (required):          A unique and meaningful name for
                             the Information Element.

   dataType (required):      There are two kinds of datatypes:
                             simple and structured.  Attributes are
                             defined using simple datatypes
                             and subjects are defined using
                             structured datatypes.  The contents of
                             the datatype field will be either
                             a reference to one of the simple
                             datatypes listed in Section
                             5.1, or the specification of a
                             structured datatype as defined in
                             Section 5.2.

   status (required):        The status of the specification
                             of the Information Element.
                             Allowed values are "current" and
                             "deprecated".  All newly defined
                             Information Elements have "current"
                             status.  The process for moving
                             Information Elements to the
                             "deprecated" status is TBD.

   description (required):   Describes the meaning of the
                             Information Element, how it is
                             derived, conditions for its use,
                             etc.

   structure (optional):     A parsable property that provides
                             details about the definition of
                             structured Information Elements as
                             described in Section 5.2.

   references (optional):    Identifies other RFCs or documents
                             outside the IETF which provide
                             additional information or context
                             about the Information Element.

          Figure 2: Information Element Specification Template

4.1.  Information Element Naming Convention

   SACM Information Elements must adhere to the following naming
   conventions.

   o  Names SHOULD be descriptive

   o  Names MUST be unique within the SACM registry.  Enterprise-
      specific names SHOULD be prefixed with a Private Enterprise Number
      [PEN].

   o  Names MUST start with lowercase letters unless they begin with a
      Private Enterprise Number

   o  Composed names MUST use capital letters for the first letter of
      each part

4.2.  SACM Content Elements

   Every piece of information that is provided by a SACM Component is
   always associated with a set of data source metadata (e.g. the
   timestamp when the information was collected, the target endpoint
   that this set of information is about, etc.) which is provided in
   the SACM Content Element Metadata.  The SACM Content Element is the
   subject information element that associates the information with the
   SACM Content Element Metadata.  The SACM Content Element Metadata may
   also include relationships that express associations with other SACM
   Content Elements.

   content-element = (
     content-metadata = (
       collection-timestamp = 146193322,
       data-source = fb02e551-7101-4e68-8dec-1fde6bd10981
     ),
     hostname = "arbutus",
     coordinates = (
       latitude = N27.99619,
       longitude = E86.92761
     )
   )

   Figure 3: Example set of IEs associated with a timestamp and a target
                            endpoint label.

4.3.  SACM Statements

   One or more SACM Content Elements are bundled in a SACM Statement.
   In contrast to SACM Content Element Metadata, SACM Statement Metadata
   focuses on providing information about the SACM Component that
   provided it rather than the target endpoint that the content is
   about.  The only content-specific metadata included in the SACM
   Statement is the statement-type IE.  Therefore, multiple SACM Content
   Elements that share the same SACM Statement Metadata and are of the
   same statement-type can be included in a single SACM Statement.  A
   SACM Statement functions similarly to an envelope or a header and is
   the subject information element that associates SACM Statement
   Metadata with security automation information provided in its SACM
   Content Element(s).  Its purpose is to enable the tracking of the
   origin of data inside a SACM domain and more importantly to enable
   the mitigation of conflicting information that may originate from
   different SACM Components.  How a consuming SACM Component actually
   deals with conflicting information is out of scope for the SACM IM.
   Semantically, the term statement implies that the SACM content
   provided by a SACM Component might not be correct in every context,
   but rather is the result of a best effort to produce correct
   information.
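
   The following is an added example, not part of the draft: a sketch of
   how a consuming component can use the data-origin in the statement
   metadata to detect conflicting content about one target endpoint.
   The dict encoding and the "content-elements" list key are assumptions
   made for this sketch; the sample values mirror those in Figure 5.

```python
from collections import defaultdict

# The draft's figures name the target endpoint with either of these
# content-metadata keys (Figure 5 uses both for the same label).
ENDPOINT_KEYS = ("data-source", "te-label")


def flatten(subject, prefix=""):
    """Yield (path, value) for every attribute (leaf) of a nested subject."""
    for name, value in subject.items():
        path = f"{prefix}.{name}" if prefix else name
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value


def find_conflicts(statements):
    """Map (endpoint, attribute path) -> {value: set of data-origins} for
    attributes that different SACM components report with different values."""
    seen = defaultdict(lambda: defaultdict(set))
    for statement in statements:
        origin = statement["statement-metadata"]["data-origin"]
        # "content-elements" is this sketch's own key (an assumption).
        for element in statement["content-elements"]:
            metadata = element["content-metadata"]
            endpoint = next(
                (metadata[k] for k in ENDPOINT_KEYS if k in metadata), None)
            if endpoint is None:
                continue  # content cannot be tied to a target endpoint
            content = {k: v for k, v in element.items()
                       if k != "content-metadata"}
            for path, value in flatten(content):
                seen[(endpoint, path)][value].add(origin)

    conflicts = {}
    for key, by_value in seen.items():
        origins = set().union(*by_value.values())
        # A single origin reporting two values is a change over time,
        # not a disagreement between components.
        if len(by_value) > 1 and len(origins) > 1:
            conflicts[key] = {v: set(o) for v, o in by_value.items()}
    return conflicts


ENDPOINT = "fb02e551-7101-4e68-8dec-1fde6bd10981"
ORIGIN_A = "24e67957-3d31-4878-8892-da2b35e121c2"
ORIGIN_B = "e42885a1-0270-44e9-bb5c-865cf6bd4800"

# Constructed sample input; the values mirror the draft's figures.
SAMPLE_STATEMENTS = [
    {
        "statement-metadata": {
            "publish-timestamp": 1461934031,
            "data-origin": ORIGIN_A,
            "statement-type": "observation",
        },
        "content-elements": [{
            "content-metadata": {
                "collection-timestamp": 146193322,
                "data-source": ENDPOINT,
            },
            "hostname": "arbutus",
            "coordinates": {"latitude": "N27.99619",
                            "longitude": "E86.92761"},
        }],
    },
    {
        "statement-metadata": {
            "publish-timestamp": 1461934744,
            "data-origin": ORIGIN_B,
            "statement-type": "observation",
        },
        "content-elements": [{
            "content-metadata": {
                "collection-timestamp": 146193821,
                "te-label": ENDPOINT,
            },
            "coordinates": {"latitude": "N16.67622",
                            "longitude": "E141.55321"},
        }],
    },
]

if __name__ == "__main__":
    found = find_conflicts(SAMPLE_STATEMENTS)
    for (endpoint, path), by_value in sorted(found.items()):
        print(endpoint, path, {v: sorted(o) for v, o in by_value.items()})
```

   The function only reports which origins disagree; how to resolve the
   disagreement is left to the consumer, as the draft states.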

   sacm-statement = (
     statement-metadata = (
       publish-timestamp = 1461934031,
       data-origin = 24e67957-3d31-4878-8892-da2b35e121c2,
       statement-type = observation
     ),
     content-element = (
       content-metadata = (
         collection-timestamp = 146193322,
         data-source = fb02e551-7101-4e68-8dec-1fde6bd10981
       ),
       hostname = "arbutus"
     )
   )

     Figure 4: Example of a simple SACM statement including a single
                            content-element.

   sacm-statement = (
     statement-metadata = (
       publish-timestamp = 1461934031,
       data-origin = 24e67957-3d31-4878-8892-da2b35e121c2,
       statement-type = observation
     ),
     content-element = (
       content-metadata = (
         collection-timestamp = 146193322,
         data-source = fb02e551-7101-4e68-8dec-1fde6bd10981
       ),
       coordinates = (
         latitude = N27.99619,
         longitude = E86.92761
       )
     )
   )

   sacm-statement = (
     statement-metadata = (
       publish-timestamp = 1461934744,
       data-origin = e42885a1-0270-44e9-bb5c-865cf6bd4800,
       statement-type = observation
     ),
     content-element = (
       content-metadata = (
         collection-timestamp = 146193821,
         te-label = fb02e551-7101-4e68-8dec-1fde6bd10981
       ),
       coordinates = (
         latitude = N16.67622,
         longitude = E141.55321
       )
     )
   )

     Figure 5: Example of conflicting information originating from
                       different SACM components.

4.4.  Relationships

   An IE can be associated with another IE, e.g. a user-name attribute
   can be associated with a content-authorization subject.  These
   references are expressed via the relationships subject, which can be
   included in a corresponding content-metadata subject.  The
   relationships subject includes a list of one or more references.  The
   SACM IM does not enforce a SACM domain to use unique identifiers as
   references.
   Therefore, there are at least two ways to reference
   another

   o  The value of a reference represents a specific content-label that
      is unique in a SACM domain (and has to be included in the
      corresponding content-element metadata in order to be referenced),
      or

   o  The reference is a subject that includes an appropriate number of
      IEs in order to identify the referenced content-element by its
      actual content.

   It is recommended to provide unique identifiers in a SACM domain and
   the SACM IM provides a corresponding naming-convention as a reference
   in Section 4.1.  The alternative highlighted above summarizes a valid
   approach that does not require unique identifiers and is similar to
   the approach of referencing target endpoints via identifying
   attributes included in a characterization record.

   content-element = (
     content-metadata = (
       collection-timestamp = 1461934031,
       te-label =
         fb02e551-7101-4e68-8dec-1fde6bd10981,
       relationships = (
         associated-with-user-account =
           f3d70ef4-7e18-42af-a894-8955ba87c95d
       )
     ),
     hostname = "arbutus"
   )

   content-element = (
     content-metadata = (
       content-label = f3d70ef4-7e18-42af-a894-8955ba87c95d
     ),
     user-account = (
       username = romeo,
       authentication = local
     )
   )

   Figure 6: Example instance of a content-element subject associated
            with another subject via its content metadata.

4.5.  Event

   Event subjects provide a structure to represent the change of IE
   values that was detected by a collection task at a specific point in
   time.  It is mandatory to include the new values and the collection
   timestamp in an event subject and it is recommended to include the
   past values and a collection timestamp that were replaced by the new
   IE values.
   Every event can also be associated with a subject-
   specific event-timestamp and a lastseen-timestamp that might differ
   from the corresponding collection-timestamps.  If these are omitted,
   the collection-timestamp that is included in the content-metadata
   subject is used instead.

   sacm-statement = (
     statement-metadata = (
       publish-timestamp = 1461934031,
       data-origin = 24e67957-3d31-4878-8892-da2b35e121c2,
       statement-type = event
     ),
     event = (
       event-attributes = (
         event-name = "host-name change",
         content-element = (
           content-metadata = (
             collection-timestamp = 146193322,
             data-source =
               fb02e551-7101-4e68-8dec-1fde6bd10981,
             event-component = past-state
           ),
           hostname = "arbutus"
         ),
         content-element = (
           content-metadata = (
             collection-timestamp = 146195723,
             data-source =
               fb02e551-7101-4e68-8dec-1fde6bd10981,
             event-component = current-state
           ),
           hostname = "lilac"
         )
       )
     )
   )

      Figure 7: Example of a SACM statement containing an event.

4.6.  Categories

   Categories are special IEs that refer to multiple types of IEs via
   just one name.  Therefore, they are similar to a type-choice.  A
   prominent example of a category is when identifying a target
   endpoint.  In some cases, a target endpoint will be identified by a
   set of identifying attributes and in other cases a target endpoint
   will be identified by a target endpoint label which is unique within
   a SACM domain.  If a subject includes the targetEndpoint information
   element as one of its components, any of the category members
   (targetEndpointIdentifier or targetEndpointLabel) are valid to be
   used in its place.

5.  Abstract Data Types

   This section describes the set of valid abstract data types that can
   be used for the specification of the SACM Information Elements in
   Section 7.
   SACM currently supports two classes of datatypes that can
   be used to define Information Elements.

   o  Simple: Datatypes that are atomic and are used to define the type
      of data represented by an attribute Information Element.

   o  Structured: Datatypes that can be used to define the type of data
      represented by a subject Information Element.

   Note that further abstract data types may be specified by future
   extensions of the SACM information model.

5.1.  Simple Datatypes

5.1.1.  IPFIX Datatypes

   To facilitate the use of existing work, SACM supports the following
   abstract data types defined in Section 3 of [RFC7012].

   o  unsigned8, unsigned16, unsigned32, unsigned64

   o  signed8, signed16, signed32, signed64

   o  float32, float64

   o  boolean

   o  macAddress

   o  octetArray

   o  string

   o  dateTimeSeconds, dateTimeMilliseconds, dateTimeMicroseconds,
      dateTimeNanoSeconds

   o  ipv4Address, ipv6Address

5.2.  Structured Datatypes

5.2.1.  List Datatypes

   SACM defines the following abstract list data types that are used to
   represent the structured data associated with subjects.

   o  list: indicates that the Information Element order is not
      significant but MAY be preserved.

   o  orderedList: indicates that Information Element order is
      significant and MUST be preserved.

   The notation for defining a SACM structured datatype is based on
   regular expressions, which are composed of the keywords "list" or
   "orderedList" and an Information Element expression.  IE expressions
   use some of the regular expression syntax and operators, but the
   terms in the expression are the names of defined Information Elements
   instead of character classes.  The syntax for defining list and
   orderedList datatypes is described below, using BNF:

    -> ("list"|"orderedList") "(" ")"

    -> ?
       ( ("," | "|") ?)*

    -> "*" | "+" | "?" |
       ( "(" ("," )? ")" )

             Figure 8: Syntax for Defining List Datatypes

   As seen above, multiple occurrences of an Information Element may be
   present in a structured datatype.  The cardinality of an Information
   Element within a structured Information Element definition is defined
   by the following operators:

   * - zero or more occurrences

   + - one or more occurrences

   ? - zero or one occurrence

   (m,n) - between m and n occurrences

       Figure 9: Specifying Cardinality for Structured Datatypes

   The absence of a cardinality operator implies one mandatory
   occurrence of the Information Element.

   Below is an example of a structured Information Element definition.

   personInfo = list(firstName, middleNames?, lastName)
   firstName = string
   middleNames = orderedList(middleName+)
   middleName = string
   lastName = string

   As an example, consider the name "John Ronald Reuel Tolkien".
   Below are instances of this name, structured according to the
   personInfo definition.

   personInfo = (firstName="John", middleNames(middleName="Ronald",
                 middleName="Reuel"), lastName="Tolkien")

   personInfo = (middleNames(middleName="Ronald", middleName="Reuel"),
                 lastName="Tolkien", firstName="John")

   The instance below is not legal with respect to the definition
   of personInfo because the order in middleNames is not preserved.

   personInfo = (firstName="John", middleNames(middleName="Reuel",
                 middleName="Ronald"), lastName="Tolkien")

      Figure 10: Example of Defining a Structured List Datatype

5.2.2.  Enumeration Datatype

   SACM defines the following abstract enumeration datatype that is used
   to represent the restriction of an attribute value to a set of
   values.

   name, hex-value, description
    -> -> ";" ";"
    -> [0-9a-zA-Z]+
    -> 0x[0-9a-fA-F]+
    -> [0-9a-zA-Z\.\,]+

        Figure 11: Syntax for Defining an Enumeration Datatype

   Below is an example of a structured Information Element definition
   for an enumeration.

   Red    ; 0x1 ; The color is red.
   Orange ; 0x2 ; The color is orange.
   Yellow ; 0x3 ; The color is yellow.
   Green  ; 0x4 ; The color is green.
   ...

   Figure 12: Example of Defining a Structured Enumeration Datatype

5.2.3.  Category Datatype

   SACM defines the following abstract category datatype that is used to
   represent a type-choice between a set of information elements.

    -> "category(" ")"
    -> ("|" )*
    -> [0-9a-zA-Z]+

          Figure 13: Syntax for Defining a Category Datatype

   Below is an example of a structured Information Element definition
   for a category.

   targetEndpoint = category(targetEndpointIdentifier |
                             targetEndpointLabel)

     Figure 14: Example of Defining a Structured Category Datatype

6.  Information Model Assets

   In order to represent the Information Elements related to the areas
   listed in Section 3.1, the information model defines the information
   needs (or metadata about those information needs) related to the
   following types of assets, which are of interest to SACM and are
   defined in [I-D.ietf-sacm-terminology] (and included below for
   convenience).  Specifically:

   o  Endpoint

   o  Software Component

   o  Hardware Component

   o  Identity

   o  Guidance

   o  Evaluation Results

   The following figure shows the makeup of an Endpoint asset, which
   contains zero or more hardware components and zero or more software
   components, each of which may have zero or more instances running on
   an endpoint at any given time, as well as zero or more identities
   that act on behalf of the endpoint when interfacing with other
   endpoints, tools, or services.
   An endpoint may also contain other endpoints in
   the case of a virtualized environment.

   +---------+*______in>_______*+-----+
   |Hardware |                  |!   !|
   |Component|   +---------+    |!   !|
   +---------+   |Software |in> |!   !|
                 |Component|____|!   !|
                 +---------+*  *|!   !|
                     1|         |!   !|
                     *|         |     |       +----------+
                 +---------+    |End- |*_____*| Identity |
                 |Software |in> |point| acts  +----------+
                 |Instance |____|     | for>
                 +---------+*  1|!   !|
                                |!   !|
                                |!   !|
                                |!   !|
                                |!   !|____
                                |!   !|0..1|
                                +-----+    |
                                   |*      |
                                   |_______|
                                      in>

                    Figure 15: Model of an Endpoint

6.1.  Asset

   As defined in [RFC4949], an asset is a system resource that is (a)
   required to be protected by an information system's security policy,
   (b) intended to be protected by a countermeasure, or (c) required for
   a system's mission.

   In the scope of SACM, an asset can be composed of other assets.
   Examples of Assets include: Endpoints, Software, Guidance, or
   Identity.  Furthermore, an asset is not necessarily owned by an
   organization.

6.2.  Endpoint

   From [RFC5209], an endpoint is any computing device that can be
   connected to a network.  Such devices normally are associated with a
   particular link layer address before joining the network and
   potentially an IP address once on the network.  This includes:
   laptops, desktops, servers, cell phones, or any device that may have
   an IP address.

   To further clarify, an endpoint is any physical or virtual device
   that may have a network address.  Note that, network infrastructure
   devices (e.g. switches, routers, firewalls), which fit the
   definition, are also considered to be endpoints within this document.

   Physical endpoints are always composites that are composed of
   hardware components and software components.
   Virtual endpoints are
   composed entirely of software components and rely on software
   components that provide functions equivalent to hardware components.

   The SACM architecture differentiates two essential categories of
   endpoints: Endpoints whose security posture is intended to be
   assessed (target endpoints) and endpoints that are specifically
   excluded from endpoint posture assessment (excluded endpoints).

6.3.  Hardware Component

   Hardware components are the distinguishable physical components that
   compose an endpoint.  The composition of an endpoint can be changed
   over time by adding or removing hardware components.  In essence,
   every physical endpoint is potentially a composite of multiple
   hardware components, typically resulting in a hierarchical
   composition of hardware components.  The composition of hardware
   components is based on interconnects provided by specific hardware
   types (e.g. mainboard is a hardware type that provides local busses
   as an interconnect).  In general, a hardware component can be
   distinguished by its serial number.

   Examples of hardware components include: motherboards, network
   interfaces, graphics cards, hard drives, etc.

6.4.  Software Component

   A software package installed on an endpoint (including the operating
   system) as well as a unique serial number if present (e.g. a text
   editor associated with a unique license key).

   It should be noted that this includes both benign and harmful
   software packages.  Examples of benign software components include:
   applications, patches, operating system kernel, boot loader,
   firmware, code embedded on a webpage, etc.  Examples of malicious
   software components include: malware, trojans, viruses, etc.

6.4.1.  Software Instance

   A running instance of the software component (e.g. on a multi-user
   system, one logged-in user has one instance of a text editor running
   and another logged-in user has another instance of the same text
   editor running, or on a single-user system, a user could have
   multiple independent instances of the same text editor running).

6.5.  Identity

   Any mechanism that can be used to identify an asset during an
   authentication process.  Examples include usernames, user and device
   certificates, etc.  Note that this is different from the identity of
   assets in the context of designation as described in Section 11.1.

6.6.  Guidance

   Guidance is input instructions to processes and tasks, such as
   collection or evaluation.  Guidance influences the behavior of a SACM
   component and is considered content of the management plane.
   Guidance can be manually or automatically generated or provided.
   Typically, the tasks that provide guidance to SACM components have a
   low frequency and tend to be sporadic.  Target endpoint profiles are
   a prominent example of guidance, but guidance can have many forms,
   including:

      Configuration, e.g. a SACM component's name, or a CMDB's IPv6
      address.

      Profiles, e.g. a set of expected states for network behavior
      associated with target endpoints employed by specific users.

      Policies, e.g. an interval to refresh the registration of a SACM
      component, or a list of required capabilities for SACM components
      in a specific location.

6.6.1.  Collection Guidance

   A collector may need guidance to govern what it collects and when.
   Collection Guidance provides instructions for a Collector that
   specifies which endpoint attributes to collect, when to collect them,
   and how to collect them.  Collection Guidance is composed of Target
   Endpoint Attribute Guidance, Frequency Guidance, and Method Guidance.
1346 o Target Endpoint Attribute Guidance: Set of endpoint attributes 1347 that are supposed to be collected from a target endpoint. The 1348 definition of the set of endpoint attributes is typically based on 1349 an endpoint characterization record. 1351 o Frequency Guidance: Specifies when endpoint attributes are to be 1352 collected. 1354 o Method Guidance: Indicates how endpoint attributes are to be 1355 collected. 1357 6.6.2. Evaluation Guidance 1359 An evaluator typically needs guidance to govern what it considers to 1360 be a good or bad security posture. Evaluation Guidance provides 1361 instructions for an Evaluator that specifies which endpoint 1362 attributes to evaluate, the desired state of those endpoint 1363 attributes, and any special requirements that enable an Evaluator to 1364 determine if the endpoint attributes can be used in the evaluation 1365 (e.g. freshness of data, how it was collected, etc.). Evaluation 1366 Guidance is composed of Target Endpoint Attribute Guidance, Expected 1367 Endpoint Attribute Value Guidance, and Frequency Guidance. 1369 o Target Endpoint Attribute Guidance: Set of target endpoint 1370 attributes that are supposed to be used in an evaluation as well 1371 as any requirements on the endpoint attributes. The definition of 1372 the set of endpoint attributes is typically based on an endpoint 1373 characterization record. 1375 o Expected Endpoint Attribute Value Guidance: The expected values of 1376 the endpoint attributes described in the Target Endpoint Attribute 1377 Guidance. 1379 o Frequency Guidance: Specifies when endpoint attributes are to be 1380 evaluated. 1382 o Method Guidance: Indicates how endpoint attributes are to be 1383 collected. 1385 6.6.3. Classification Guidance 1387 A SACM Component carrying out the Target Endpoint Classification Task 1388 may need guidance on how to classify an endpoint. 
Specifically, how 1389 to associate endpoint classes with a specific target endpoint 1390 characterization record. Target Endpoint Classes function as 1391 guidance for collection, evaluation, remediation and security posture 1392 assessment in general. Classification Guidance is composed of Target 1393 Endpoint Attribute Guidance and Class Guidance. 1395 o Target Endpoint Attribute Guidance: Set of target endpoint 1396 attributes that are supposed to be used to identify the endpoint 1397 characterization record. 1399 o Class Guidance: A list of target endpoint classes that are to be 1400 associated with the identified target endpoint characterization 1401 record. 1403 6.6.4. Storage Guidance 1405 An SACM Component typically needs guidance to govern what information 1406 it should store and where. Storage Guidance provides instructions 1407 for a SACM Component that specifies which security automation 1408 information should be stored, for how long, and on which endpoint. 1409 Storage Guidance is composed of Target Endpoint Attribute Guidance, 1410 Expected Security Automation Information Guidance, and Retention 1411 Guidance. 1413 o Target Endpoint Attribute Guidance: Set of target endpoint 1414 attributes that are supposed to be used to identify the endpoint 1415 where the security automation information is to be stored. 1417 o Expected Security Automation Information Guidance: The security 1418 automation information that is expected to be stored (guidance, 1419 collected posture attributes, results, etc.). 1421 o Retention Guidance: Specifies how long the security automation 1422 information should be stored. 1424 6.6.5. Evaluation Results 1426 Evaluation Results are the output of comparing the actual state of an 1427 endpoint against the expected state of an endpoint. 
In addition to 1428 the actual results of the comparison, Evaluation Results should 1429 include the Evaluation Guidance and actual target endpoint attributes 1430 values used to perform the evaluation. 1432 7. Information Model Elements 1434 This section defines the specific Information Elements and 1435 relationships that will be implemented by data models and transported 1436 between SACM Components. 1438 7.1. sacmStatement 1440 elementId: TBD 1441 name: sacmStatement 1442 dataType: orderedList 1443 status: current 1444 description: Associates SACM Statement Metadata 1445 which provides data origin information about 1446 the providing SACM Component with one or more 1447 SACM Content Elements that contain security 1448 automation information. 1449 structure: orderedList(sacmStatementMetadata, 1450 sacmContentElement+) 1452 7.2. sacmStatementMetadata 1454 elementId: TBD 1455 name: sacmStatementMetadata 1456 dataType: orderedList 1457 status: current 1458 description: Contains IEs that provide 1459 information about the data origin of the 1460 providing SACM Component as well as the 1461 information necessary for other SACM 1462 Components to understand the type of 1463 security automation information in the 1464 SACM Statement's SACM Content Element(s). 1465 structure: orderedList(publicationTimestamp, 1466 dataOrigin, anyIE*) 1468 7.3. sacmContentElement 1470 elementId: TBD 1471 name: sacmContentElement 1472 dataType: list 1473 status: current 1474 description: Associates SACM Content Element 1475 Metadata which provides information about the 1476 data source and type of security automation 1477 information with the actual security automation 1478 information. 1479 structure: TODO 1481 7.4. 
sacmContentElementMetadata 1483 elementId: TBD 1484 name: sacmContentElementMetadata 1485 dataType: orderedList 1486 status: current 1487 description: Contains IEs that provide 1488 information about the data source and type of 1489 security automation information such that other 1490 SACM Components are able to parse and understand 1491 the security automation information contained 1492 within the SACM Statement's SACM Content Element(s). 1493 structure: orderedList(collectionTimestamp, 1494 targetEndpoint, anyIE*) 1496 7.5. targetEndpoint 1498 elementId: TBD 1499 name: targetEndpoint 1500 dataType: category 1501 status: current 1502 description: Information that identifies a target 1503 endpoint on the network. This may be a set of 1504 attributes that can be used to identify an endpoint 1505 on the network or a label that is unique to a SACM 1506 domain. 1507 structure: category(targetEndpointIdentifier | 1508 targetEndpointLabel) 1510 7.6. targetEndpointIdentifier 1512 elementId: TBD 1513 name: targetEndpointIdentifier 1514 dataType: list 1515 status: current 1516 description: A set of attributes that uniquely 1517 identify a target endpoint on the network. 1518 structure: list(anyIE+) 1520 7.7. targetEndpointLabel 1522 elementId: TBD 1523 name: targetEndpointLabel 1524 dataType: string 1525 status: current 1526 description: A label that uniquely identifies 1527 a target endpoint on SACM domain. 1529 7.8. anyIE 1531 elementId: TBD 1532 name: anyIE 1533 dataType: category 1534 status: current 1535 description: This category is a placeholder 1536 for any information element defined within 1537 the SACM Information Model. Its purpose is 1538 to provide an extension point in other 1539 information elements that enable them to 1540 support the specific needs of an enterprise, 1541 user, product, or service. 1543 7.9. 
accessPrivilegeType 1545 elementId: TBD 1546 name: accessPrivilegeType 1547 dataType: string 1548 status: current 1549 description: A set of types that represent access 1550 privileges (read, write, none, etc.). 1552 7.10. accountName 1554 elementId: TBD 1555 name: accountName 1556 dataType: string 1557 status: current 1558 description: A label that uniquely identifies an account 1559 that can require some form of (user) authentication to 1560 access. 1562 7.11. administrativeDomainType 1564 elementId: TBD 1565 name: administrativeDomainType 1566 dataType: string 1567 status: current 1568 description: A label the is supposed to uniquely 1569 identify an administrative domain. 1571 7.12. addressAssociationType 1572 elementId: TBD 1573 name: addressAssociationType 1574 dataType: string 1575 status: current 1576 description: A label the is supposed to uniquely 1577 identify an administrative domain. 1579 7.13. addressMaskValue 1581 elementId: TBD 1582 name: addressMaskValue 1583 dataType: string 1584 status: current 1585 description: A value that expresses a generic address 1586 subnetting bitmask. 1588 7.14. addressType 1590 elementId: TBD 1591 name: addressType 1592 dataType: string 1593 status: current 1594 description: A set of types that specifies the type 1595 of address that is expressed in an address subject 1596 (e.g. ethernet, modbus, zigbee). 1598 7.15. addressValue 1600 elementId: TBD 1601 name: addressValue 1602 dataType: string 1603 status: current 1604 description: A value that expresses a generic network 1605 address. 1607 7.16. applicationComponent 1609 elementId: TBD 1610 name: applicationComponent 1611 dataType: string 1612 status: current 1613 description: A label that references a "sub"-application 1614 that is part of the application (e.g. an add-on, a 1615 cipher-suite, a library). 1617 7.17. 
applicationLabel 1619 elementId: TBD 1620 name: applicationLabel 1621 dataType: string 1622 status: current 1623 description: A label that is supposed to uniquely 1624 reference an application. 1626 7.18. applicationType 1628 elementId: TBD 1629 name: applicationType 1630 dataType: string 1631 status: current 1632 description: A set of types (FIXME maybe a finite set 1633 is not realistic here - value not enumerator?) that 1634 identifies the type of (user-space) application 1635 (e.g. text-editor, policy-editor, service-client, 1636 service-server, calendar, rouge-like RPG). 1638 7.19. applicationManufacturer 1640 elementId: TBD 1641 name: applicationManufacturer 1642 dataType: string 1643 status: current 1644 description: The name of the vendor that created the 1645 application. 1647 7.20. authenticator 1649 elementId: TBD 1650 name: authenticator 1651 dataType: string 1652 status: current 1653 description: A label that references a SACM component 1654 that can authenticate target endpoints (can be used in 1655 a target-endpoint subject to express that the target 1656 endpoint was authenticated by that SACM component. 1658 7.21. authenticationType 1659 elementId: TBD 1660 name: authenticationType 1661 dataType: string 1662 status: current 1663 description: A set of types that express which type 1664 of authentication was used to enable a network 1665 interaction/connection. 1667 7.22. birthdate 1669 elementId: TBD 1670 name: birthdate 1671 dataType: string 1672 status: current 1673 description: A label for the registered day of 1674 birth of a natural person (e.g. the date of birth 1675 of a person as an ISO date string). 1676 references: http://rs.tdwg.org/ontology/voc/Person#birthdate 1678 7.23. bytesReceived 1680 elementId: TBD 1681 name: bytesReceived 1682 dataType: string 1683 status: current 1684 description: A value that represents a number of octets 1685 received on a network interface. 1687 7.24. 
bytesReceived 1689 elementId: TBD 1690 name: bytesReceived 1691 dataType: string 1692 status: current 1693 description: A value that represents the number of 1694 octets received on a network interface. 1696 7.25. bytesSent 1698 elementId: TBD 1699 name: bytesSent 1700 dataType: string 1701 status: current 1702 description: A value that represents the number of 1703 octets sent on a network interface. 1705 7.26. certificate 1707 elementId: TBD 1708 name: certificate 1709 dataType: string 1710 status: current 1711 description: A value that expresses a certificate that 1712 can be collected from a target endpoint. 1714 7.27. collectionTaskType 1716 elementId: TBD 1717 name: collectionTaskType 1718 dataType: string 1719 status: current 1720 description: A set of types that defines how collected 1721 SACM content was acquired (e.g. network-observation, 1722 remote-acquisition, self-reported, derived, authority, 1723 verified). 1725 7.28. confidence 1727 elementId: TBD 1728 name: confidence 1729 dataType: string 1730 status: current 1731 description: A representation of the subjective probability 1732 that the assessed value is correct. If no confidence value 1733 is given, it is assumed that the confidence is 1. Acceptable 1734 values are between 0 and 1. 1736 7.29. contentAction 1738 elementId: TBD 1739 name: contentAction 1740 dataType: string 1741 status: current 1742 description: A set of types that express a type of 1743 action (e.g. add, delete, update). It can be associated, 1744 for instance, with an event subject or with a network 1745 observation. 1747 7.30. countryCode 1748 elementId: TBD 1749 name: countryCode 1750 dataType: string 1751 status: current 1752 description: A set of types according to ISO 3166-1. 1754 7.31. dataOrigin 1756 elementId: TBD 1757 name: dataOrigin 1758 dataType: string 1759 status: current 1760 description: A label that uniquely identifies a SACM 1761 component in and across SACM domains. 1763 7.32. 
dataSource 1765 elementId: TBD 1766 name: dataSource 1767 dataType: string 1768 status: current 1769 description: A label that is supposed to uniquely 1770 identify the data source (e.g. a target endpoint or 1771 sensor) that provided an initial endpoint attribute 1772 record. 1774 7.33. default-depth 1776 elementId: TBD 1777 name: default-depth 1778 dataType: string 1779 status: current 1780 description: A value that expresses how often a circular 1781 reference of subject is allowed to repeat, or how deep 1782 a recursive nesting may occur, respectively. 1784 7.34. discoverer 1786 elementId: TBD 1787 name: discoverer 1788 dataType: string 1789 status: current 1790 description: A label that refers to the SACM component 1791 that discovered a target endpoint (can be used in a 1792 target-endpoint subject to express, for example, that 1793 the target endpoint was authenticated by that SACM 1794 component). 1796 7.35. emailAddress 1798 elementId: TBD 1799 name: emailAddress 1800 dataType: string 1801 status: current 1802 description: A value that expresses an email-address. 1804 7.36. eventType 1806 elementId: TBD 1807 name: eventType 1808 dataType: string 1809 status: current 1810 description: a set of types that define the categories 1811 of an event (e.g. access-level-change, 1812 change-of-privilege, change-of-authorization, 1813 environmental-event, or provisioning-event). 1815 7.37. eventThreshold 1817 elementId: TBD 1818 name: eventThreshold 1819 dataType: string 1820 status: current 1821 description: If applicable, a value that can be 1822 included in an event subject to indicate what numeric 1823 threshold value was crossed to trigger that event. 1825 7.38. eventThresholdName 1827 elementId: TBD 1828 name: eventThresholdName 1829 dataType: string 1830 status: current 1831 description: If an event is created due to a crossed 1832 threshold, the threshold might have a name associated 1833 with it that can be expressed via this value. 1835 7.39. 
eventTrigger 1837 elementId: TBD 1838 name: eventTrigger 1839 dataType: string 1840 status: current 1841 description: This value is used to express more 1842 complex trigger conditions that may cause the creation 1843 of an event. 1845 7.40. firmwareId 1847 elementId: TBD 1848 name: firmwareId 1849 dataType: string 1850 status: current 1851 description: A label that represents the BIOS or 1852 firmware ID of a specific target endpoint. 1854 7.41. hostName 1856 elementId: TBD 1857 name: hostName 1858 dataType: string 1859 status: current 1860 description: A label typically associated with an 1861 endpoint, but, not always intended to be unique given 1862 scope. 1864 7.42. interfaceLabel 1866 elementId: TBD 1867 name: interfaceLabel 1868 dataType: string 1869 status: current 1870 description: A unique label that can be used to 1871 reference a network interface. 1873 7.43. ipv6AddressSubnetMask 1875 elementId: TBD 1876 name: ipv6AddressSubnetMask 1877 dataType: string 1878 status: current 1879 description: An IPv6 subnet bitmask. 1881 7.44. ipv6AddressSubnetMaskCidrNotation 1883 elementId: TBD 1884 name: ipv6AddressSubnetMaskCidrNotation 1885 dataType: string 1886 status: current 1887 description: An IPv6 subnet bitmask in CIDR notation. 1889 7.45. ipv6AddressValue 1891 elementId: TBD 1892 name: ipv6AddressValue 1893 dataType: ipv6Address 1894 status: current 1895 description: An IPv6 subnet bitmask in CIDR notation. 1897 7.46. ipv4AddressSubnetMask 1899 elementId: TBD 1900 name: ipv4AddressSubnetMask 1901 dataType: string 1902 status: current 1903 description: An IPv4 subnet bitmask. 1905 7.47. ipv4AddressSubnetMaskCidrNotation 1907 elementId: TBD 1908 name: ipv4AddressSubnetMaskCidrNotation 1909 dataType: string 1910 status: current 1911 description: An IPv4 subnet bitmask in CIDR notation. 1913 7.48. ipv4AddressValue 1915 elementId: TBD 1916 name: ipv4AddressValue 1917 dataType: ipv4Address 1918 status: current 1919 description: An IPv4 address value. 1921 7.49. 
layer2InterfaceType 1923 elementId: TBD 1924 name: layer2InterfaceType 1925 dataType: string 1926 status: current 1927 description: A set of types referenced by IANA ifType. 1929 7.50. layer4PortAddress 1930 elementId: TBD 1931 name: layer4PortAddress 1932 dataType: unsigned32 1933 status: current 1934 description: A layer 4 port address 1935 typically associated with TCP and UDP 1936 protocols. 1938 7.51. layer4Protocol 1940 elementId: TBD 1941 name: layer4Protocol 1942 dataType: string 1943 status: current 1944 description: A set of types that express a layer 4 1945 protocol (e.g. UDP or TCP). 1947 7.52. locationName 1949 elementId: TBD 1950 name: locationName 1951 dataType: string 1952 status: current 1953 description: A value that represents a named region of 1954 physical space. 1956 7.53. networkZoneLocation 1958 elementId: TBD 1959 name: networkZoneLocation 1960 dataType: string 1961 status: current 1962 description: The zone location of an endpoint on the 1963 network (e.g. internet, enterprise DMZ, 1964 enterprise WAN, enclave DMZ, enclave). 1966 7.54. layer2NetworkLocation 1968 elementId: TBD 1969 name: layer2NetworkLocation 1970 dataType: string 1971 status: current 1972 description: The location of a layer-2 interface on 1973 the network (e.g. link-layer neighborhood, 1974 shared broadcast domain). 1976 7.55. layer3NetworkLocation 1978 elementId: TBD 1979 name: layer3NetworkLocation 1980 dataType: string 1981 status: current 1982 description: The location of a layer-3 interface on 1983 the network (e.g. next-hop routing neighbor). 1985 7.56. macAddressValue 1987 elementId: TBD 1988 name: macAddressValue 1989 dataType: string 1990 status: current 1991 description: A value that expresses an Ethernet address. 1993 7.57. methodLabel 1995 elementId: TBD 1996 name: methodLabel 1997 dataType: string 1998 status: current 1999 description: A label that references a specific method 2000 registered and used in a SACM domain (e.g. 
method to 2001 match and re-identify target endpoints via identifying 2002 attributes). 2004 7.58. methodRepository 2006 elementId: TBD 2007 name: methodRepository 2008 dataType: string 2009 status: current 2010 description: A label that references a SACM component 2011 methods can be registered at and that can provide 2012 guidance in the form of registered methods to other 2013 SACM components. 2015 7.59. networkAccessLevelType 2017 elementId: TBD 2018 name: networkAccessLevelType 2019 dataType: string 2020 status: current 2021 description: A set of types that express categories 2022 of network access-levels (e.g. block, quarantine, etc.). 2024 7.60. networkId 2026 elementId: TBD 2027 name: networkId 2028 dataType: string 2029 status: current 2030 description: Most networks such as AS, OSBF domains, 2031 or VLANs can have an ID. 2033 7.61. networkInterfaceName 2035 elementId: TBD 2036 name: networkInterfaceName 2037 dataType: string 2038 status: current 2039 description: A label that uniquely identifies an 2040 interface associated with a distinguishable endpoint. 2042 7.62. networkLayer 2044 elementId: TBD 2045 name: networkLayer 2046 dataType: string 2047 status: current 2048 description: A set of layers that expresses the specific 2049 network layer an interface operates on. 2051 7.63. networkName 2053 elementId: TBD 2054 name: networkName 2055 dataType: string 2056 status: current 2057 description: A label that is associated with a network. 2058 Some networks, for example, effective 2059 layer2-broadcast-domains are difficult to "grasp" and 2060 therefore quite difficult to name. 2062 7.64. organizationId 2064 elementId: TBD 2065 name: organizationId 2066 dataType: string 2067 status: current 2068 description: A label that uniquely identifies an 2069 organization via a PEN. 2071 7.65. patchId 2073 elementId: TBD 2074 name: patchId 2075 dataType: string 2076 status: current 2077 description: A label that uniquely identifies a specific 2078 software patch. 
2080 7.66. patchName 2082 elementId: TBD 2083 name: patchName 2084 dataType: string 2085 status: current 2086 description: The vendor's name of a software patch. 2088 7.67. personFirstName 2090 elementId: TBD 2091 name: personFirstName 2092 dataType: string 2093 status: current 2094 description: The first name of a natural person. 2096 7.68. personLastName 2098 elementId: TBD 2099 name: personLastName 2100 dataType: string 2101 status: current 2102 description: The last name of a natural person. 2104 7.69. personMiddleName 2106 elementId: TBD 2107 name: personMiddleName 2108 dataType: string 2109 status: current 2110 description: The middle name of a natural person. 2112 7.70. phoneNumber 2113 elementId: TBD 2114 name: phoneNumber 2115 dataType: string 2116 status: current 2117 description: A label that expresses the U.S. national 2118 phone number (e.g. pattern value="((\d{3}) )?\d{3}-\d{4}"). 2120 7.71. phoneNumberType 2122 elementId: TBD 2123 name: phoneNumberType 2124 dataType: string 2125 status: current 2126 description: A set of types that express the type of 2127 a phone number (e.g. DSN, Fax, Home, Mobile, Pager, 2128 Secure, Unsecure, Work, Other). 2130 7.72. privilegeName 2132 elementId: TBD 2133 name: privilegeName 2134 dataType: string 2135 status: current 2136 description: The attribute name of the privilege 2137 represented as an AVP. 2139 7.73. privilegeValue 2141 elementId: TBD 2142 name: privilegeValue 2143 dataType: string 2144 status: current 2145 description: The value content of the privilege 2146 represented as an AVP. 2148 7.74. protocol 2150 elementId: TBD 2151 name: protocol 2152 dataType: string 2153 status: current 2154 description: A set of types that defines specific 2155 protocols above layer 4 (e.g. http, https, dns, ipp, 2156 or unknown). 2158 7.75. 
publicKey 2160 elementId: TBD 2161 name: publicKey 2162 dataType: string 2163 status: current 2164 description: The value of a public key (regardless of its 2165 method of creation, crypto-system, or signature scheme) 2166 that can be collected from a target endpoint. 2168 7.76. relationshipContentElementGuid 2170 elementId: TBD 2171 name: relationshipContentElementGuid 2172 dataType: string 2173 status: current 2174 description: A reference to a specific content element 2175 used in a relationship subject. 2177 7.77. relationshipStatementElementGuid 2179 elementId: TBD 2180 name: relationshipStatementElementGuid 2181 dataType: string 2182 status: current 2183 description: A reference to a specific SACM statement 2184 used in a relationship subject. 2186 7.78. relationshipObjectLabel 2188 elementId: TBD 2189 name: relationshipObjectLabel 2190 dataType: string 2191 status: current 2192 description: A reference to a specific label used in 2193 content (e.g. a te-label or a user-id). This 2194 reference is typically used if matching content 2195 attribute can be done efficiantly and can also be 2196 included in addition to a 2197 relationship-content-element-guid reference. 2199 7.79. relationshipType 2200 elementId: TBD 2201 name: relationshipType 2202 dataType: string 2203 status: current 2204 description: A set of types that is in every instance 2205 of a relationship subject to highlight what kind of 2206 relationship exists between the subject the relationship 2207 is included in (e.g. associated_with_user, 2208 applies_to_session, seen_on_interface, 2209 associated_with_flow, contains_virtual_device). 2211 7.80. roleName 2213 elementId: TBD 2214 name: roleName 2215 dataType: string 2216 status: current 2217 description: A label that references a collection of 2218 privileges assigned to a specific entity. 2220 7.81. 
sessionStateType 2222 elementId: TBD 2223 name: sessionStateType 2224 dataType: string 2225 status: current 2226 description: A set of types a discernible session (an 2227 ongoing network interaction) can be in (e.g. 2228 Authenticating, Authenticated, Postured, Started, 2229 Disconnected). 2231 7.82. statementGuid 2233 elementId: TBD 2234 name: statementGuid 2235 dataType: string 2236 status: current 2237 description: A label that expresses a global unique 2238 ID referencing a specific SACM statement that was 2239 produced by a SACM component. 2241 7.83. statementType 2242 elementId: TBD 2243 name: statementType 2244 dataType: string 2245 status: current 2246 description: A set of types that define the type of 2247 content that is included in a SACM statement (e.g. 2248 Observation, DirectoryContent, Correlation, Assessment, 2249 Guidance, Event). 2251 7.84. status 2253 elementId: TBD 2254 name: status 2255 dataType: string 2256 status: current 2257 description: A set of types that defines possible 2258 result values for a finding in general (e.g. true, 2259 false, error, unknown, not applicable, not evaluated). 2261 7.85. subAdministrativeDomain 2263 elementId: TBD 2264 name: subAdministrativeDomain 2265 dataType: string 2266 status: current 2267 description: A label for related child domains an 2268 administrative domain can be composed of (used in the 2269 subject administrativeDomain). 2271 7.86. subInterfaceLabel 2273 elementId: TBD 2274 name: subInterfaceLabel 2275 dataType: string 2276 status: current 2277 description: A unique label a sub network interface 2278 (e.g. a tagged vlan on a trunk) can be referenced 2279 with. 2281 7.87. superAdministrativeDomain 2283 elementId: TBD 2284 name: superAdministrativeDomain 2285 dataType: string 2286 status: current 2287 description: a label for related parent domains an 2288 administrative domain is part of (used 2289 in the subject administrativeDomain). 2291 7.88. 
superInterfaceLabel

2293   elementId: TBD
2294   name: superInterfaceLabel
2295   dataType: string
2296   status: current
2297   description: a unique label a super network interface
2298     (e.g. a physical interface a tunnel
2299     interface terminates on) can be referenced
2300     with.

2302 7.89. teAssessmentState

2304   elementId: TBD
2305   name: teAssessmentState
2306   dataType: string
2307   status: current
2308   description: a set of types that defines the state of
2309     assessment of a target-endpoint (e.g.
2310     in-discovery, discovered, in-classification,
2311     classified, in-assessment, assessed).

2313 7.90. teLabel

2315   elementId: TBD
2316   name: teLabel
2317   dataType: string
2318   status: current
2319   description: an identifying label created from a set
2320     of identifying attributes used to reference
2321     a specific target endpoint.

2323 7.91. teId

2325   elementId: TBD
2326   name: teId
2327   dataType: string
2328   status: current
2329   description: an identifying label that is created
2330     randomly, is supposed to be unique, and
2331     used to reference a specific target
2332     endpoint.

2334 7.92. timestampType
2335   elementId: TBD
2336   name: timestampType
2337   dataType: string
2338   status: current
2339   description: a set of types that express what type of
2340     action or event happened at that point
2341     of time (e.g. discovered, classified,
2342     collected, published). Can be included in
2343     a generic timestamp subject.

2345 7.93. unitsReceived

2347   elementId: TBD
2348   name: unitsReceived
2349   dataType: string
2350   status: current
2351   description: a value that represents a number of units
2352     (e.g. frames, packets, cells or segments)
2353     received on a network interface.

2355 7.94. unitsSent

2357   elementId: TBD
2358   name: unitsSent
2359   dataType: string
2360   status: current
2361   description: a value that represents a number of units
2362     (e.g. frames, packets, cells or segments)
2363     sent on a network interface.

2365 7.95. userDirectory

2367   elementId: TBD
2368   name: userDirectory
2369   dataType: string
2370   status: current
2371   description: a label that identifies a specific type
2372     of user-directory (e.g. ldap, active-directory,
2373     local-user).

2375 7.96. sacmUserId

2377   elementId: TBD
2378   name: sacmUserId
2379   dataType: string
2380   status: current
2381   description: a label that references a specific user
2382     known in a SACM domain.

2384 7.97. webSite

2386   elementId: TBD
2387   name: webSite
2388   dataType: string
2389   status: current
2390   description: a URI that references a web-site.

2392 7.98. WGS84Longitude

2394   elementId: TBD
2395   name: WGS84Longitude
2396   dataType: float64
2397   status: current
2398   description: a label that represents WGS 84 rev 2004
2399     longitude.

2401 7.99. WGS84Latitude

2403   elementId: TBD
2404   name: WGS84Latitude
2405   dataType: float64
2406   status: current
2407   description: a label that represents WGS 84 rev 2004
2408     latitude.

2410 7.100. WGS84Altitude

2412   elementId: TBD
2413   name: WGS84Altitude
2414   dataType: float64
2415   status: current
2416   description: a label that represents WGS 84 rev 2004
2417     altitude.

2419 7.101. hardwareSerialNumber

2421   elementId: TBD
2422   name: hardwareSerialNumber
2423   dataType: string
2424   status: current
2425   description: A globally unique identifier for a
2426     particular piece of hardware assigned
2427     by the vendor.

2429 7.102. interfaceName

2431   elementId: TBD
2432   name: interfaceName
2433   dataType: string
2434   status: current
2435   description: A short name uniquely describing an
2436     interface, e.g. "Eth1/0". See [RFC2863]
2437     for the definition of the ifName object.

2439 7.103. interfaceIndex

2441   elementId: TBD
2442   name: interfaceIndex
2443   dataType: unsigned32
2444   status: current
2445   description: The index of an interface installed on an endpoint.
2446     The value matches the value of managed object
2447     'ifIndex' as defined in [RFC2863]. Note that ifIndex
2448     values are not assigned statically to an interface
2449     and that the interfaces may be renumbered every time
2450     the device's management system is re-initialized,
2451     as specified in [RFC2863].

2453 7.104. interfaceMacAddress

2455   elementId: TBD
2456   name: interfaceMacAddress
2457   dataType: macAddress
2458   status: current
2459   description: The IEEE 802 MAC address associated with a network
2460     interface on an endpoint.

2462 7.105. interfaceType

2464   elementId: TBD
2465   name: interfaceType
2466   dataType: unsigned32
2467   status: current
2468   description: The type of a network interface. The value matches
2469     the value of managed object 'ifType' as defined in
2470     [IANA registry ianaiftype-mib].

2472 7.106. interfaceFlags
2473   elementId: TBD
2474   name: interfaceFlags
2475   dataType: unsigned16
2476   status: current
2477   description: This information element specifies the flags
2478     associated with a network interface. Possible
2479     values include:
2480   structure:
2481     Up ; 0x1 ; Interface is up.
2482     Broadcast ; 0x2 ; Broadcast address valid.
2483     Debug ; 0x4 ; Turn on debugging.
2484     Loopback ; 0x8 ; Is a loopback net.
2485     Point-to-point ; 0x10 ; Interface is point-to-point
2486       link.
2487     No trailers ; 0x20 ; Avoid use of trailers.
2488     Resources allocated ; 0x40 ; Resources allocated.
2489     No ARP ; 0x80 ; No address resolution protocol.
2490     Receive all ; 0x100 ; Receive all packets.

2492 7.107. networkInterface

2494   elementId: TBD
2495   name: networkInterface
2496   dataType: orderedList
2497   status: current
2498   description: Information about a network interface
2499     installed on an endpoint. The
2500     following high-level diagram
2501     describes the structure of
2502     networkInterface information
2503     element.
2504   structure: orderedList(interfaceName, interfaceIndex, macAddress,
2505     interfaceType, flags)

2507 7.108. softwareIdentifier

2509   elementId: TBD
2510   name: softwareIdentifier
2511   dataType: string
2512   status: current
2513   description: A globally unique identifier for a particular
2514     software application.

2516 7.109. softwareTitle
2517   elementId: TBD
2518   name: softwareTitle
2519   dataType: string
2520   status: current
2521   description: The title of the software application.

2523 7.110. softwareCreator

2525   elementId: TBD
2526   name: softwareCreator
2527   dataType: string
2528   status: current
2529   description: The software developer (e.g., vendor or author).

2531 7.111. simpleSoftwareVersion

2533   elementId: TBD
2534   name: simpleSoftwareVersion
2535   dataType: string
2536   status: current
2537   description: The version string for a software application that
2538     conforms to the format of a list of hierarchical
2539     non-negative integers separated by a single character
2540     delimiter format.

2542 7.112. rpmSoftwareVersion

2544   elementId: TBD
2545   name: rpmSoftwareVersion
2546   dataType: string
2547   status: current
2548   description: The version string for a software application that
2549     conforms to the EPOCH:VERSION-RELEASE format.

2551 7.113. ciscoTrainSoftwareVersion

2553   elementId: TBD
2554   name: ciscoTrainSoftwareVersion
2555   dataType: string
2556   status: current
2557   description: The version string for a software application that
2558     conforms to the Cisco IOS Train string format.

2560 7.114. softwareVersion
2561   elementId: TBD
2562   name: softwareVersion
2563   dataType: category
2564   status: current
2565   description: The version of the software application. Software
2566     applications may be versioned using a number of
2567     schemas. The following high-level diagram describes
2568     the structure of the softwareVersion information
2569     element.
2570   structure: category(simpleSoftwareVersion | rpmSoftwareVersion |
2571     ciscoTrainSoftwareVersion)

2573 7.115. softwareLastUpdated

2575   elementId: TBD
2576   name: softwareLastUpdated
2577   dataType: dateTimeSeconds
2578   status: current
2579   description: The date and time when the software instance
2580     was last updated on the system (e.g., new
2581     version installed or patch applied)

2583 7.116. softwareClass
2584   elementId: TBD
2585   name: softwareClass
2586   dataType: enumeration
2587   status: current
2588   description: The class of the software instance.
2589   structure:
2590     Unknown ; 0x1 ; The class is not known.
2591     Other ; 0x2 ; The class is known, but,
2592       something other than a value
2593       listed in the enumeration.
2594     Driver ; 0x3 ; The class is a device driver.
2595     Configuration Software ; 0x4 ; The class is configuration
2596       software.
2597     Application Software ; 0x5 ; The class is application
2598       software.
2599     Instrumentation ; 0x6 ; The class is instrumentation.
2600     Diagnostic Software ; 0x8 ; The class is diagnostic
2601       software.
2602     Operating System ; 0x9 ; The class is operating
2603       system.
2604     Middleware ; 0xA ; The class is middleware.
2605     Firmware ; 0xB ; The class is firmware.
2606     BIOS/FCode ; 0xC ; The class is BIOS or FCode.
2607     Support/Service Pack ; 0xD ; The class is a support or
2608       service pack.
2609     Software Bundle ; 0xE ; The class is a software
2610       bundle.
2611   References: See Classifications of the DMTF
2612     CIM_SoftwareIdentity schema.

2614 7.117. softwareInstance

2616   elementId: TBD
2617   name: softwareInstance
2618   dataType: orderedList
2619   status: current
2620   description: Information about an instance of software
2621     installed on an endpoint. The following
2622     high-level diagram describes the structure of
2623     the softwareInstance information element.
2624   structure: orderedList(softwareIdentifier, softwareTitle,
2625     softwareCreator, softwareVersion,
2626     softwareLastUpdated, softwareClass)

2628 7.118. globallyUniqueIdentifier

2630   elementId: TBD
2631   name: globallyUniqueIdentifier
2632   dataType: unsigned8
2633   status: current
2634   description: TODO.

2636 7.119. creationTimestamp

2638   elementId: TBD
2639   name: creationTimestamp
2640   dataType: dateTimeSeconds
2641   status: current
2642   description: The date and time when the posture
2643     information was created by a SACM Component.

2645 7.120. collectionTimestamp

2647   elementId: TBD
2648   name: collectionTimestamp
2649   dataType: dateTimeSeconds
2650   status: current
2651   description: The date and time when the posture
2652     information was collected or observed by a SACM
2653     Component.

2655 7.121. publicationTimestamp

2657   elementId: TBD
2658   name: publicationTimestamp
2659   dataType: dateTimeSeconds
2660   status: current
2661   description: The date and time when the posture
2662     information was published.

2664 7.122. relayTimestamp

2666   elementId: TBD
2667   name: relayTimestamp
2668   dataType: dateTimeSeconds
2669   status: current
2670   description: The date and time when the posture
2671     information was relayed to another SACM Component.

2673 7.123. storageTimestamp

2675   elementId: TBD
2676   name: storageTimestamp
2677   dataType: dateTimeSeconds
2678   status: current
2679   description: The date and time when the posture
2680     information was stored in a Repository.

2682 7.124. type

2684   elementId: TBD
2685   name: type
2686   dataType: enumeration
2687   status: current
2688   description: The type of data model used to represent
2689     some set of endpoint information. The following
2690     table lists the set of data models supported by SACM.
2691   structure: TBD

2693 7.125. protocolIdentifier

2695   elementId: TBD
2696   name: protocolIdentifier
2697   dataType: unsigned8
2698   status: current
2699   description: The value of the protocol number in the IP packet
2700     header. The protocol number identifies the IP packet
2701     payload type. Protocol numbers are defined in the
2702     IANA Protocol Numbers registry.

2704     In Internet Protocol version 4 (IPv4), this is
2705     carried in the Protocol field. In Internet Protocol
2706     version 6 (IPv6), this is carried in the Next Header
2707     field in the last extension header of the packet.

2709 7.126. sourceTransportPort

2711   elementId: TBD
2712   name: sourceTransportPort
2713   dataType: unsigned16
2714   status: current
2715   description: The source port identifier in the transport header.
2716     For the transport protocols UDP, TCP, and SCTP, this
2717     is the source port number given in the respective
2718     header. This field MAY also be used for future
2719     transport protocols that have 16-bit source port
2720     identifiers.

2722 7.127. sourceIPv4PrefixLength

2724   elementId: TBD
2725   name: sourceIPv4PrefixLength
2726   dataType: unsigned8
2727   status: current
2728   description: The number of contiguous bits that are relevant in
2729     the sourceIPv4Prefix Information Element.

2731 7.128. ingressInterface

2733   elementId: TBD
2734   name: ingressInterface
2735   dataType: unsigned32
2736   status: current
2737   description: The index of the IP interface where packets of this
2738     Flow are being received. The value matches the
2739     value of managed object 'ifIndex' as defined in
2740     [RFC2863]. Note that ifIndex values are not assigned
2741     statically to an interface and that the interfaces
2742     may be renumbered every time the device's management
2743     system is re-initialized, as specified in [RFC2863].

2745 7.129. destinationTransportPort

2747   elementId: TBD
2748   name: destinationTransportPort
2749   dataType: unsigned16
2750   status: current
2751   description: The destination port identifier in the transport
2752     header. For the transport protocols UDP, TCP, and
2753     SCTP, this is the destination port number given in
2754     the respective header. This field MAY also be used
2755     for future transport protocols that have 16-bit
2756     destination port identifiers.

2758 7.130. sourceIPv6PrefixLength

2760   elementId: TBD
2761   name: sourceIPv6PrefixLength
2762   dataType: unsigned8
2763   status: current
2764   description: The number of contiguous bits that are relevant in
2765     the sourceIPv6Prefix Information Element.

2767 7.131. sourceIPv4Prefix

2769   elementId: TBD
2770   name: sourceIPv4Prefix
2771   dataType: ipv4Address
2772   status: current
2773   description: IPv4 source address prefix.

2775 7.132. destinationIPv4Prefix

2777   elementId: TBD
2778   name: destinationIPv4Prefix
2779   dataType: ipv4Address
2780   status: current
2781   description: IPv4 destination address prefix.

2783 7.133. sourceMacAddress

2785   elementId: TBD
2786   name: sourceMacAddress
2787   dataType: macAddress
2788   status: current
2789   description: The IEEE 802 source MAC address field.

2791 7.134. ipVersion

2793   elementId: TBD
2794   name: ipVersion
2795   dataType: unsigned8
2796   status: current
2797   description: The IP version field in the IP packet header.

2799 7.135. interfaceDescription

2801   elementId: TBD
2802   name: interfaceDescription
2803   dataType: string
2804   status: current
2805   description: The description of an interface, e.g.
2806     "FastEthernet 1/0" or "ISP connection".

2808 7.136. applicationDescription

2810   elementId: TBD
2811   name: applicationDescription
2812   dataType: string
2813   status: current
2814   description: Specifies the description of an application.

2816 7.137. applicationId

2818   elementId: TBD
2819   name: applicationId
2820   dataType: octetArray
2821   status: current
2822   description: Specifies an Application ID per [RFC6759].

2824 7.138. applicationName

2826   elementId: TBD
2827   name: applicationName
2828   dataType: string
2829   status: current
2830   description: Specifies the name of an application.

2832 7.139. exporterIPv4Address

2834   elementId: TBD
2835   name: exporterIPv4Address
2836   dataType: ipv4Address
2837   status: current
2838   description: The IPv4 address used by the Exporting Process.
2839     This is used by the Collector to identify the
2840     Exporter in cases where the identity of the Exporter
2841     may have been obscured by the use of a proxy.

2843 7.140. exporterIPv6Address

2845   elementId: TBD
2846   name: exporterIPv6Address
2847   dataType: ipv6Address
2848   status: current
2849   description: The IPv6 address used by the Exporting Process.
2850     This is used by the Collector to identify the
2851     Exporter in cases where the identity of the
2852     Exporter may have been obscured by the use of a
2853     proxy.

2855 7.141. portId
2856   elementId: TBD
2857   name: portId
2858   dataType: unsigned32
2859   status: current
2860   description: An identifier of a line port that is unique per
2861     IPFIX Device hosting an Observation Point.
2862     Typically, this Information Element is used for
2863     limiting the scope of other Information Elements.

2865 7.142. templateId

2867   elementId: TBD
2868   name: templateId
2869   dataType: unsigned16
2870   status: current
2871   description: An identifier of a Template that is locally unique
2872     within a combination of a Transport session and an
2873     Observation Domain.

2875     Template IDs 0-255 are reserved for Template Sets,
2876     Options Template Sets, and other reserved Sets yet
2877     to be created. Template IDs of Data Sets are
2878     numbered from 256 to 65535.

2880     Typically, this Information Element is used for
2881     limiting the scope of other Information Elements.
2882     Note that after a re-start of the Exporting Process
2883     Template identifiers may be re-assigned.

2885 7.143. collectorIPv4Address

2887   elementId: TBD
2888   name: collectorIPv4Address
2889   dataType: ipv4Address
2890   status: current
2891   description: An IPv4 address to which the Exporting Process sends
2892     Flow information.

2894 7.144. collectorIPv6Address

2896   elementId: TBD
2897   name: collectorIPv6Address
2898   dataType: ipv6Address
2899   status: current
2900   description: An IPv6 address to which the Exporting Process sends
2901     Flow information.

2903 7.145. informationElementIndex

2905   elementId: TBD
2906   name: informationElementIndex
2907   dataType: unsigned16
2908   status: current
2909   description: A zero-based index of an Information Element
2910     referenced by informationElementId within a Template
2911     referenced by templateId; used to disambiguate
2912     scope for templates containing multiple identical
2913     Information Elements.

2915 7.146. informationElementId

2917   elementId: TBD
2918   name: informationElementId
2919   dataType: unsigned16
2920   status: current
2921   description: This Information Element contains the ID of another
2922     Information Element.

2924 7.147. informationElementDataType

2926   elementId: TBD
2927   name: informationElementDataType
2928   dataType: unsigned8
2929   status: current
2930   description: A description of the abstract data type of an IPFIX
2931     information element. These are taken from the
2932     abstract data types defined in section 3.1 of the
2933     IPFIX Information Model [RFC5102]; see that section
2934     for more information on the types described in the
2935     informationElementDataType sub-registry.

2937     These types are registered in the IANA IPFIX
2938     Information Element Data Type subregistry. This
2939     subregistry is intended to assign numbers for type
2940     names, not to provide a mechanism for adding data
2941     types to the IPFIX Protocol, and as such requires a
2942     Standards Action [RFC5226] to modify.

2944 7.148. informationElementDescription
2945   elementId: TBD
2946   name: informationElementDescription
2947   dataType: string
2948   status: current
2949   description: A UTF-8 [RFC3629] encoded Unicode string containing
2950     a human-readable description of an Information
2951     Element. The content of the
2952     informationElementDescription MAY be annotated with
2953     one or more language tags [RFC4646], encoded
2954     in-line [RFC2482] within the UTF-8 string, in order
2955     to specify the language in which the description is
2956     written. Description text in multiple languages MAY
2957     tag each section with its own language tag; in this
2958     case, the description information in each language
2959     SHOULD have equivalent meaning. In the absence of
2960     any language tag, the "i-default" [RFC2277] language
2961     SHOULD be assumed. See the Security Considerations
2962     section for notes on string handling for Information
2963     Element type records.

2965 7.149. informationElementName

2967   elementId: TBD
2968   name: informationElementName
2969   dataType: string
2970   status: current
2971   description: A UTF-8 [RFC3629] encoded Unicode string containing
2972     the name of an Information Element, intended as a
2973     simple identifier. See the Security Considerations
2974     section for notes on string handling for Information
2975     Element type records.

2977 7.150. informationElementRangeBegin

2979   elementId: TBD
2980   name: informationElementRangeBegin
2981   dataType: unsigned64
2982   status: current
2983   description: Contains the inclusive low end of the range of
2984     acceptable values for an Information Element.

2986 7.151. informationElementRangeEnd
2987   elementId: TBD
2988   name: informationElementRangeEnd
2989   dataType: unsigned64
2990   status: current
2991   description: Contains the inclusive high end of the range of
2992     acceptable values for an Information Element.

2994 7.152. informationElementSemantics

2996   elementId: TBD
2997   name: informationElementSemantics
2998   dataType: unsigned8
2999   status: current
3000   description: A description of the semantics of an IPFIX
3001     Information Element. These are taken from the data
3002     type semantics defined in section 3.2 of the IPFIX
3003     Information Model [RFC5102]; see that section for
3004     more information on the types defined in the
3005     informationElementSemantics sub-registry. This
3006     field may take the values in Table ; the special
3007     value 0x00 (default) is used to note that no
3008     semantics apply to the field; it cannot be
3009     manipulated by a Collecting Process or File Reader
3010     that does not understand it a priori.

3012     These semantics are registered in the IANA IPFIX
3013     Information Element Semantics subregistry. This
3014     subregistry is intended to assign numbers for
3015     semantics names, not to provide a mechanism for
3016     adding semantics to the IPFIX Protocol, and as such
3017     requires a Standards Action [RFC5226] to modify.

3019 7.153. informationElementUnits
3020   elementId: TBD
3021   name: informationElementUnits
3022   dataType: unsigned16
3023   status: current
3024   description: A description of the units of an IPFIX Information
3025     Element. These correspond to the units implicitly
3026     defined in the Information Element definitions in
3027     section 5 of the IPFIX Information Model [RFC5102];
3028     see that section for more information on the types
3029     described in the informationElementsUnits
3030     sub-registry. This field may take the values in
3031     Table 3 below; the special value 0x00 (none) is
3032     used to note that the field is unitless.

3034     These types are registered in the IANA IPFIX
3035     Information Element Units subregistry; new types
3036     may be added on a First Come First Served [RFC5226]
3037     basis.

3039 7.154. applicationCategoryName

3041   elementId: TBD
3042   name: applicationCategoryName
3043   dataType: string
3044   status: current
3045   description: An attribute that provides a first level
3046     categorization for each Application ID.

3048 7.155. mibObjectValueInteger

3050   elementId: TBD
3051   name: mibObjectValueInteger
3052   dataType: signed64
3053   status: current
3054   description: An IPFIX Information Element which denotes that the
3055     integer value of a MIB object will be exported.
3056     The MIB Object Identifier ("mibObjectIdentifier")
3057     for this field MUST be exported in a MIB Field
3058     Option or via another means. This Information
3059     Element is used for MIB objects with the Base
3060     Syntax of Integer32 and INTEGER with IPFIX Reduced
3061     Size Encoding used as required. The value is
3062     encoded as per the standard IPFIX Abstract Data Type
3063     of signed64.

3065 7.156. mibObjectValueOctetString

3067   elementId: TBD
3068   name: mibObjectValueOctetString
3069   dataType: octetArray
3070   status: current
3071   description: An IPFIX Information Element which denotes that an
3072     Octet String or Opaque value of a MIB object will
3073     be exported. The MIB Object Identifier
3074     ("mibObjectIdentifier") for this field MUST be
3075     exported in a MIB Field Option or via another means.
3076     This Information Element is used for MIB objects
3077     with the Base Syntax of OCTET STRING and Opaque. The
3078     value is encoded as per the standard IPFIX Abstract
3079     Data Type of octetArray.

3081 7.157. mibObjectValueOID

3083   elementId: TBD
3084   name: mibObjectValueOID
3085   dataType: octetArray
3086   status: current
3087   description: An IPFIX Information Element which denotes that an
3088     Object Identifier or OID value of a MIB object will
3089     be exported. The MIB Object Identifier
3090     ("mibObjectIdentifier") for this field MUST be
3091     exported in a MIB Field Option or via another means.
3092     This Information Element is used for MIB objects
3093     with the Base Syntax of OBJECT IDENTIFIER. Note -
3094     In this case the "mibObjectIdentifier" will define
3095     which MIB object is being exported while the value
3096     contained in this Information Element will be an
3097     OID as a value. The mibObjectValueOID Information
3098     Element is encoded as ASN.1/BER [BER] in an
3099     octetArray.

3101 7.158. mibObjectValueBits
3102   elementId: TBD
3103   name: mibObjectValueBits
3104   dataType: octetArray
3105   status: current
3106   description: An IPFIX Information Element which denotes that a
3107     set of Enumerated flags or bits from a MIB object
3108     will be exported. The MIB Object Identifier
3109     ("mibObjectIdentifier") for this field MUST be
3110     exported in a MIB Field Option or via another means.
3111     This Information Element is used for MIB objects
3112     with the Base Syntax of BITS. The flags or bits are
3113     encoded as per the standard IPFIX Abstract Data Type
3114     of octetArray, with sufficient length to accommodate
3115     the required number of bits. If the number of bits
3116     is not an integer multiple of octets then the most
3117     significant bits at end of the octetArray MUST be
3118     set to zero.

3120 7.159. mibObjectValueIPAddress

3122   elementId: TBD
3123   name: mibObjectValueIPAddress
3124   dataType: ipv4Address
3125   status: current
3126   description: An IPFIX Information Element which denotes that the
3127     IPv4 Address of a MIB object will be exported. The
3128     MIB Object Identifier ("mibObjectIdentifier") for
3129     this field MUST be exported in a MIB Field Option
3130     or via another means. This Information Element is
3131     used for MIB objects with the Base Syntax of
3132     IPaddress. The value is encoded as per the standard
3133     IPFIX Abstract Data Type of ipv4Address.

3135 7.160. mibObjectValueCounter
3136   elementId: TBD
3137   name: mibObjectValueCounter
3138   dataType: unsigned64
3139   status: current
3140   description: An IPFIX Information Element which denotes that the
3141     counter value of a MIB object will be exported.
3142     The MIB Object Identifier ("mibObjectIdentifier")
3143     for this field MUST be exported in a MIB Field
3144     Option or via another means. This Information
3145     Element is used for MIB objects with the Base
3146     Syntax of Counter32 or Counter64 with IPFIX Reduced
3147     Size Encoding used as required. The value is encoded
3148     as per the standard IPFIX Abstract Data Type
3149     of unsigned64.

3151 7.161. mibObjectValueGauge

3153   elementId: TBD
3154   name: mibObjectValueGauge
3155   dataType: unsigned32
3156   status: current
3157   description: An IPFIX Information Element which denotes that the
3158     Gauge value of a MIB object will be exported. The
3159     MIB Object Identifier ("mibObjectIdentifier") for
3160     this field MUST be exported in a MIB Field Option
3161     or via another means. This Information Element is
3162     used for MIB objects with the Base Syntax of Gauge32.
3163     The value is encoded as per the standard IPFIX
3164     Abstract Data Type of unsigned64. This value will
3165     represent a non-negative integer, which may increase
3166     or decrease, but shall never exceed a maximum
3167     value, nor fall below a minimum value.

3169 7.162. mibObjectValueTimeTicks

3171   elementId: TBD
3172   name: mibObjectValueTimeTicks
3173   dataType: unsigned32
3174   status: current
3175   description: An IPFIX Information Element which denotes that the
3176     TimeTicks value of a MIB object will be exported.
3177     The MIB Object Identifier ("mibObjectIdentifier")
3178     for this field MUST be exported in a MIB Field
3179     Option or via another means. This Information
3180     Element is used for MIB objects with the Base
3181     Syntax of TimeTicks. The value is encoded as per
3182     the standard IPFIX Abstract Data Type of unsigned32.

3184 7.163. mibObjectValueUnsigned

3186   elementId: TBD
3187   name: mibObjectValueUnsigned
3188   dataType: unsigned64
3189   status: current
3190   description: An IPFIX Information Element which denotes that an
3191     unsigned integer value of a MIB object will be
3192     exported. The MIB Object Identifier
3193     ("mibObjectIdentifier") for this field MUST be
3194     exported in a MIB Field Option or via another means.
3195     This Information Element is used for MIB objects
3196     with the Base Syntax of unsigned64 with IPFIX
3197     Reduced Size Encoding used as required. The value is
3198     encoded as per the standard IPFIX Abstract Data Type
3199     of unsigned64.

3201 7.164. mibObjectValueTable

3203   elementId: TBD
3204   name: mibObjectValueTable
3205   dataType: orderedList
3206   status: current
3207   description: An IPFIX Information Element which denotes that a
3208     complete or partial conceptual table will be
3209     exported. The MIB Object Identifier
3210     ("mibObjectIdentifier") for this field MUST be
3211     exported in a MIB Field Option or via another means.
3212     This Information Element is used for MIB objects
3213     with a SYNTAX of SEQUENCE. This is encoded as a
3214     subTemplateList of mibObjectValue Information
3215     Elements. The template specified in the
3216     subTemplateList MUST be an Options Template and
3217     MUST include all the Objects listed in the INDEX
3218     clause as Scope Fields.
3219   structure: orderedList(mibObjectValueRow+)

3221 7.165. mibObjectValueRow
3222   elementId: TBD
3223   name: mibObjectValueRow
3224   dataType: orderedList
3225   status: current
3226   description: An IPFIX Information Element which denotes that a
3227     single row of a conceptual table will be exported.
3228     The MIB Object Identifier ("mibObjectIdentifier")
3229     for this field MUST be exported in a MIB Field
3230     Option or via another means. This Information
3231     Element is used for MIB objects with a SYNTAX of
3232     SEQUENCE. This is encoded as a subTemplateList of
3233     mibObjectValue Information Elements. The
3234     subTemplateList exported MUST contain exactly one
3235     row (i.e., one instance of the subtemplate). The
3236     template specified in the subTemplateList MUST be
3237     an Options Template and MUST include all the
3238     Objects listed in the INDEX clause as Scope Fields.
3239   structure: orderedList(mibObjectValue+)

3241 7.166. mibObjectIdentifier

3243   elementId: TBD
3244   name: mibObjectIdentifier
3245   dataType: octetArray
3246   status: current
3247   description: An IPFIX Information Element which denotes that a
3248     MIB Object Identifier (MIB OID) is exported in the
3249     (Options) Template Record. The mibObjectIdentifier
3250     Information Element contains the OID assigned to
3251     the MIB Object Type Definition encoded as
3252     ASN.1/BER [BER].

3254 7.167. mibSubIdentifier

3256   elementId: TBD
3257   name: mibSubIdentifier
3258   dataType: unsigned32
3259   status: current
3260   description: A non-negative sub-identifier of an Object
3261     Identifier (OID).

3263 7.168. mibIndexIndicator
3264   elementId: TBD
3265   name: mibIndexIndicator
3266   dataType: unsigned64
3267   status: current
3268   description: This set of bit fields is used for marking the
3269     Information Elements of a Data Record that serve as
3270     INDEX MIB objects for an indexed Columnar MIB
3271     object. Each bit represents an Information Element
3272     in the Data Record with the n-th bit representing
3273     the n-th Information Element. A bit set to value 1
3274     indicates that the corresponding Information Element
3275     is an index of the Columnar Object represented by
3276     the mibFieldValue. A bit set to value 0 indicates
3277     that this is not the case.

3279     If the Data Record contains more than 64
3280     Information Elements, the corresponding Template
3281     SHOULD be designed such that all INDEX
3282     Fields are among the first 64 Information Elements,
3283     because the mibIndexIndicator only contains 64 bits.
3284     If the Data Record contains less than 64
3285     Information Elements, then the extra bits in the
3286     mibIndexIndicator for which no corresponding
3287     Information Element exists MUST have the value 0,
3288     and must be disregarded by the Collector. This
3289     Information Element may be exported with
3290     IPFIX Reduced Size Encoding.

3292 7.169. mibCaptureTimeSemantics
3293   elementId: TBD
3294   name: mibCaptureTimeSemantics
3295   dataType: unsigned8
3296   status: current
3297   description: Indicates when in the lifetime of the flow the MIB
3298     value was retrieved from the MIB for a
3299     mibObjectIdentifier. This is used to indicate if
3300     the value exported was collected from the MIB
3301     closer to flow creation or flow export time and
3302     will refer to the Timestamp fields included in the
3303     same record. This field SHOULD be used when
3304     exporting a mibObjectValue that specifies counters
3305     or statistics.

3307     If the MIB value was sampled by SNMP prior to the
3308     IPFIX Metering Process or Exporting Process
3309     retrieving the value (i.e., the data is already
3310     stale) and it's important to know the exact sampling
3311     time, then an additional observationTime* element
3312     should be paired with the OID using structured data.
3313     Similarly, if different mibCaptureTimeSemantics
3314     apply to different mibObject elements within the
3315     Data Record, then individual mibCaptureTimeSemantics
3316     should be paired with each OID using structured data.

3318     Values:
3319     0. undefined
3320     1. begin - The value for the MIB object is captured
3321       from the MIB when the Flow is first observed
3322     2. end - The value for the MIB object is captured
3323       from the MIB when the Flow ends
3324     3. export - The value for the MIB object is
3325       captured from the MIB at export time
3326     4. average - The value for the MIB object is an
3327       average of multiple captures from the MIB over the
3328       observed life of the Flow

3330 7.170. mibContextEngineID

3332   elementId: TBD
3333   name: mibContextEngineID
3334   dataType: octetArray
3335   status: current
3336   description: A mibContextEngineID that specifies the SNMP engine
3337     ID for a MIB field being exported over IPFIX.
3338     Definition as per [RFC3411] section 3.3.

3340 7.171. mibContextName

3342   elementId: TBD
3343   name: mibContextName
3344   dataType: string
3345   status: current
3346   description: This Information Element denotes that a MIB Context
3347     Name is specified for a MIB field being exported
3348     over IPFIX. Reference [RFC3411] section 3.3.

3350 7.172. mibObjectName

3352   elementId: TBD
3353   name: mibObjectName
3354   dataType: string
3355   status: current
3356   description: The name (called a descriptor in [RFC2578])
3357     of an object type definition.

3359 7.173. mibObjectDescription

3361   elementId: TBD
3362   name: mibObjectDescription
3363   dataType: string
3364   status: current
3365   description: The value of the DESCRIPTION clause of an MIB object
3366     type definition.

3368 7.174. mibObjectSyntax

3370   elementId: TBD
3371   name: mibObjectSyntax
3372   dataType: string
3373   status: current
3374   description: The value of the SYNTAX clause of an MIB object type
3375     definition, which may include a Textual Convention
3376     or Subtyping. See [RFC2578].

3378 7.175. mibModuleName

3380   elementId: TBD
3381   name: mibModuleName
3382   dataType: string
3383   status: current
3384   description: The textual name of the MIB module that defines a MIB
3385     Object.

3387 7.176. interface

3389   elementId: TBD
3390   name: interface
3391   dataType: list
3392   structure: list (interfaceName, hwAddress, inetAddr, netmask)
3393   status: current
3394   description: Represents an interface and its configuration
3395     options.

3397 7.177. iflisteners

3399   elementId: TBD
3400   name: iflisteners
3401   dataType: list
3402   structure: list (interfaceName, physicalProtocol, hwAddress,
3403     programName, pid, userId)
3404   status: current
3405   description: Stores the results of checking for applications that
3406     are bound to an ethernet interface on the system.

3408 7.178. physicalProtocol

3410   elementId: TBD
3411   name: physicalProtocol
3412   dataType: enumeration
3413   structure:
3414     ETH_P_LOOP ; 0x1 ; Ethernet loopback packet.
3415     ETH_P_PUP ; 0x2 ; Xerox PUP packet.
3416 ETH_P_PUPAT ; 0x3 ; Xerox PUP Address Transport packet. 3417 ETH_P_IP ; 0x4 ; Internet protocol packet. 3418 ETH_P_X25 ; 0x5 ; CCITT X.25 packet. 3419 ETH_P_ARP ; 0x6 ; Address resolution packet. 3420 ETH_P_BPQ ; 0x7 ; G8BPQ AX.25 ethernet packet. 3421 ETH_P_IEEEPUP ; 0x8 ; Xerox IEEE802.3 PUP packet. 3422 ETH_P_IEEEPUPAT ; 0x9 ; Xerox IEEE802.3 PUP address transport 3423 packet. 3424 ETH_P_DEC ; 0xA ; DEC assigned protocol. 3425 ETH_P_DNA_DL ; 0xB ; DEC DNA Dump/Load. 3426 ETH_P_DNA_RC ; 0xC ; DEC DNA Remote Console. 3427 ETH_P_DNA_RT ; 0xD ; DEC DNA Routing. 3428 ETH_P_LAT ; 0xE ; DEC LAT. 3429 ETH_P_DIAG ; 0xF ; DEC Diagnostics. 3430 ETH_P_CUST ; 0x10 ; DEC Customer use. 3431 ETH_P_SCA ; 0x11 ; DEC Systems Comms Arch. 3432 ETH_P_RARP ; 0x12 ; Reverse address resolution packet. 3433 ETH_P_ATALK ; 0x13 ; Appletalk DDP. 3434 ETH_P_AARP ; 0x14 ; Appletalk AARP. 3436 ETH_P_8021Q ; 0x15 ; 802.1Q VLAN Extended Header. 3437 ETH_P_IPX ; 0x16 ; IPX over DIX. 3438 ETH_P_IPV6 ; 0x17 ; IPv6 over bluebook. 3439 ETH_P_SLOW ; 0x18 ; Slow Protocol. See 802.3ad 43B. 3440 ETH_P_WCCP ; 0x19 ; Web-cache coordination protocol. 3441 ETH_P_PPP_DISC ; 0x1A ; PPPoE discovery messages. 3442 ETH_P_PPP_SES ; 0x1B ; PPPoE session messages. 3443 ETH_P_MPLS_UC ; 0x1C ; MPLS Unicast traffic. 3444 ETH_P_MPLS_MC ; 0x1D ; MPLS Multicast traffic. 3445 ETH_P_ATMMPOA ; 0x1E ; MultiProtocol Over ATM. 3446 ETH_P_ATMFATE ; 0x1F ; Frame-based ATM Transport over Ethernet. 3447 ETH_P_AOE ; 0x20 ; ATA over Ethernet. 3448 ETH_P_TIPC ; 0x21 ; TIPC. 3449 ETH_P_802_3 ; 0x22 ; Dummy type for 802.3 frames. 3450 ETH_P_AX25 ; 0x23 ; Dummy protocol id for AX.25. 3451 ETH_P_ALL ; 0x24 ; Every packet. 3452 ETH_P_802_2 ; 0x25 ; 802.2 frames. 3453 ETH_P_SNAP ; 0x26 ; Internal only. 3454 ETH_P_DDCMP ; 0x27 ; DEC DDCMP: Internal only 3455 ETH_P_WAN_PPP ; 0x28 ; Dummy type for WAN PPP frames. 3456 ETH_P_PPP_MP ; 0x29 ; Dummy type for PPP MP frames. 3457 ETH_P_PPPTALK ; 0x2A ; Dummy type for Atalk over PPP. 
3458 ETH_P_LOCALTALK ; 0x2B ; Localtalk pseudo type. 3459 ETH_P_TR_802_2 ; 0x2C ; 802.2 frames. 3460 ETH_P_MOBITEX ; 0x2D ; Mobitex. 3461 ETH_P_CONTROL ; 0x2E ; Card specific control frames. 3462 ETH_P_IRDA ; 0x2F ; Linux-IrDA. 3463 ETH_P_ECONET ; 0x30 ; Acorn Econet. 3464 ETH_P_HDLC ; 0x31 ; HDLC frames. 3465 ETH_P_ARCNET ; 0x32 ; 1A for ArcNet. 3466 ; 0x33 ; The empty string value is permitted here 3467 to allow for detailed error reporting. 3468 status: current 3469 description: The physical layer protocol used by the AF_PACKET 3470 socket. 3472 7.179. hwAddress 3474 elementId: TBD 3475 name: hwAddress 3476 dataType: string 3477 status: current 3478 description: The hardware address associated 3479 with the interface. 3481 7.180. programName 3483 elementId: TBD 3484 name: programName 3485 dataType: string 3486 status: current 3487 description: The name of the communicating 3488 program. 3490 7.181. userId 3492 elementId: TBD 3493 name: userId 3494 dataType: unsigned32 3495 status: current 3496 description: The numeric user id. 3498 7.182. inetlisteningserver 3500 elementId: TBD 3501 name: inetlisteningserver 3502 dataType: list 3503 structure: list (transportProtocol, localAddress, 3504 localPort, localFullAddress, programName, foreignAddress, 3505 foreignPort, foreignFullAddress, pid, userId) 3506 status: current 3507 description: Stores the results of checking for network servers 3508 currently active on a system. It holds information pertaining to 3509 a specific protocol-address-port combination. 3511 7.183. transportProtocol 3513 elementId: TBD 3514 name: transportProtocol 3515 dataType: string 3516 status: current 3517 description: The transport-layer 3518 protocol (tcp or udp). 3520 7.184. localAddress 3522 elementId: TBD 3523 name: localAddress 3524 dataType: ipAddress 3525 status: current 3526 description: This is the IP address being listened to. Note that 3527 the IP address can be IPv4 or IPv6. 3529 7.185. 
localPort 3531 elementId: TBD 3532 name: localPort 3533 dataType: unsigned32 3534 status: current 3535 description: This is the TCP or UDP port 3536 being listened to. 3538 7.186. localFullAddress 3540 elementId: TBD 3541 name: localFullAddress 3542 dataType: string 3543 status: current 3544 description: The IP address and network port on which the program 3545 listens, including the local address and the local port. Note 3546 that the IP address can be IPv4 or IPv6. 3548 7.187. foreignAddress 3550 elementId: TBD 3551 name: foreignAddress 3552 dataType: ipAddress 3553 status: current 3554 description: The IP address with which the program is 3555 communicating, or with which it will communicate. Note that the 3556 IP address can be IPv4 or IPv6. 3558 7.188. foreignFullAddress 3560 elementId: TBD 3561 name: foreignFullAddress 3562 dataType: ipAddress 3563 status: current 3564 description: The IP address and network port to which the program 3565 is communicating or will accept communications from, including 3566 the foreign address and foreign port. Note that the IP address 3567 can be IPv4 or IPv6. 3569 7.189. selinuxboolean 3570 elementId: TBD 3571 name: selinuxboolean 3572 dataType: list 3573 structure: list (selinuxName, currentStatus, 3574 pendingStatus) 3575 status: current 3576 description: Describes the current and pending status of a 3577 SELinux boolean. 3579 7.190. selinuxName 3581 elementId: TBD 3582 name: selinuxName 3583 dataType: string 3584 status: current 3585 description: The name of the SELinux 3586 boolean. 3588 7.191. currentStatus 3590 elementId: TBD 3591 name: currentStatus 3592 dataType: boolean 3593 status: current 3594 description: Indicates current state of 3595 the specified SELinux boolean. 3597 7.192. pendingStatus 3599 elementId: TBD 3600 name: pendingStatus 3601 dataType: boolean 3602 status: current 3603 description: Indicates the pending 3604 state of the specified SELinux boolean. 3606 7.193. 
selinuxsecuritycontext 3608 elementId: TBD 3609 name: selinuxsecuritycontext 3610 dataType: list 3611 structure: list (filepath, path, filename, pid, 3612 username, role, domainType, lowSensitivity, lowCategory, 3613 highSensitivity, highCategory, rawlowSensitivity, 3614 rawlowCategory, rawhighSensitivity, rawhighCategory) 3615 status: current 3616 description: Describes the SELinux security 3617 context of a file or process on the local system. 3619 7.194. filepath 3621 elementId: TBD 3622 name: filepath 3623 dataType: string 3624 status: current 3625 description: Specifies the absolute path for a file on the 3626 machine. A directory cannot be specified as a filepath. 3628 7.195. path 3630 elementId: TBD 3631 name: path 3632 dataType: string 3633 status: current 3634 description: Specifies the directory component of 3635 the absolute path to a file on the machine. 3637 7.196. filename 3639 elementId: TBD 3640 name: filename 3641 dataType: string 3642 status: current 3643 description: The name of the file. 3645 7.197. pid 3647 elementId: TBD 3648 name: pid 3649 dataType: unsigned32 3650 status: current 3651 description: The process ID of the 3652 process. 3654 7.198. role 3656 elementId: TBD 3657 name: role 3658 dataType: string 3659 status: current 3660 description: Specifies the types that a process 3661 may transition to (domain transitions). 3663 7.199. domainType 3665 elementId: TBD 3666 name: domainType 3667 dataType: string 3668 status: current 3669 description: Specifies the domain in which the file is accessible 3670 or the domain in which a process executes. 3672 7.200. lowSensitivity 3674 elementId: TBD 3675 name: lowSensitivity 3676 dataType: string 3677 status: current 3678 description: Specifies the current sensitivity of a file or 3679 process. 3681 7.201. lowCategory 3683 elementId: TBD 3684 name: lowCategory 3685 dataType: string 3686 status: current 3687 description: Specifies the set of 3688 categories associated with the low sensitivity. 
3690 7.202. highSensitivity 3692 elementId: TBD 3693 name: highSensitivity 3694 dataType: string 3695 status: current 3696 description: Specifies the maximum 3697 range for a file or the clearance for a process. 3699 7.203. highCategory 3701 elementId: TBD 3702 name: highCategory 3703 dataType: string 3704 status: current 3705 description: Specifies the set of 3706 categories associated with the high sensitivity. 3708 7.204. rawlowSensitivity 3710 elementId: TBD 3711 name: rawlowSensitivity 3712 dataType: string 3713 status: current 3714 description: Specifies the current sensitivity of a file or 3715 process but in its raw context. 3717 7.205. rawlowCategory 3719 elementId: TBD 3720 name: rawlowCategory 3721 dataType: string 3722 status: current 3723 description: Specifies the set of categories associated with the 3724 low sensitivity but in its raw context. 3726 7.206. rawhighSensitivity 3728 elementId: TBD 3729 name: rawhighSensitivity 3730 dataType: string 3731 status: current 3732 description: Specifies the maximum range for a file or the 3733 clearance for a process but in its raw context. 3735 7.207. rawhighCategory 3737 elementId: TBD 3738 name: rawhighCategory 3739 dataType: string 3740 status: current 3741 description: Specifies the set of categories associated with the 3742 high sensitivity but in its raw context. 3744 7.208. systemdunitdependency 3746 elementId: TBD 3747 name: systemdunitdependency 3748 dataType: list 3749 structure: list (unit, dependency) 3750 status: current 3752 description: Stores the dependencies of the systemd 3753 unit. 3755 7.209. unit 3757 elementId: TBD 3758 name: unit 3759 dataType: string 3760 status: current 3761 description: Refers to the full systemd unit name, which has a 3762 form of "$name.$type". For example "cupsd.service". This name is 3763 usually also the filename of the unit configuration file. 3765 7.210. 
dependency 3767 elementId: TBD 3768 name: dependency 3769 dataType: string 3770 status: current 3771 description: Refers to the name of a unit that was confirmed to 3772 be a dependency of the given unit. 3774 7.211. systemdunitproperty 3776 elementId: TBD 3777 name: systemdunitproperty 3778 dataType: list 3779 structure: list (unit, property, systemdunitValue) 3781 status: current 3782 description: Stores the properties and values of a systemd unit. 3784 7.212. property 3786 elementId: TBD 3787 name: property 3788 dataType: string 3789 status: current 3790 description: The property associated with a 3791 systemd unit. 3793 7.213. systemdunitValue 3795 elementId: TBD 3796 name: systemdunitValue 3797 dataType: string 3798 status: current 3799 description: The value of the property associated with a systemd 3800 unit. Exactly one value shall be used for all property types 3801 except dbus arrays - each array element shall be represented by 3802 one value. 3804 7.214. file 3806 elementId: TBD 3807 name: file 3808 dataType: list 3809 structure: list (filepath, path, filename, fileType, userId, 3810 aTime, cTime, mTime, size) 3811 status: current 3812 description: The metadata associated with a file on the endpoint. 3814 7.215. fileType 3816 elementId: TBD 3817 name: fileType 3818 dataType: string 3819 status: current 3820 description: The file's type (e.g., regular file (regular), 3821 directory, named pipe (fifo), symbolic link, socket or block 3822 special.) 3824 7.216. groupId 3826 elementId: TBD 3827 name: groupId 3828 dataType: unsigned32 3829 status: current 3830 description: The group owner of the file, by 3831 group number. 3833 7.217. aTime 3835 elementId: TBD 3836 name: aTime 3837 dataType: dateTimeSeconds 3838 status: current 3839 description: The time that the file was last 3840 accessed. 3842 7.218. 
cTime 3844 elementId: TBD 3845 name: cTime 3846 dataType: dateTimeSeconds 3847 status: current 3848 description: The time of the last change 3849 to the file's inode. 3851 7.219. mTime 3853 elementId: TBD 3854 name: mTime 3855 dataType: dateTimeSeconds 3856 status: current 3857 description: The time of the last change to 3858 the file's contents. 3860 7.220. size 3862 elementId: TBD 3863 name: size 3864 dataType: unsigned32 3865 status: current 3866 description: This is the size of the file in 3867 bytes. 3869 7.221. suid 3871 elementId: TBD 3872 name: suid 3873 dataType: boolean 3874 status: current 3875 description: Indicates whether the program runs with the uid 3876 (thus privileges) of the file's owner, rather than the calling 3877 user. 3879 7.222. sgid 3881 elementId: TBD 3882 name: sgid 3883 dataType: boolean 3884 status: current 3885 description: Indicates whether the program runs with the gid 3886 (thus privileges) of the file's group owner, rather than the 3887 calling user's group. 3889 7.223. sticky 3891 elementId: TBD 3892 name: sticky 3893 dataType: boolean 3894 status: current 3895 description: Indicates whether users can delete each other's 3896 files in this directory, when said directory is writable by 3897 those users. 3899 7.224. hasExtendedAcl 3901 elementId: TBD 3902 name: hasExtendedAcl 3903 dataType: boolean 3904 status: current 3905 description: Indicates whether the file or directory has ACL 3906 permissions applied to it. If a system supports ACLs and the 3907 file or directory doesn't have an ACL, or it matches the standard 3908 UNIX permissions, the entity will have a status of 'exists' and 3909 a value of 'false'. If the system supports ACLs and the file or 3910 directory has an ACL, the entity will have a status of 'exists' 3911 and a value of 'true'. Lastly, if a system doesn't support ACLs, 3912 the entity will have a status of 'does not exist'. 3914 7.225.
inetd 3916 elementId: TBD 3917 name: inetd 3918 dataType: list 3919 structure: list (serviceProtocol, serviceName, serverProgram, 3920 serverArguments, inetdEndpointType, execAsUser, waitStatus) 3921 status: current 3922 description: Holds information associated 3923 with different Internet services. 3925 7.226. serverProgram 3927 elementId: TBD 3928 name: serverProgram 3929 dataType: string 3930 status: current 3931 description: Either the pathname of a server program to be 3932 invoked by inetd to perform the requested service, or the value 3933 internal if inetd itself provides the service. 3935 7.227. inetdEndpointType 3936 elementId: TBD 3937 name: inetdEndpointType 3938 dataType: enumeration 3939 structure: 3940 stream ; 0x1 ; The stream value is used to describe a stream 3941 socket. 3942 dgram ; 0x2 ; The dgram value is used to describe a datagram 3943 socket. 3944 raw ; 0x3 ; The raw value is used to describe a raw socket. 3945 seqpacket ; 0x4 ; The seqpacket value is used to describe a 3946 sequenced packet socket. 3947 tli ; 0x5 ; The tli value is used to describe all TLI endpoints. 3948 sunrpc_tcp ; 0x6 ; The sunrpc_tcp value is used to describe all 3949 SUNRPC TCP endpoints. 3950 sunrpc_udp ; 0x7 ; The sunrpc_udp value is used to describe all 3951 SUNRPC UDP endpoints. 3952 ; 0x8 ; The empty string value is permitted here to allow for 3953 detailed error reporting. 3954 status: current 3955 description: The endpoint type (aka, socket type) associated with 3956 the service. 3958 7.228. execAsUser 3960 elementId: TBD 3961 name: execAsUser 3962 dataType: string 3963 status: current 3964 description: The user id of the user the 3965 server program should run under. 3967 7.229. 
waitStatus 3968 elementId: TBD 3969 name: waitStatus 3970 dataType: enumeration 3971 structure: wait ; 0x1 ; The value of 'wait' specifies that the 3972 server that is invoked by inetd will take over the listening 3973 socket associated with the service, and once launched, inetd will 3974 wait for that server to exit, if ever, before it resumes 3975 listening for new service requests. 3977 nowait ; 0x2 ; The value of 'nowait' specifies that the server 3978 that is invoked by inetd will not wait for any existing server 3979 to finish before taking over the listening socket associated with 3980 the service. 3982 ; 0x3 ; The empty string value is permitted here to allow for 3983 detailed error reporting. 3984 status: current 3985 description: Specifies whether the server that is invoked by 3986 inetd will take over the listening socket associated with the 3987 service, and whether once launched, inetd will wait for that 3988 server to exit, if ever, before it resumes listening for new 3989 service requests. The legal values are "wait" or "nowait". 3991 7.230. inetAddr 3993 elementId: TBD 3994 name: inetAddr 3995 dataType: ipAddress 3996 status: current 3997 description: The IP address of the specific interface. Note that 3998 the IP address can be IPv4 or IPv6. 4000 7.231. netmask 4002 elementId: TBD 4003 name: netmask 4004 dataType: ipAddress 4005 status: current 4006 description: The bitmask used to calculate 4007 the interface's IP network. 4009 7.232. passwordInfo 4010 elementId: TBD 4011 name: passwordInfo 4012 dataType: list 4013 structure: list (username, password, userId, groupId, gcos, 4014 homeDir, loginShell, lastLogin) 4015 status: current 4016 description: Describes user account information for a 4017 system. 4019 7.233. username 4021 elementId: TBD 4022 name: username 4023 dataType: string 4024 status: current 4025 description: The name of the user. 4027 7.234. 
password 4029 elementId: TBD 4030 name: password 4031 dataType: string 4032 status: current 4033 description: The encrypted version of the 4034 user's password. 4036 7.235. gcos 4038 elementId: TBD 4039 name: gcos 4040 dataType: string 4041 status: current 4042 description: 4044 7.236. homeDir 4046 elementId: TBD 4047 name: homeDir 4048 dataType: string 4049 status: current 4050 description: The user's home 4051 directory. 4053 7.237. loginShell 4054 elementId: TBD 4055 name: loginShell 4056 dataType: string 4057 status: current 4058 description: The user's shell 4059 program. 4061 7.238. lastLogin 4063 elementId: TBD 4064 name: lastLogin 4065 dataType: unsigned32 4066 status: current 4067 description: The date and time when the 4068 last login occurred. 4070 7.239. process 4072 elementId: TBD 4073 name: process 4074 dataType: list 4075 structure: list (commandLine, pid, ppid, priority, startTime) 4077 status: current 4078 description: Information about a process running on an endpoint. 4080 7.240. commandLine 4082 elementId: TBD 4083 name: commandLine 4084 dataType: string 4085 status: current 4086 description: The string used to start the 4087 process. This includes any parameters that are part of the 4088 command line. 4090 7.241. ppid 4092 elementId: TBD 4093 name: ppid 4094 dataType: unsigned32 4095 status: current 4096 description: The process ID of the process's 4097 parent process. 4099 7.242. priority 4101 elementId: TBD 4102 name: priority 4103 dataType: unsigned32 4104 status: current 4105 description: The scheduling priority with 4106 which the process runs. 4108 7.243. startTime 4110 elementId: TBD 4111 name: startTime 4112 dataType: string 4113 status: current 4114 description: The time of day the process 4115 started. 4117 7.244. 
routingtable 4119 elementId: TBD 4120 name: routingtable 4121 dataType: list 4122 structure: list (destination, gateway, flags, 4123 interfaceName) 4124 status: current 4125 description: Holds information about an individual routing table 4126 entry found in a system's primary routing table. 4128 7.245. destination 4130 elementId: TBD 4131 name: destination 4132 dataType: ipAddress 4133 status: current 4134 description: The destination IP address 4135 prefix of the routing table entry. 4137 7.246. gateway 4139 elementId: TBD 4140 name: gateway 4141 dataType: ipAddress 4142 status: current 4143 description: The gateway of the specified 4144 routing table entry. 4146 7.247. runlevelInfo 4148 elementId: TBD 4149 name: runlevelInfo 4150 dataType: list 4151 structure: list (serviceName, runlevel, start, kill) 4153 status: current 4154 description: Information about the start or kill state of a 4155 specified service at a given runlevel. 4157 7.248. runlevel 4159 elementId: TBD 4160 name: runlevel 4161 dataType: string 4162 status: current 4163 description: Specifies the system runlevel 4164 associated with a service. 4166 7.249. start 4168 elementId: TBD 4169 name: start 4170 dataType: boolean 4171 status: current 4172 description: Specifies whether the service is 4173 scheduled to start at the runlevel. 4175 7.250. kill 4177 elementId: TBD 4178 name: kill 4179 dataType: boolean 4180 status: current 4181 description: Specifies whether the service is 4182 scheduled to be killed at the runlevel. 4184 7.251. shadowItem 4186 elementId: TBD 4187 name: shadowItem 4188 dataType: list 4189 structure: list (username, password, chgLst, chgAllow, 4190 chgReq, expWarn, expInact, expDate, flags, encryptMethod) 4191 status: current 4192 description: 4194 7.252. chgLst 4196 elementId: TBD 4197 name: chgLst 4198 dataType: dateTimeSeconds 4199 status: current 4200 description: The date of the last password 4201 change. 4203 7.253. 
chgAllow 4205 elementId: TBD 4206 name: chgAllow 4207 dataType: unsigned32 4208 status: current 4209 description: Specifies how often in days a 4210 user may change their password. It can also be thought of 4211 as the minimum age of a password. 4213 7.254. chgReq 4215 elementId: TBD 4216 name: chgReq 4217 dataType: unsigned32 4218 status: current 4219 description: Describes how long a user can 4220 keep a password before the system forces her to change it. 4222 7.255. expWarn 4224 elementId: TBD 4225 name: expWarn 4226 dataType: unsigned32 4227 status: current 4228 description: Describes how long before 4229 password expiration the system begins warning the user. 4231 7.256. expInact 4233 elementId: TBD 4234 name: expInact 4235 dataType: unsigned32 4236 status: current 4237 description: Describes how many days of 4238 account inactivity the system will wait after a password 4239 expires before locking the account. 4241 7.257. expDate 4243 elementId: TBD 4244 name: expDate 4245 dataType: dateTimeSeconds 4246 status: current 4247 description: Specifies when the 4248 account's password will expire. 4250 7.258. encryptMethod 4252 elementId: TBD 4253 name: encryptMethod 4254 dataType: enumeration 4255 structure: DES ; 0x1 ; The DES method corresponds to the (none) 4256 prefix. 4257 BSDi ; 0x2 ; The BSDi method corresponds to BSDi modified 4258 DES or the '_' prefix. 4259 MD5 ; 0x3 ; The MD5 method corresponds to MD5 for Linux/BSD 4260 or the $1$ prefix. 4261 Blowfish ; 0x4 ; The Blowfish method corresponds to Blowfish 4262 (OpenBSD) or the $2$ or $2a$ prefixes. 4263 Sun MD5 ; 0x5 ; The Sun MD5 method corresponds to the $md5$ 4264 prefix. 4265 SHA-256 ; 0x6 ; The SHA-256 method corresponds to the $5$ 4266 prefix. 4267 SHA-512 ; 0x7 ; The SHA-512 method corresponds to the $6$ 4268 prefix. ; 0x8 ; The empty string value is permitted here to 4269 allow for empty elements associated with variable references.
4270 status: current 4271 description: Describes the method that is used for hashing 4272 passwords. 4274 7.259. symlink 4276 elementId: TBD 4277 name: symlink 4278 dataType: list 4279 structure: list (symlinkFilepath, canonicalPath) 4280 status: current 4282 description: Identifies the result generated for a symlink. 4284 7.260. symlinkFilepath 4285 elementId: TBD 4286 name: symlinkFilepath 4287 dataType: string 4288 status: current 4289 description: Specifies the filepath to 4290 the subject symbolic link file. 4292 7.261. canonicalPath 4294 elementId: TBD 4295 name: canonicalPath 4296 dataType: string 4297 status: current 4298 description: Specifies the canonical 4299 path for the target of the symbolic link file specified by 4300 the filepath. 4302 7.262. sysctl 4304 elementId: TBD 4305 name: sysctl 4306 dataType: list 4307 structure: list (kernelParameterName, kernelParameterValue+, 4308 uname, machineClass, nodeName, osName, osRelease, 4309 osVersion, processorType) 4310 status: current 4311 description: Stores 4312 information retrieved from the local system about a kernel 4313 parameter and its respective value(s). 4315 7.263. kernelParameterName 4317 elementId: TBD 4318 name: kernelParameterName 4319 dataType: string 4320 status: current 4321 description: The name of a kernel 4322 parameter that was collected from the local system. 4324 7.264. kernelParameterValue 4326 elementId: TBD 4327 name: kernelParameterValue 4328 dataType: string 4329 status: current 4330 description: The current value(s) 4331 for the specified kernel parameter on the local system. 4333 7.265. uname 4335 elementId: TBD 4336 name: uname 4337 dataType: list 4338 structure: list (machineClass, nodeName, osName, osRelease, 4339 osVersion, processorType) 4340 status: current 4341 description: Information about the hardware the machine is running 4342 on. 4344 7.266.
machineClass 4346 elementId: TBD 4347 name: machineClass 4348 dataType: string 4349 status: current 4350 description: Specifies the machine 4351 hardware name. 4353 7.267. nodeName 4355 elementId: TBD 4356 name: nodeName 4357 dataType: string 4358 status: current 4359 description: Specifies the host 4360 name. 4362 7.268. osName 4364 elementId: TBD 4365 name: osName 4366 dataType: string 4367 status: current 4368 description: Specifies the operating system 4369 name. 4371 7.269. osRelease 4373 elementId: TBD 4374 name: osRelease 4375 dataType: string 4376 status: current 4377 description: Specifies the build 4378 version. 4380 7.270. processorType 4382 elementId: TBD 4383 name: processorType 4384 dataType: string 4385 status: current 4386 description: Specifies the processor 4387 type. 4389 7.271. internetService 4391 elementId: TBD 4392 name: internetService 4393 dataType: list 4394 structure: list (serviceProtocol, serviceName, flags, 4395 noAccess, onlyFrom, port, server, serverArguments, 4396 socketType, registeredServiceType, user, wait, disabled) 4398 status: current 4399 description: Holds information associated with Internet services. 4401 7.272. serviceProtocol 4403 elementId: TBD 4404 name: serviceProtocol 4405 dataType: string 4406 status: current 4407 description: Specifies the protocol 4408 that is used by the service. 4410 7.273. serviceName 4412 elementId: TBD 4413 name: serviceName 4414 dataType: string 4415 status: current 4416 description: Specifies the name of the 4417 service. 4419 7.274. flags 4421 elementId: TBD 4422 name: flags 4423 dataType: string 4424 status: current 4425 description: Specifies miscellaneous settings 4426 associated with the service with executing a program. 4428 7.275. noAccess 4430 elementId: TBD 4431 name: noAccess 4432 dataType: string 4433 status: current 4434 description: Specifies the remote hosts to 4435 which the service is unavailable. 4437 7.276. 
onlyFrom 4439 elementId: TBD 4440 name: onlyFrom 4441 dataType: ipAddress 4442 status: current 4443 description: Specifies the remote hosts to 4444 which the service is available. 4446 7.277. port 4448 elementId: TBD 4449 name: port 4450 dataType: unsigned32 4451 status: current 4452 description: The port entity specifies the port 4453 used by the service. 4455 7.278. server 4457 elementId: TBD 4458 name: server 4459 dataType: string 4460 status: current 4461 description: Specifies the executable that is 4462 used to launch the service. 4464 7.279. serverArguments 4466 elementId: TBD 4467 name: serverArguments 4468 dataType: string 4469 status: current 4470 description: Specifies the arguments 4471 that are passed to the executable when launching the service. 4473 7.280. socketType 4475 elementId: TBD 4476 name: socketType 4477 dataType: string 4478 status: current 4479 description: Specifies the type of socket 4480 that is used by the service. Possible values include: stream, 4481 dgram, raw, or seqpacket. 4483 7.281. registeredServiceType 4485 elementId: TBD 4486 name: registeredServiceType 4487 dataType: enumeration 4488 structure: INTERNAL ; 0x1 ; The INTERNAL type is used to describe 4489 services like echo, chargen, and others whose functionality is 4490 supplied by xinetd itself. 4491 RPC ; 0x2 ; The RPC type is used to describe services that 4492 use remote procedure call ala NFS. 4493 UNLISTED ; 0x3 ; The UNLISTED type is used to describe 4494 services that aren't listed in /etc/protocols or /etc/rpc. 4495 TCPMUX ; 0x4 ; The TCPMUX type is used to describe services 4496 that conform to RFC 1078. This type indicates that the service 4497 is responsible for handling the protocol handshake. 4498 TCPMUXPLUS ; 0x5 ; The TCPMUXPLUS type is used to describe 4499 services that conform to RFC 1078. This type indicates that 4500 xinetd is responsible for handling the protocol 4501 handshake.
4502 ; 0x6 ; The empty string value is permitted here to allow 4503 for detailed error reporting. 4504 status: current 4506 description: Specifies the type of internet service. 4508 7.282. wait 4510 elementId: TBD 4511 name: wait 4512 dataType: boolean 4513 status: current 4514 description: Specifies whether or not the service is single-threaded 4515 or multi-threaded and whether or not xinetd accepts the connection 4516 or the service accepts the connection. A value of 'true' indicates 4517 that the service is single-threaded and the service will accept the 4518 connection. A value of 'false' indicates that the service is multi- 4519 threaded and xinetd will accept the connection. 4521 7.283. disabled 4523 elementId: TBD 4524 name: disabled 4525 dataType: boolean 4526 status: current 4527 description: Specifies whether or not the 4528 service is disabled. A value of 'true' indicates that the 4529 service is disabled and will not start. A value of 4530 'false' indicates that the service is not disabled. 4532 7.284. windowsView 4534 elementId: TBD 4535 name: windowsView 4536 dataType: enumeration 4537 structure: 32_bit ; 0x1 ; Indicates the 32_bit windows view. 4538 64_bit ; 0x2 ; Indicates the 64_bit windows view. 4539 ; 0x3 ; The empty string value is permitted here to allow for 4540 empty elements associated with error conditions. 4541 status: current 4542 description: Indicates from which 4543 view (32-bit or 64-bit), the information was collected. 4544 A value of '32_bit' indicates the Item was collected from 4545 the 32-bit view. A value of '64-bit' indicates the Item 4546 was collected from the 64-bit view. 4548 7.285. 
fileauditedpermissions 4550 elementId: TBD 4551 name: fileauditedpermissions 4552 dataType: list 4553 structure: list (filepath, path, filename, 4554 trusteeSid, trusteeName, auditStandardDelete, 4555 auditStandardReadControl, auditStandardWriteDac, 4556 auditStandardWriteOwner, auditStandardSynchronize, 4557 auditAccessSystemSecurity, auditGenericRead, auditGenericWrite, 4558 auditGenericExecute, auditGenericAll, auditFileReadData, 4559 auditFileWriteData, auditFileAppendData, auditFileReadEa, 4560 auditFileWriteEa, auditFileExecute, auditFileDeleteChild, 4561 auditFileReadAttributes, auditFileWriteAttributes, 4562 windowsView) 4563 status: current 4564 description: Stores the audited access rights of a file that a 4565 system access control list (SACL) structure grants to a specified 4566 trustee. The trustee's audited access rights are determined checking 4567 all access control entries (ACEs) in the SACL. 4569 7.286. trusteeName 4571 elementId: TBD 4572 name: trusteeName 4573 dataType: string 4574 status: current 4575 description: Specifies the trustee name. A 4576 trustee can be a user, group, or program (such as a Windows 4577 service). 4579 7.287. auditStandardDelete 4581 elementId: TBD 4582 name: auditStandardDelete 4583 dataType: enumeration 4584 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4585 used to perform audits on all unsuccessful occurrences of 4586 specified events when auditing is enabled. 4587 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4588 all auditing options for the specified events. 4589 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4590 perform audits on all successful occurrences of the specified 4591 events when auditing is enabled. 4592 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4593 is used to perform audits on all successful and unsuccessful 4594 occurrences of the specified events when auditing is enabled. 
4595 ; 0x5 ; The empty string value is permitted here to allow for 4596 detailed error reporting. 4597 status: current 4598 description: The right to delete the object. 4600 7.288. auditStandardReadControl 4601 elementId: TBD 4602 name: auditStandardReadControl 4603 dataType: enumeration 4604 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4605 used to perform audits on all unsuccessful occurrences of 4606 specified events when auditing is enabled. 4607 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4608 all auditing options for the specified events. 4609 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4610 perform audits on all successful occurrences of the specified 4611 events when auditing is enabled. 4612 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4613 is used to perform audits on all successful and unsuccessful 4614 occurrences of the specified events when auditing is enabled. 4615 ; 0x5 ; The empty string value is permitted here to allow for 4616 detailed error reporting. 4617 status: current 4618 description: The right to read the information in the object's 4619 security descriptor, not including the information in the SACL. 4621 7.289. auditStandardWriteDac 4623 elementId: TBD 4624 name: auditStandardWriteDac 4625 dataType: enumeration 4626 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4627 used to perform audits on all unsuccessful occurrences of 4628 specified events when auditing is enabled. 4629 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4630 all auditing options for the specified events. 4631 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4632 perform audits on all successful occurrences of the specified 4633 events when auditing is enabled. 
4634 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4635 is used to perform audits on all successful and unsuccessful 4636 occurrences of the specified events when auditing is enabled. 4637 ; 0x5 ; The empty string value is permitted here to allow for 4638 detailed error reporting. 4639 status: current 4640 description: The right to modify the DACL in the object's security 4641 descriptor. 4643 7.290. auditStandardWriteOwner 4644 elementId: TBD 4645 name: auditStandardWriteOwner 4646 dataType: enumeration 4647 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4648 used to perform audits on all unsuccessful occurrences of 4649 specified events when auditing is enabled. 4650 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4651 all auditing options for the specified events. 4652 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4653 perform audits on all successful occurrences of the specified 4654 events when auditing is enabled. 4655 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4656 is used to perform audits on all successful and unsuccessful 4657 occurrences of the specified events when auditing is enabled. 4658 ; 0x5 ; The empty string value is permitted here to allow for 4659 detailed error reporting. 4660 status: current 4661 description: The right to change the owner in the object's security 4662 descriptor. 4664 7.291. auditStandardSynchronize 4666 elementId: TBD 4667 name: auditStandardSynchronize 4668 dataType: enumeration 4669 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4670 used to perform audits on all unsuccessful occurrences of 4671 specified events when auditing is enabled. 4672 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4673 all auditing options for the specified events. 
4674 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4675 perform audits on all successful occurrences of the specified 4676 events when auditing is enabled. 4677 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4678 is used to perform audits on all successful and unsuccessful 4679 occurrences of the specified events when auditing is enabled. 4680 ; 0x5 ; The empty string value is permitted here to allow for 4681 detailed error reporting. 4682 status: current 4683 description: The right to use the object for synchronization. 4684 This enables a thread to wait until the object is in the signaled 4685 state. Some object types do not support this access right. 4687 7.292. auditAccessSystemSecurity 4688 elementId: TBD 4689 name: auditAccessSystemSecurity 4690 dataType: enumeration 4691 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4692 used to perform audits on all unsuccessful occurrences of 4693 specified events when auditing is enabled. 4694 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4695 all auditing options for the specified events. 4696 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4697 perform audits on all successful occurrences of the specified 4698 events when auditing is enabled. 4699 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4700 is used to perform audits on all successful and unsuccessful 4701 occurrences of the specified events when auditing is enabled. 4702 ; 0x5 ; The empty string value is permitted here to allow for 4703 detailed error reporting. 4704 status: current 4705 description: Indicates access to a system access control list (SACL). 4707 7.293. auditGenericRead 4709 elementId: TBD 4710 name: auditGenericRead 4711 dataType: enumeration 4712 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4713 used to perform audits on all unsuccessful occurrences of 4714 specified events when auditing is enabled. 
4715 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4716 all auditing options for the specified events. 4717 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4718 perform audits on all successful occurrences of the specified 4719 events when auditing is enabled. 4720 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4721 is used to perform audits on all successful and unsuccessful 4722 occurrences of the specified events when auditing is enabled. 4723 ; 0x5 ; The empty string value is permitted here to allow for 4724 detailed error reporting. 4725 status: current 4726 description: Read access. 4728 7.294. auditGenericWrite 4729 elementId: TBD 4730 name: auditGenericWrite 4731 dataType: enumeration 4732 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4733 used to perform audits on all unsuccessful occurrences of 4734 specified events when auditing is enabled. 4735 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4736 all auditing options for the specified events. 4737 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4738 perform audits on all successful occurrences of the specified 4739 events when auditing is enabled. 4740 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4741 is used to perform audits on all successful and unsuccessful 4742 occurrences of the specified events when auditing is enabled. 4743 ; 0x5 ; The empty string value is permitted here to allow for 4744 detailed error reporting. 4745 status: current 4746 description: Write access. 4748 7.295. auditGenericExecute 4750 elementId: TBD 4751 name: auditGenericExecute 4752 dataType: enumeration 4753 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4754 used to perform audits on all unsuccessful occurrences of 4755 specified events when auditing is enabled. 4756 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4757 all auditing options for the specified events. 
4758 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4759 perform audits on all successful occurrences of the specified 4760 events when auditing is enabled. 4761 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4762 is used to perform audits on all successful and unsuccessful 4763 occurrences of the specified events when auditing is enabled. 4764 ; 0x5 ; The empty string value is permitted here to allow for 4765 detailed error reporting. 4766 status: current 4767 description: Execute access. 4769 7.296. auditGenericAll 4770 elementId: TBD 4771 name: auditGenericAll 4772 dataType: enumeration 4773 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4774 used to perform audits on all unsuccessful occurrences of 4775 specified events when auditing is enabled. 4776 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4777 all auditing options for the specified events. 4778 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4779 perform audits on all successful occurrences of the specified 4780 events when auditing is enabled. 4781 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4782 is used to perform audits on all successful and unsuccessful 4783 occurrences of the specified events when auditing is enabled. 4784 ; 0x5 ; The empty string value is permitted here to allow for 4785 detailed error reporting. 4786 status: current 4787 description: Read, write, and execute access. 4789 7.297. auditFileReadData 4791 elementId: TBD 4792 name: auditFileReadData 4793 dataType: enumeration 4794 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4795 used to perform audits on all unsuccessful occurrences of 4796 specified events when auditing is enabled. 4797 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4798 all auditing options for the specified events. 
4799 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4800 perform audits on all successful occurrences of the specified 4801 events when auditing is enabled. 4802 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4803 is used to perform audits on all successful and unsuccessful 4804 occurrences of the specified events when auditing is enabled. 4805 ; 0x5 ; The empty string value is permitted here to allow for 4806 detailed error reporting. 4807 status: current 4808 description: Grants the right to read data from the file. 4810 7.298. auditFileWriteData 4811 elementId: TBD 4812 name: auditFileWriteData 4813 dataType: enumeration 4814 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4815 used to perform audits on all unsuccessful occurrences of 4816 specified events when auditing is enabled. 4817 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4818 all auditing options for the specified events. 4819 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4820 perform audits on all successful occurrences of the specified 4821 events when auditing is enabled. 4822 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4823 is used to perform audits on all successful and unsuccessful 4824 occurrences of the specified events when auditing is enabled. 4825 ; 0x5 ; The empty string value is permitted here to allow for 4826 detailed error reporting. 4827 status: current 4828 description: Grants the right to write data to the file. 4830 7.299. auditFileAppendData 4832 elementId: TBD 4833 name: auditFileAppendData 4834 dataType: enumeration 4835 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4836 used to perform audits on all unsuccessful occurrences of 4837 specified events when auditing is enabled. 4838 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4839 all auditing options for the specified events. 
4840 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4841 perform audits on all successful occurrences of the specified 4842 events when auditing is enabled. 4843 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4844 is used to perform audits on all successful and unsuccessful 4845 occurrences of the specified events when auditing is enabled. 4846 ; 0x5 ; The empty string value is permitted here to allow for 4847 detailed error reporting. 4848 status: current 4849 description: Grants the right to append data to the file. 4851 7.300. auditFileReadEa 4852 elementId: TBD 4853 name: auditFileReadEa 4854 dataType: enumeration 4855 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4856 used to perform audits on all unsuccessful occurrences of 4857 specified events when auditing is enabled. 4858 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4859 all auditing options for the specified events. 4860 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4861 perform audits on all successful occurrences of the specified 4862 events when auditing is enabled. 4863 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4864 is used to perform audits on all successful and unsuccessful 4865 occurrences of the specified events when auditing is enabled. 4866 ; 0x5 ; The empty string value is permitted here to allow for 4867 detailed error reporting. 4868 status: current 4869 description: Grants the right to read extended attributes. 4871 7.301. auditFileWriteEa 4873 elementId: TBD 4874 name: auditFileWriteEa 4875 dataType: enumeration 4876 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4877 used to perform audits on all unsuccessful occurrences of 4878 specified events when auditing is enabled. 4879 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4880 all auditing options for the specified events. 
4881 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4882 perform audits on all successful occurrences of the specified 4883 events when auditing is enabled. 4884 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4885 is used to perform audits on all successful and unsuccessful 4886 occurrences of the specified events when auditing is enabled. 4887 ; 0x5 ; The empty string value is permitted here to allow for 4888 detailed error reporting. 4889 status: current 4890 description: Grants the right to write extended attributes. 4892 7.302. auditFileExecute 4893 elementId: TBD 4894 name: auditFileExecute 4895 dataType: enumeration 4896 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4897 used to perform audits on all unsuccessful occurrences of 4898 specified events when auditing is enabled. 4899 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4900 all auditing options for the specified events. 4901 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4902 perform audits on all successful occurrences of the specified 4903 events when auditing is enabled. 4904 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4905 is used to perform audits on all successful and unsuccessful 4906 occurrences of the specified events when auditing is enabled. 4907 ; 0x5 ; The empty string value is permitted here to allow for 4908 detailed error reporting. 4909 status: current 4910 description: Grants the right to execute a file. 4912 7.303. auditFileDeleteChild 4914 elementId: TBD 4915 name: auditFileDeleteChild 4916 dataType: enumeration 4917 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4918 used to perform audits on all unsuccessful occurrences of 4919 specified events when auditing is enabled. 4920 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4921 all auditing options for the specified events. 
4922 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4923 perform audits on all successful occurrences of the specified 4924 events when auditing is enabled. 4925 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4926 is used to perform audits on all successful and unsuccessful 4927 occurrences of the specified events when auditing is enabled. 4928 ; 0x5 ; The empty string value is permitted here to allow for 4929 detailed error reporting. 4930 status: current 4931 description: Right to delete a directory and all the files it 4932 contains (its children), even if the files are read-only. 4934 7.304. auditFileReadAttributes 4935 elementId: TBD 4936 name: auditFileReadAttributes 4937 dataType: enumeration 4938 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4939 used to perform audits on all unsuccessful occurrences of 4940 specified events when auditing is enabled. 4941 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4942 all auditing options for the specified events. 4943 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4944 perform audits on all successful occurrences of the specified 4945 events when auditing is enabled. 4946 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4947 is used to perform audits on all successful and unsuccessful 4948 occurrences of the specified events when auditing is enabled. 4949 ; 0x5 ; The empty string value is permitted here to allow for 4950 detailed error reporting. 4951 status: current 4952 description: Grants the right to read file attributes. 4954 7.305. auditFileWriteAttributes 4956 elementId: TBD 4957 name: auditFileWriteAttributes 4958 dataType: enumeration 4959 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 4960 used to perform audits on all unsuccessful occurrences of 4961 specified events when auditing is enabled. 
4962 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 4963 all auditing options for the specified events. 4964 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 4965 perform audits on all successful occurrences of the specified 4966 events when auditing is enabled. 4967 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 4968 is used to perform audits on all successful and unsuccessful 4969 occurrences of the specified events when auditing is enabled. 4970 ; 0x5 ; The empty string value is permitted here to allow for 4971 detailed error reporting. 4972 status: current 4973 description: Grants the right to change file attributes. 4975 7.306. fileeffectiverights 4976 elementId: TBD 4977 name: fileeffectiverights 4978 dataType: list 4979 structure: list (filepath, path, filename, 4980 trusteeSid, trusteeName, standardDelete, standardReadControl, 4981 standardWriteDac, standardWriteOwner, 4982 standardSynchronize, accessSystemSecurity, genericRead, 4983 genericWrite, genericExecute, genericAll, fileReadData, 4984 fileWriteData, fileAppendData, fileReadEa, fileWriteEa, 4985 fileExecute, fileDeleteChild, fileReadAttributes, 4986 fileWriteAttributes, windowsView) 4987 status: current 4988 description: Stores the effective rights of a file that a 4989 discretionary access control list (DACL) structure grants 4990 to a specified trustee. The trustee's effective rights 4991 are determined by checking all access-allowed and access-denied 4992 access control entries (ACEs) in the DACL. 4994 7.307. standardDelete 4996 elementId: TBD 4997 name: standardDelete 4998 dataType: boolean 4999 status: current 5000 description: The right to delete the 5001 object. 5003 7.308. standardReadControl 5005 elementId: TBD 5006 name: standardReadControl 5007 dataType: boolean 5008 status: current 5009 description: The right to read 5010 the information in the object's security descriptor, not 5011 including the information in the SACL. 5013 7.309. 
standardWriteDac 5015 elementId: TBD 5016 name: standardWriteDac 5017 dataType: boolean 5018 status: current 5019 description: The right to modify the 5020 DACL in the object's security descriptor. 5022 7.310. standardWriteOwner 5024 elementId: TBD 5025 name: standardWriteOwner 5026 dataType: boolean 5027 status: current 5028 description: The right to change 5029 the owner in the object's security descriptor. 5031 7.311. standardSynchronize 5033 elementId: TBD 5034 name: standardSynchronize 5035 dataType: boolean 5036 status: current 5037 description: The right to use the 5038 object for synchronization. This enables a thread to wait 5039 until the object is in the signaled state. Some object 5040 types do not support this access right. 5042 7.312. accessSystemSecurity 5044 elementId: TBD 5045 name: accessSystemSecurity 5046 dataType: boolean 5047 status: current 5048 description: Indicates access to 5049 a system access control list (SACL). 5051 7.313. genericRead 5053 elementId: TBD 5054 name: genericRead 5055 dataType: boolean 5056 status: current 5057 description: Read access. 5059 7.314. genericWrite 5061 elementId: TBD 5062 name: genericWrite 5063 dataType: boolean 5064 status: current 5065 description: Write access. 5067 7.315. genericExecute 5069 elementId: TBD 5070 name: genericExecute 5071 dataType: boolean 5072 status: current 5073 description: Execute access. 5075 7.316. genericAll 5077 elementId: TBD 5078 name: genericAll 5079 dataType: boolean 5080 status: current 5081 description: Read, write, and execute 5082 access. 5084 7.317. fileReadData 5086 elementId: TBD 5087 name: fileReadData 5088 dataType: boolean 5089 status: current 5090 description: Grants the right to read 5091 data from the file. 5093 7.318. fileWriteData 5095 elementId: TBD 5096 name: fileWriteData 5097 dataType: boolean 5098 status: current 5099 description: Grants the right to write 5100 data to the file. 5102 7.319. 
fileAppendData 5104 elementId: TBD 5105 name: fileAppendData 5106 dataType: boolean 5107 status: current 5108 description: Grants the right to 5109 append data to the file. 5111 7.320. fileReadEa 5113 elementId: TBD 5114 name: fileReadEa 5115 dataType: boolean 5116 status: current 5117 description: Grants the right to read 5118 extended attributes. 5120 7.321. fileWriteEa 5122 elementId: TBD 5123 name: fileWriteEa 5124 dataType: boolean 5125 status: current 5126 description: Grants the right to write 5127 extended attributes. 5129 7.322. fileExecute 5131 elementId: TBD 5132 name: fileExecute 5133 dataType: boolean 5134 status: current 5135 description: Grants the right to execute 5136 a file. 5138 7.323. fileDeleteChild 5140 elementId: TBD 5141 name: fileDeleteChild 5142 dataType: boolean 5143 status: current 5144 description: Right to delete a 5145 directory and all the files it contains (its children), 5146 even if the files are read-only. 5148 7.324. fileReadAttributes 5150 elementId: TBD 5151 name: fileReadAttributes 5152 dataType: boolean 5153 status: current 5154 description: Grants the right to 5155 read file attributes. 5157 7.325. fileWriteAttributes 5159 elementId: TBD 5160 name: fileWriteAttributes 5161 dataType: boolean 5162 status: current 5163 description: Grants the right to 5164 change file attributes. 5166 7.326. groupInfo 5168 elementId: TBD 5169 name: groupInfo 5170 dataType: list 5171 structure: list (group, username, subgroup) 5172 status: current 5173 description: Specifies the different users and subgroups that 5174 directly belong to specific groups. 5176 7.327. group 5178 elementId: TBD 5179 name: group 5180 dataType: string 5181 status: current 5182 description: Represents the name of a particular 5183 group. 5185 7.328. subgroup 5187 elementId: TBD 5188 name: subgroup 5189 dataType: string 5190 status: current 5191 description: Represents the name of a 5192 particular subgroup in the specified group. 5194 7.329. 
groupSidInfo 5196 elementId: TBD 5197 name: groupSidInfo 5198 dataType: list 5199 structure: list (groupSid, userSid, subgroupSid) 5200 status: current 5201 description: Specifies the different users and subgroups that 5202 directly belong to specific groups 5203 (identified by SID). 5205 7.330. userSidInfo 5207 elementId: TBD 5208 name: userSidInfo 5209 dataType: list 5210 structure: list (userSid, enabled, groupSid, lastLogon) 5212 status: current 5213 description: Specifies the different groups (identified by SID) 5214 that a user belongs to. 5216 7.331. userSid 5218 elementId: TBD 5219 name: userSid 5220 dataType: string 5221 status: current 5222 description: Represents the SID of a 5223 particular user. 5225 7.332. subgroupSid 5227 elementId: TBD 5228 name: subgroupSid 5229 dataType: string 5230 status: current 5231 description: Represents the SID of a 5232 particular subgroup. 5234 7.333. lockoutpolicy 5236 elementId: TBD 5237 name: lockoutpolicy 5238 dataType: list 5239 structure: list (forceLogoff, lockoutDuration, 5240 lockoutObservationWindow, lockoutThreshold) 5241 status: current 5242 description: Specifies various attributes associated 5243 with lockout information for users and global groups in the 5244 security database. 5246 7.334. forceLogoff 5247 elementId: TBD 5248 name: forceLogoff 5249 dataType: unsigned32 5250 status: current 5251 description: Specifies, in seconds, the 5252 amount of time between the end of the valid logon time and 5253 the time when the user is forced to log off the 5254 network. 5256 7.335. lockoutDuration 5258 elementId: TBD 5259 name: lockoutDuration 5260 dataType: unsigned32 5261 status: current 5262 description: Specifies, in seconds, 5263 how long a locked account remains locked before it is 5264 automatically unlocked. 5266 7.336. 
lockoutObservationWindow 5268 elementId: TBD 5269 name: lockoutObservationWindow 5270 dataType: unsigned32 5271 status: current 5272 description: Specifies the 5273 maximum time, in seconds, that can elapse between any two 5274 failed logon attempts before lockout occurs. 5276 7.337. lockoutThreshold 5278 elementId: TBD 5279 name: lockoutThreshold 5280 dataType: unsigned32 5281 status: current 5282 description: Specifies the number of 5283 invalid password authentications that can occur before an 5284 account is marked "locked out." 5286 7.338. passwordpolicy 5287 elementId: TBD 5288 name: passwordpolicy 5289 dataType: list 5290 structure: list (maxPasswdAge, minPasswdAge, 5291 minPasswdLen, passwordHistLen, passwordComplexity, 5292 reversibleEncryption) 5293 status: current 5294 description: Specifies 5295 policy information associated with passwords. 5297 7.339. maxPasswdAge 5299 elementId: TBD 5300 name: maxPasswdAge 5301 dataType: unsigned32 5302 status: current 5303 description: Specifies, in seconds (from 5304 a DWORD), the maximum allowable password age. A value of 5305 TIMEQ_FOREVER (max DWORD value, 4294967295) indicates 5306 that the password never expires. The minimum valid value 5307 for this element is ONE_DAY (86400). See the 5308 USER_MODALS_INFO_0 structure returned by a call to 5309 NetUserModalsGet(). 5311 7.340. minPasswdAge 5313 elementId: TBD 5314 name: minPasswdAge 5315 dataType: unsigned32 5316 status: current 5317 description: Specifies the minimum 5318 number of seconds that can elapse between the time a password 5319 changes and when it can be changed again. A value of 5320 zero indicates that no delay is required between password 5321 updates. 5323 7.341. minPasswdLen 5325 elementId: TBD 5326 name: minPasswdLen 5327 dataType: unsigned32 5328 status: current 5329 description: Specifies the minimum 5330 allowable password length. Valid values for this element are 5331 zero through PWLEN. 5333 7.342. 
passwordHistLen 5335 elementId: TBD 5336 name: passwordHistLen 5337 dataType: unsigned32 5338 status: current 5339 description: Specifies the length of 5340 password history maintained. A new password cannot match any 5341 of the previous usrmod0_password_hist_len passwords. 5342 Valid values for this element are zero through DEF_MAX_PWHIST. 5344 7.343. passwordComplexity 5346 elementId: TBD 5347 name: passwordComplexity 5348 dataType: boolean 5349 status: current 5350 description: Indicates whether 5351 passwords must meet the complexity requirements put forth 5352 by the operating system. 5354 7.344. reversibleEncryption 5356 elementId: TBD 5357 name: reversibleEncryption 5358 dataType: boolean 5359 status: current 5360 description: Indicates whether 5361 or not passwords are stored using reversible encryption. 5363 7.345. portInfo 5365 elementId: TBD 5366 name: portInfo 5367 dataType: list 5368 structure: list (localAddress, localPort, transportProtocol, 5369 pid, foreignAddress, foreignPort) 5370 status: current 5371 description: Information about open listening ports. 5373 7.346. foreignPort 5375 elementId: TBD 5376 name: foreignPort 5377 dataType: string 5378 status: current 5379 description: The TCP or UDP port to which 5380 the program communicates. 5382 7.347. printereffectiverights 5384 elementId: TBD 5385 name: printereffectiverights 5386 dataType: list 5387 structure: list (printerName, trusteeSid, 5388 standardDelete, standardReadControl, standardWriteDac, 5389 standardWriteOwner, standardSynchronize, 5390 accessSystemSecurity, genericRead, genericWrite, 5391 genericExecute, genericAll, printerAccessAdminister, 5392 printerAccessUse, jobAccessAdminister, jobAccessRead) 5393 status: current 5394 description: Stores the effective rights of a printer that a 5395 discretionary access control list (DACL) structure grants to a 5396 specified trustee. 
The trustee's effective rights are determined by 5397 checking all access-allowed and access-denied access control 5398 entries (ACEs) in the DACL. 5400 7.348. printerName 5402 elementId: TBD 5403 name: printerName 5404 dataType: string 5405 status: current 5406 description: Specifies the name of the 5407 printer. 5409 7.349. printerAccessAdminister 5411 elementId: TBD 5412 name: printerAccessAdminister 5413 dataType: boolean 5414 status: current 5415 description: 5417 7.350. printerAccessUse 5419 elementId: TBD 5420 name: printerAccessUse 5421 dataType: boolean 5422 status: current 5423 description: 5425 7.351. jobAccessAdminister 5426 elementId: TBD 5427 name: jobAccessAdminister 5428 dataType: boolean 5429 status: current 5430 description: 5432 7.352. jobAccessRead 5434 elementId: TBD 5435 name: jobAccessRead 5436 dataType: boolean 5437 status: current 5438 description: 5440 7.353. registry 5442 elementId: TBD 5443 name: registry 5444 dataType: list 5445 structure: list (registryHive, registryKey, registryKeyName, 5446 lastWriteTime, registryKeyType, registryKeyValue, 5447 windowsView) 5448 status: current 5449 description: Specifies information that can be 5450 collected about a particular registry key. 5452 7.354. registryHive 5453 elementId: TBD 5454 name: registryHive 5455 dataType: enumeration 5456 structure: HKEY_CLASSES_ROOT ; 0x1 ; This registry subtree 5457 contains information that associates file types with programs 5458 and configuration data for automation (e.g. COM 5459 objects and Visual Basic Programs). 5460 HKEY_CURRENT_CONFIG ; 0x2 ; This registry subtree contains 5461 configuration data for the current hardware profile. 5462 HKEY_CURRENT_USER ; 0x3 ; This registry subtree contains the 5463 user profile of the user that is currently logged into the 5464 system. 5465 HKEY_LOCAL_MACHINE ; 0x4 ; This registry subtree contains 5466 information about the local system. 5467 HKEY_USERS ; 0x5 ; This registry subtree contains user-specific 5468 data. 
5469 ; 0x6 ; The empty string value is permitted here to allow 5470 for detailed error reporting. 5471 status: current 5472 description: The 5473 hive that the registry key belongs to. 5475 7.355. registryKey 5477 elementId: TBD 5478 name: registryKey 5479 dataType: string 5480 status: current 5481 description: Describes the registry key. 5482 Note that the hive portion of the string should not be 5483 included, as this data can be found under the hive 5484 element. 5486 7.356. registryKeyName 5488 elementId: TBD 5489 name: registryKeyName 5490 dataType: string 5491 status: current 5492 description: Describes the name of a 5493 registry key. 5495 7.357. lastWriteTime 5496 elementId: TBD 5497 name: lastWriteTime 5498 dataType: unsigned64 5499 status: current 5500 description: The last time that the key or any of its value entries 5501 were modified. The value of this entity represents the 5502 FILETIME structure which is a 64-bit value representing the 5503 number of 100-nanosecond intervals since January 1, 1601 5504 (UTC). Last write time can be queried on any key, with hives 5505 being classified as a type of key. When collecting only 5506 information about a registry hive or key the last write time 5507 will be the time the key or any of its entries were modified. 5508 When collecting only information about a registry name the 5509 last write time will be the time the containing key was 5510 modified. Thus when collecting information about a registry 5511 name, the last write time does not correlate directly 5512 to the specified name. See the RegQueryInfoKey function 5513 lpftLastWriteTime. 5515 7.358. registryKeyType 5517 elementId: TBD 5518 name: registryKeyType 5519 dataType: enumeration 5520 structure: reg_binary ; 0x1 ; The reg_binary type 5521 is used by registry keys that specify binary data in any 5522 form. 5523 reg_dword ; 0x2 ; The reg_dword type is used by 5524 registry keys that specify an unsigned 32-bit integer. 
5525 reg_dword_little_endian ; 0x3 ; The reg_dword_little_endian 5526 type is used by registry keys that specify an unsigned 32-bit 5527 little-endian integer. It is designed to run on 5528 little-endian computer architectures. 5529 reg_dword_big_endian ; 0x4 ; The reg_dword_big_endian type 5530 is used by registry keys that specify an unsigned 32-bit 5531 big-endian integer. It is designed to run on big-endian 5532 computer architectures. 5533 reg_expand_sz ; 0x5 ; The reg_expand_sz type is used by 5534 registry keys to specify a null-terminated 5535 string that contains unexpanded references to environment 5536 variables (for example, "%PATH%"). 5537 reg_link ; 0x6 ; The reg_link type is used by the registry 5538 keys for null-terminated unicode strings. It is related to 5539 target path of a symbolic link created by the 5540 RegCreateKeyEx function. 5541 reg_multi_sz ; 0x7 ; The reg_multi_sz type is used by 5542 registry keys that specify an array of null-terminated 5543 strings, terminated by two null characters. 5545 reg_none; 0x8 ; 5546 The reg_none type is used by registry keys that have no 5547 defined value type. 5548 reg_qword; 0x9 ; The reg_qword type is used by registry keys 5549 that specify an unsigned 64-bit integer. 5550 reg_qword_little_endian; 0xA ; The reg_qword_little_endian 5551 type is used by registry keys that specify an unsigned 5552 64-bit integer in little-endian computer architectures. 5553 reg_sz; 0xB ; The reg_sz type is used by registry keys that 5554 specify a single null-terminated string. 5555 reg_resource_list; 0xC ; The reg_resource_list type is used 5556 by registry keys that specify a resource list. 5557 reg_full_resource_descriptor; 0xD ; The 5558 reg_full_resource_descriptor type is used by registry 5559 keys that specify a full resource descriptor. 5560 reg_resource_requirements_list; 0xE ; The 5561 reg_resource_requirements_list type is used by registry keys 5562 that specify a resource requirements list. 
5563 ; 0xF ; The empty string value is permitted here to allow 5564 for detailed error reporting. 5565 status: current 5566 description: 5567 Specifies the type of data stored by the registry key. 5569 7.359. registryKeyValue 5570 elementId: TBD 5571 name: registryKeyValue 5572 dataType: string 5573 status: current 5574 description: Holds the actual value 5575 of the specified registry key. The representation of the 5576 value as well as the associated datatype attribute 5577 depends on the type of data stored in the registry key. If the 5578 value being tested is of type REG_BINARY, then the 5579 datatype attribute should be set to 'binary' and the data 5580 represented by the value entity should follow the 5581 xsd:hexBinary form (each binary octet is encoded as two hex 5582 digits). If the value being tested is of type 5583 REG_DWORD, REG_QWORD, REG_DWORD_LITTLE_ENDIAN, 5584 REG_DWORD_BIG_ENDIAN, or REG_QWORD_LITTLE_ENDIAN then the 5585 datatype attribute should be set to 'int' and the value 5586 entity should represent the data as an unsigned integer. 5587 DWORD and QWORD values represent unsigned 32-bit and 64-bit 5588 integers, respectively. If the value being tested is of type 5589 REG_EXPAND_SZ, then the datatype attribute should be set to 5590 'string' and the pre-expanded string should be 5591 represented by the value entity. If the value being tested 5592 is of type REG_MULTI_SZ, then only a single string (one 5593 of the multiple strings) should be tested using the value 5594 entity with the datatype attribute set to 'string'. In 5595 order to test multiple values, multiple OVAL registry tests 5596 should be used. If the specified registry key is of 5597 type REG_SZ, then the datatype should be 'string' and the 5598 value entity should be a copy of the string. 
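The representation rules of 7.359 and the FILETIME encoding of lastWriteTime (7.357), as an added Python example that is not part of the draft: it turns raw registry data into the registryKeyType code and registryKeyValue string a collector would report. The function names, the typeCode key and the sample bytes are assumptions made for the illustration; the numeric Windows REG_* constants come from winnt.h, not from this document.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows REG_* constant (winnt.h) -> (name, code) from the 7.358 enumeration.
# The model's codes are not the Windows constants, so the mapping is explicit.
WIN_TO_MODEL = {
    0: ("reg_none", 0x8),
    1: ("reg_sz", 0xB),
    2: ("reg_expand_sz", 0x5),
    3: ("reg_binary", 0x1),
    4: ("reg_dword", 0x2),   # Windows defines REG_DWORD_LITTLE_ENDIAN as the same constant
    5: ("reg_dword_big_endian", 0x4),
    6: ("reg_link", 0x6),
    7: ("reg_multi_sz", 0x7),
    8: ("reg_resource_list", 0xC),
    9: ("reg_full_resource_descriptor", 0xD),
    10: ("reg_resource_requirements_list", 0xE),
    11: ("reg_qword", 0x9),  # likewise REG_QWORD_LITTLE_ENDIAN
}
INT_FORMATS = {4: "<I", 5: ">I", 11: "<Q"}  # byte order and width per type
STRING_TYPES = {1, 2, 6}                     # REG_SZ, REG_EXPAND_SZ, REG_LINK
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(last_write_time):
    """Convert lastWriteTime (100-ns intervals since 1601-01-01 UTC)."""
    if last_write_time < 0:
        raise ValueError("lastWriteTime is unsigned")
    return FILETIME_EPOCH + timedelta(microseconds=last_write_time // 10)


def _utf16(raw):
    """Decode registry string data (UTF-16LE) and drop trailing terminators."""
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def encode_registry_value(win_type, raw):
    """Return the registryKeyValue entries for one raw registry value.

    A list is returned because 7.359 represents REG_MULTI_SZ as one value
    entity per string; every other type yields exactly one entry.
    """
    if win_type not in WIN_TO_MODEL:
        raise ValueError(f"unknown registry type {win_type}")
    name, code = WIN_TO_MODEL[win_type]

    def entry(datatype, value):
        # "typeCode" is a hypothetical key name; "datatype" is the attribute
        # named in 7.359.
        return {"registryKeyType": name, "typeCode": code,
                "datatype": datatype, "registryKeyValue": value}

    if win_type in INT_FORMATS:
        fmt = INT_FORMATS[win_type]
        if len(raw) != struct.calcsize(fmt):
            raise ValueError(f"{name}: expected {struct.calcsize(fmt)} bytes")
        return [entry("int", str(struct.unpack(fmt, raw)[0]))]
    if win_type in STRING_TYPES:
        # REG_EXPAND_SZ stays unexpanded: "%PATH%" is reported literally.
        return [entry("string", _utf16(raw))]
    if win_type == 7:  # REG_MULTI_SZ: strings separated by NUL, ended by two
        text = _utf16(raw)
        return [entry("string", s) for s in text.split("\x00")] if text else []
    # REG_BINARY per 7.359. ASSUMPTION: the types 7.359 does not mention
    # (reg_none and the resource types) are reported as hexBinary too.
    return [entry("binary", raw.hex().upper())]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    samples = [
        (4, struct.pack("<I", 1)),
        (5, b"\x00\x00\x01\x00"),
        (2, "%SystemRoot%\\system32".encode("utf-16-le") + b"\x00\x00"),
        (7, "first\x00second\x00\x00".encode("utf-16-le")),
        (3, b"\xde\xad\xbe\xef"),
    ]
    for win_type, raw in samples:
        for item in encode_registry_value(win_type, raw):
            print(item)
    print(filetime_to_utc(116444736000000000).isoformat())
```

As 7.357 states, a lastWriteTime collected for a registry name is the containing key's time, so the converted timestamp cannot be attributed to a change of that particular name.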
If the 5599 value being tested is of type REG_LINK, then the datatype 5600 attribute should be set to 'string' and the 5601 null-terminated Unicode string should be represented by the 5602 value entity. 5604 7.360. regkeyauditedpermissions 5605 elementId: TBD 5606 name: regkeyauditedpermissions 5607 dataType: list 5608 structure: list (registryKey, trusteeSid, trusteeName, 5609 standardDelete, standardReadControl, standardWriteDac, 5610 standardWriteOwner, standardSynchronize, 5611 accessSystemSecurity, genericRead, genericWrite, 5612 genericExecute, genericAll, keyQueryValue, keySetValue, 5613 keyCreateSubKey, keyEnumerateSubKeys, keyNotify, 5614 keyCreateLink, keyWow6464Key, keyWow6432Key, keyWow64Res, 5615 windowsView) 5616 status: current 5617 description: Stores the audited access rights of a registry key 5618 that a system access control list (SACL) structure grants to a 5619 specified trustee. The trustee's audited access rights are 5620 determined by checking all access control entries (ACEs) in the SACL. 5622 7.361. auditKeyQueryValue 5624 elementId: TBD 5625 name: auditKeyQueryValue 5626 dataType: enumeration 5627 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 5628 used to perform audits on all unsuccessful occurrences of 5629 specified events when auditing is enabled. 5630 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 5631 all auditing options for the specified events. 5632 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 5633 perform audits on all successful occurrences of the specified 5634 events when auditing is enabled. 5635 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 5636 is used to perform audits on all successful and unsuccessful 5637 occurrences of the specified events when auditing is enabled. 5638 ; 0x5 ; The empty string value is permitted here to allow for 5639 detailed error reporting. 5640 status: current 5641 description: 5643 7.362. 
auditKeySetValue 5644 elementId: TBD 5645 name: auditKeySetValue 5646 dataType: enumeration 5647 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 5648 used to perform audits on all unsuccessful occurrences of 5649 specified events when auditing is enabled. 5650 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 5651 all auditing options for the specified events. 5652 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 5653 perform audits on all successful occurrences of the specified 5654 events when auditing is enabled. 5655 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 5656 is used to perform audits on all successful and unsuccessful 5657 occurrences of the specified events when auditing is enabled. 5658 ; 0x5 ; The empty string value is permitted here to allow for 5659 detailed error reporting. 5660 status: current 5661 description: 5663 7.363. auditKeyCreateSubKey 5665 elementId: TBD 5666 name: auditKeyCreateSubKey 5667 dataType: enumeration 5668 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 5669 used to perform audits on all unsuccessful occurrences of 5670 specified events when auditing is enabled. 5671 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 5672 all auditing options for the specified events. 5673 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 5674 perform audits on all successful occurrences of the specified 5675 events when auditing is enabled. 5676 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 5677 is used to perform audits on all successful and unsuccessful 5678 occurrences of the specified events when auditing is enabled. 5679 ; 0x5 ; The empty string value is permitted here to allow for 5680 detailed error reporting. 5681 status: current 5682 description: 5684 7.364. 
auditKeyEnumerateSubKeys 5685 elementId: TBD 5686 name: auditKeyEnumerateSubKeys 5687 dataType: enumeration 5688 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 5689 used to perform audits on all unsuccessful occurrences of 5690 specified events when auditing is enabled. 5691 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 5692 all auditing options for the specified events. 5693 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 5694 perform audits on all successful occurrences of the specified 5695 events when auditing is enabled. 5696 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 5697 is used to perform audits on all successful and unsuccessful 5698 occurrences of the specified events when auditing is enabled. 5699 ; 0x5 ; The empty string value is permitted here to allow for 5700 detailed error reporting. 5701 status: current 5702 description: 5704 7.365. auditKeyNotify 5706 elementId: TBD 5707 name: auditKeyNotify 5708 dataType: enumeration 5709 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 5710 used to perform audits on all unsuccessful occurrences of 5711 specified events when auditing is enabled. 5712 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 5713 all auditing options for the specified events. 5714 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 5715 perform audits on all successful occurrences of the specified 5716 events when auditing is enabled. 5717 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 5718 is used to perform audits on all successful and unsuccessful 5719 occurrences of the specified events when auditing is enabled. 5720 ; 0x5 ; The empty string value is permitted here to allow for 5721 detailed error reporting. 5722 status: current 5723 description: 5725 7.366. 
auditKeyCreateLink 5726 elementId: TBD 5727 name: auditKeyCreateLink 5728 dataType: enumeration 5729 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 5730 used to perform audits on all unsuccessful occurrences of 5731 specified events when auditing is enabled. 5732 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 5733 all auditing options for the specified events. 5734 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 5735 perform audits on all successful occurrences of the specified 5736 events when auditing is enabled. 5737 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 5738 is used to perform audits on all successful and unsuccessful 5739 occurrences of the specified events when auditing is enabled. 5740 ; 0x5 ; The empty string value is permitted here to allow for 5741 detailed error reporting. 5742 status: current 5743 description: 5745 7.367. auditKeyWow6464Key 5747 elementId: TBD 5748 name: auditKeyWow6464Key 5749 dataType: enumeration 5750 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 5751 used to perform audits on all unsuccessful occurrences of 5752 specified events when auditing is enabled. 5753 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 5754 all auditing options for the specified events. 5755 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 5756 perform audits on all successful occurrences of the specified 5757 events when auditing is enabled. 5758 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 5759 is used to perform audits on all successful and unsuccessful 5760 occurrences of the specified events when auditing is enabled. 5761 ; 0x5 ; The empty string value is permitted here to allow for 5762 detailed error reporting. 5763 status: current 5764 description: 5766 7.368. 
auditKeyWow6432Key 5767 elementId: TBD 5768 name: auditKeyWow6432Key 5769 dataType: enumeration 5770 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 5771 used to perform audits on all unsuccessful occurrences of 5772 specified events when auditing is enabled. 5773 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 5774 all auditing options for the specified events. 5775 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 5776 perform audits on all successful occurrences of the specified 5777 events when auditing is enabled. 5778 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 5779 is used to perform audits on all successful and unsuccessful 5780 occurrences of the specified events when auditing is enabled. 5781 ; 0x5 ; The empty string value is permitted here to allow for 5782 detailed error reporting. 5783 status: current 5784 description: 5786 7.369. auditKeyWow64Res 5788 elementId: TBD 5789 name: auditKeyWow64Res 5790 dataType: enumeration 5791 structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is 5792 used to perform audits on all unsuccessful occurrences of 5793 specified events when auditing is enabled. 5794 AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel 5795 all auditing options for the specified events. 5796 AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to 5797 perform audits on all successful occurrences of the specified 5798 events when auditing is enabled. 5799 AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE 5800 is used to perform audits on all successful and unsuccessful 5801 occurrences of the specified events when auditing is enabled. 5802 ; 0x5 ; The empty string value is permitted here to allow for 5803 detailed error reporting. 5804 status: current 5805 description: 5807 7.370. 
regkeyeffectiverights 5808 elementId: TBD 5809 name: regkeyeffectiverights 5810 dataType: list 5811 structure: list (registryHive, registryKey, trusteeSid, 5812 trusteeName, standardDelete, standardReadControl, 5813 standardWriteDac, standardWriteOwner, standardSynchronize, 5814 accessSystemSecurity, genericRead, genericWrite, 5815 genericExecute, genericAll, keyQueryValue, keySetValue, 5816 keyCreateSubKey, keyEnumerateSubKeys, keyNotify, 5817 keyCreateLink, keyWow6464Key, keyWow6432Key, keyWow64Res, 5818 windowsView) 5819 status: current 5820 description: Stores the effective rights of a registry key that a 5821 discretionary access control list (DACL) structure grants to a 5822 specified trustee. The trustee's effective rights are determined by 5823 checking all access-allowed and access-denied access control 5824 entries (ACEs) in the DACL. 5826 7.371. keyQueryValue 5828 elementId: TBD 5829 name: keyQueryValue 5830 dataType: boolean 5831 status: current 5832 description: Specifies whether or not 5833 permission is granted to query the key's value. 5835 7.372. keySetValue 5837 elementId: TBD 5838 name: keySetValue 5839 dataType: boolean 5840 status: current 5841 description: Specifies whether or not 5842 permission is granted to set the key's value. 5844 7.373. keyCreateSubKey 5846 elementId: TBD 5847 name: keyCreateSubKey 5848 dataType: boolean 5849 status: current 5850 description: Specifies whether or not 5851 permission is granted to create a subkey. 5853 7.374. keyEnumerateSubKeys 5855 elementId: TBD 5856 name: keyEnumerateSubKeys 5857 dataType: boolean 5858 status: current 5859 description: Specifies whether or 5860 not permission is granted to list the subkeys associated 5861 with the key. 5863 7.375. keyNotify 5865 elementId: TBD 5866 name: keyNotify 5867 dataType: boolean 5868 status: current 5869 description: 5871 7.376. keyCreateLink 5873 elementId: TBD 5874 name: keyCreateLink 5875 dataType: boolean 5876 status: current 5877 description: 5879 7.377. 
keyWow6464Key 5881 elementId: TBD 5882 name: keyWow6464Key 5883 dataType: boolean 5884 status: current 5885 description: 5887 7.378. keyWow6432Key 5889 elementId: TBD 5890 name: keyWow6432Key 5891 dataType: boolean 5892 status: current 5893 description: 5895 7.379. keyWow64Res 5896 elementId: TBD 5897 name: keyWow64Res 5898 dataType: boolean 5899 status: current 5900 description: 5902 7.380. service 5904 elementId: TBD 5905 name: service 5906 dataType: list 5907 structure: list (serviceName, displayName, description, 5908 serviceType, startType, currentState, controlsAccepted, 5909 startName, path, pid, serviceFlag, dependencies) 5910 status: current 5911 description: Stores information about Windows services that are 5912 present on the system. 5914 7.381. displayName 5916 elementId: TBD 5917 name: displayName 5918 dataType: string 5919 status: current 5920 description: Specifies the name of the 5921 service as specified in administrative tools. 5923 7.382. description 5925 elementId: TBD 5926 name: description 5927 dataType: string 5928 status: current 5929 description: Specifies the description of 5930 the service. 5932 7.383. serviceType 5933 elementId: TBD 5934 name: serviceType 5935 dataType: enumeration 5936 structure: SERVICE_FILE_SYSTEM_DRIVER ; 0x1 ; The 5937 SERVICE_FILE_SYSTEM_DRIVER type means that the service is 5938 a file system driver. The DWORD value that this 5939 corresponds to is 0x00000002. 5940 SERVICE_KERNEL_DRIVER ; 0x2 ; The SERVICE_KERNEL_DRIVER type 5941 means that the service is a driver. The DWORD value that 5942 this corresponds to is 0x00000001. 5943 SERVICE_WIN32_OWN_PROCESS ; 0x3 ; The SERVICE_WIN32_OWN_PROCESS 5944 type means that the service runs in its own process. The DWORD 5945 value that this corresponds to is 0x00000010. 5946 SERVICE_WIN32_SHARE_PROCESS ; 0x4 ; The 5947 SERVICE_WIN32_SHARE_PROCESS type means that the service runs 5948 in a process with other services. 
The DWORD value that this 5949 corresponds to is 0x00000020. 5950 SERVICE_INTERACTIVE_PROCESS ; 0x5 ; The 5951 SERVICE_WIN32_SHARE_PROCESS type means that the service runs 5952 in a process with other services. The DWORD value that this 5953 corresponds to is 0x00000100. 5954 ; 0x6 ; The empty string value is permitted here to allow for 5955 empty elements associated with error conditions. 5956 status: current 5957 description: 5958 Specifies the type of the service. 5960 7.384. startType 5961 elementId: TBD 5962 name: startType 5963 dataType: enumeration 5964 structure: SERVICE_AUTO_START ; 0x1 ; The SERVICE_AUTO_START type 5965 means that the service is started automatically by the Service 5966 Control Manager (SCM) during startup. The DWORD value that 5967 this corresponds to is 0x00000002. 5968 SERVICE_BOOT_START ; 0x2 ; The SERVICE_BOOT_START type means 5969 that the driver service is started by the system loader. The 5970 DWORD value that this corresponds to is 0x00000000. 5971 SERVICE_DEMAND_START ; 0x3 ; The SERVICE_DEMAND_START type 5972 means that the service is started by the Service Control 5973 Manager (SCM) when StartService() is called. The DWORD value 5974 that this corresponds to is 0x00000003. 5975 SERVICE_DISABLED ; 0x4 ; The SERVICE_DISABLED type means 5976 that the service cannot be started. The DWORD value that 5977 this corresponds to is 0x00000004. 5978 SERVICE_SYSTEM_START ; 0x5 ; The SERVICE_SYSTEM_START type 5979 means that the service is a device driver started by 5980 IoInitSystem(). The DWORD value that this corresponds to is 5981 0x00000001. 5982 ; 0x6 ; The empty string value is permitted here to allow 5983 for empty elements associated with error conditions. 5984 status: current 5985 description: Specifies when the service should be started. 5987 7.385. 
currentState 5988 elementId: TBD 5989 name: currentState 5990 dataType: enumeration 5991 structure: SERVICE_CONTINUE_PENDING ; 0x1 ; The 5992 SERVICE_CONTINUE_PENDING type means that the service has been 5993 sent a command to continue, however, the command has 5994 not yet been executed. The DWORD value that this corresponds 5995 to is 0x00000005. SERVICE_PAUSE_PENDING ; 0x2 ; The 5996 SERVICE_PAUSE_PENDING type means that the service has been 5997 sent a command to pause, however, the command has not 5998 yet been executed. The DWORD value that this corresponds to 5999 is 0x00000006. 6000 SERVICE_PAUSED ; 0x3 ; The SERVICE_PAUSED type means that 6001 the service is paused. The DWORD value that this corresponds 6002 to is 0x00000007. 6003 SERVICE_RUNNING ; 0x4 ; The SERVICE_RUNNING type means that 6004 the service is running. The DWORD value that this 6005 corresponds to is 0x00000004. 6006 SERVICE_START_PENDING ; 0x5 ; The SERVICE_START_PENDING type 6007 means that the service has been sent a command to start, 6008 however, the command has not yet been executed. The DWORD 6009 value that this corresponds to is 0x00000002. 6010 SERVICE_STOP_PENDING ; 0x6 ; The SERVICE_STOP_PENDING type 6011 means that the service 6012 has been sent a command to stop, however, the command has 6013 not yet been executed. The DWORD value that this 6014 corresponds to is 0x00000003. 6015 SERVICE_STOPPED ; 0x7 ; The SERVICE_STOPPED type means that 6016 the service is stopped. The DWORD value that this corresponds 6017 to is 0x00000001. 6018 ; 0x8 ; The empty string value is permitted here to allow 6019 for empty elements associated with error conditions. 6020 status: current 6021 description: Specifies the current state of 6022 the service. 6024 7.386. 
controlsAccepted 6026 elementId: TBD 6027 name: controlsAccepted 6028 dataType: enumeration 6029 structure: 6030 SERVICE_ACCEPT_NETBINDCHANGE ; 0x1 ; 6031 The SERVICE_ACCEPT_NETBINDCHANGE type means that the 6032 service is a network component and can accept changes in its 6033 binding without being stopped or restarted. The DWORD value 6034 that this corresponds to is 0x00000010. 6035 SERVICE_ACCEPT_PARAMCHANGE ; 0x2 ; The SERVICE_ACCEPT_PARAMCHANGE 6036 type means that the service can re-read its 6037 startup parameters without being stopped or restarted. The 6038 DWORD value that this corresponds to is 0x00000008. 6039 SERVICE_ACCEPT_PAUSE_CONTINUE ; 0x3 ; The 6040 SERVICE_ACCEPT_PAUSE_CONTINUE type means that the service 6041 can be paused or continued. The DWORD value that this 6042 corresponds to is 0x00000002. 6043 SERVICE_ACCEPT_PRESHUTDOWN ; 0x4 ; The 6044 SERVICE_ACCEPT_PRESHUTDOWN type means that the service can 6045 receive pre-shutdown notifications. The DWORD value 6046 that this corresponds to is 0x00000100. 6047 SERVICE_ACCEPT_SHUTDOWN ; 0x5 ; The SERVICE_ACCEPT_SHUTDOWN 6048 type means that the service can receive shutdown notifications. 6049 The DWORD value that this corresponds to is 0x00000004. 6050 SERVICE_ACCEPT_STOP ; 0x6 ; The SERVICE_ACCEPT_STOP type 6051 means that the service can be stopped. The DWORD value 6052 that this corresponds to is 0x00000001. 6053 SERVICE_ACCEPT_HARDWAREPROFILECHANGE ; 0x7 ; The 6054 SERVICE_ACCEPT_HARDWAREPROFILECHANGE type means that the 6055 service can receive notifications when the system's 6056 hardware profile changes. The DWORD value that this 6057 corresponds to is 0x00000020. 6058 SERVICE_ACCEPT_POWEREVENT ; 0x8 ; The SERVICE_ACCEPT_POWEREVENT 6059 type means that the service can receive notifications when the 6060 system's power status has changed. The DWORD value that this 6061 corresponds to is 0x00000040. 
6062 SERVICE_ACCEPT_SESSIONCHANGE ; 0x9 ; The 6063 SERVICE_ACCEPT_SESSIONCHANGE type means that the service can 6064 receive notifications when the system's session 6065 status has changed. The DWORD value that this corresponds 6066 to is 0x00000080. 6067 SERVICE_ACCEPT_TIMECHANGE ; 0xA ; The SERVICE_ACCEPT_TIMECHANGE 6068 type means that the service can receive notifications when 6069 the system time changes. The DWORD value that this corresponds 6070 to is 0x00000200. 6071 SERVICE_ACCEPT_TRIGGEREVENT ; 0xB ; The 6072 SERVICE_ACCEPT_TRIGGEREVENT type means that the service can 6073 receive notifications when an event that the service 6074 has registered for occurs on the system. The DWORD value that 6075 this corresponds to is 0x00000400. 6076 ; 0xC ; The empty string value is permitted here to allow 6077 for empty elements associated with error conditions. 6078 status: current 6080 description: Specifies the control codes that a service will 6081 accept and process. 6083 7.387. startName 6085 elementId: TBD 6086 name: startName 6087 dataType: string 6088 status: current 6089 description: Specifies the account under 6090 which the process should run. 6092 7.388. serviceFlag 6094 elementId: TBD 6095 name: serviceFlag 6096 dataType: boolean 6097 status: current 6098 description: Specifies whether the 6099 service is in a system process that must always run (true) 6100 or if the service is in a non-system process or is not 6101 running (false). 6103 7.389. dependencies 6105 elementId: TBD 6106 name: dependencies 6107 dataType: string 6108 status: current 6109 description: Specifies the dependencies 6110 of this service on other services. 6112 7.390. 
serviceeffectiverights 6114 elementId: TBD 6115 name: serviceeffectiverights 6116 dataType: list 6117 structure: list (serviceName, trusteeSid, 6118 standardDelete, standardReadControl, standardWriteDac, 6119 standardWriteOwner, genericRead, genericWrite, 6120 genericExecute, serviceQueryConf, serviceChangeConf, 6121 serviceQueryStat, serviceEnumDependents, serviceStart, 6122 serviceStop, servicePause, serviceInterrogate, 6123 serviceUserDefined) 6124 status: current 6125 description: Stores the 6126 effective rights of a service that a discretionary access 6127 control list (DACL) structure grants to a specified 6128 trustee. The trustee's effective rights are determined by 6129 checking all access-allowed and access-denied access 6130 control entries (ACEs) in the DACL. 6132 7.391. trusteeSid 6134 elementId: TBD 6135 name: trusteeSid 6136 dataType: string 6137 status: current 6138 description: Specifies the SID that is 6139 associated with a user, group, system, or program (such as a 6140 Windows service). 6142 7.392. serviceQueryConf 6144 elementId: TBD 6145 name: serviceQueryConf 6146 dataType: boolean 6147 status: current 6148 description: Specifies whether or 6149 not permission is granted to query the service configuration. 6151 7.393. serviceChangeConf 6153 elementId: TBD 6154 name: serviceChangeConf 6155 dataType: boolean 6156 status: current 6157 description: Specifies whether or 6158 not permission is granted to change service configuration. 6160 7.394. serviceQueryStat 6162 elementId: TBD 6163 name: serviceQueryStat 6164 dataType: boolean 6165 status: current 6166 description: Specifies whether or 6167 not permission is granted to query the service control 6168 manager about the status of the service. 6170 7.395. 
serviceEnumDependents 6172 elementId: TBD 6173 name: serviceEnumDependents 6174 dataType: boolean 6175 status: current 6176 description: Specifies whether 6177 or not permission is granted to query for an enumeration of 6178 all the services dependent on the service. 6180 7.396. serviceStart 6182 elementId: TBD 6183 name: serviceStart 6184 dataType: boolean 6185 status: current 6186 description: Specifies whether or not 6187 permission is granted to start the service. 6189 7.397. serviceStop 6191 elementId: TBD 6192 name: serviceStop 6193 dataType: boolean 6194 status: current 6195 description: Specifies whether or not 6196 permission is granted to stop the service. 6198 7.398. servicePause 6200 elementId: TBD 6201 name: servicePause 6202 dataType: boolean 6203 status: current 6204 description: Specifies whether or not 6205 permission is granted to pause or continue the service. 6207 7.399. serviceInterrogate 6209 elementId: TBD 6210 name: serviceInterrogate 6211 dataType: boolean 6212 status: current 6213 description: Specifies whether or not permission is granted to 6214 request the service to report its status immediately. 6216 7.400. serviceUserDefined 6218 elementId: TBD 6219 name: serviceUserDefined 6220 dataType: boolean 6221 status: current 6222 description: Specifies whether or 6223 not permission is granted to specify a user-defined 6224 control code. 6226 7.401. sharedresourceauditedpermissions 6228 elementId: TBD 6229 name: sharedresourceauditedpermissions 6230 dataType: list 6231 structure: list (netname, trusteeSid, 6232 standardDelete, standardReadControl, standardWriteDac, 6233 standardWriteOwner, standardSynchronize, 6234 accessSystemSecurity, genericRead, genericWrite, 6235 genericExecute, genericAll) 6236 status: current 6237 description: Stores 6238 the audited access rights of a shared resource that a system 6239 access control list (SACL) structure grants to a 6240 specified trustee. 
The trustee's audited access rights are 6241 determined by checking all access control entries (ACEs) 6242 in the SACL. 6244 7.402. netname 6246 elementId: TBD 6247 name: netname 6248 dataType: string 6249 status: current 6250 description: Specifies the name associated 6251 with a particular shared resource. 6253 7.403. sharedresourceeffectiverights 6255 elementId: TBD 6256 name: sharedresourceeffectiverights 6257 dataType: list 6258 structure: list (netname, trusteeSid, 6259 standardDelete, standardReadControl, standardWriteDac, 6260 standardWriteOwner, standardSynchronize, 6261 accessSystemSecurity, genericRead, genericWrite, 6262 genericExecute, genericAll) 6263 status: current 6264 description: Stores 6265 the effective rights of a shared resource that a 6266 discretionary access control list (DACL) structure grants 6267 to a specified trustee. The trustee's effective rights are 6268 determined by checking all access-allowed and access-denied 6269 access control entries (ACEs) in the DACL. 6271 7.404. user 6273 elementId: TBD 6274 name: user 6275 dataType: list 6276 structure: list (username, enabled, group, lastLogon) 6277 status: current 6278 description: Specifies the groups to which a user belongs. 6280 7.405. enabled 6282 elementId: TBD 6283 name: enabled 6284 dataType: boolean 6285 status: current 6286 description: Represents whether the 6287 particular user is enabled or not. 6289 7.406. lastLogon 6291 elementId: TBD 6292 name: lastLogon 6293 dataType: unsigned32 6294 status: current 6295 description: The date and time when the 6296 last logon occurred. 6298 7.407. groupSid 6300 elementId: TBD 6301 name: groupSid 6302 dataType: string 6303 status: current 6304 description: Represents the SID of a 6305 particular group. If the specified user belongs to more than 6306 one group, then multiple groupSid elements are 6307 applicable. 
If the specified user is not a member of a single 6308 group, then a single groupSid element should be 6309 included with a status of 'does not exist'. If there is an 6310 error determining the groups that the user belongs to, 6311 then a single groupSid element should be included with a 6312 status of 'error'. 6314 7.408. endpointType 6315 elementId: TBD 6316 name: endpointType 6317 dataType: enumeration 6318 status: current 6319 description: The possible types of endpoint in the 6320 enterprise. 6321 structure: 6322 workstation; 0x1; Workstation Endpoint 6323 printer; 0x2; Printer Endpoint 6324 router; 0x3; Router Endpoint 6325 tablet; 0x4; Tablet Endpoint 6327 7.409. endpointPurpose 6329 elementId: TBD 6330 name: endpointPurpose 6331 dataType: string 6332 status: current 6333 description: A description of how the endpoint is 6334 used within the enterprise. 6335 Examples include end user system, 6336 and public web server. 6338 7.410. endpointCriticality 6340 elementId: TBD 6341 name: endpointCriticality 6342 dataType: string 6343 status: current 6344 description: An enterprise-defined rating which 6345 indicates the criticality of the 6346 endpoint. The rating should be 6347 specific enough to assess the impact 6348 to the overall enterprise if the 6349 endpoint is attacked or lost. 6351 7.411. ingestTimestamp 6353 elementId: TBD 6354 name: ingestTimestamp 6355 dataType: dateTimeSeconds 6356 status: current 6357 description: The point in time that the 6358 description of a vulnerability was 6359 received by the enterprise. 6361 7.412. vulnerabilityVersion 6363 elementId: TBD 6364 name: vulnerabilityVersion 6365 dataType: string 6366 status: current 6367 description: The version or iteration of the 6368 vulnerability description information 6369 (reported by the author, if applicable). 6371 7.413. 
vulnerabilityExternalId 6373 elementId: TBD 6374 name: vulnerabilityExternalId 6375 dataType: string 6376 status: current 6377 description: An external or third-party ID 6378 assigned to the vulnerability 6379 description. This could be multiple 6380 IDs in some cases (e.g., vendor bug 6381 ID, global ID, discoverer's local ID, 6382 third-party vulnerability database 6383 ID, etc.). 6385 7.414. vulnerabilitySeverity 6387 elementId: TBD 6388 name: vulnerabilitySeverity 6389 dataType: string 6390 status: current 6391 description: The severity of the vulnerability 6392 (reported by the author, if applicable). 6394 7.415. assessmentTimestamp 6396 elementId: TBD 6397 name: assessmentTimestamp 6398 dataType: dateTimeSeconds 6399 status: current 6400 description: The point in time that the assessment 6401 was performed against an endpoint. 6403 7.416. vulnerableSoftware 6404 elementId: TBD 6405 name: vulnerableSoftware 6406 dataType: list 6407 status: current 6408 description: A listing of software products 6409 installed on the endpoint which are 6410 known to have vulnerabilities. 6411 structure: list(softwareInstance*) 6413 7.417. endpointVulnerabilityStatus 6415 elementId: TBD 6416 name: endpointVulnerabilityStatus 6417 dataType: enumeration 6418 status: current 6419 description: Overall vulnerability status of an 6420 enterprise endpoint. 6421 structure: Pass; 0x1; Endpoint passed the 6422 vulnerability test(s). 6423 Fail; 0x2; Endpoint failed the 6424 vulnerability test(s). 6426 7.418. vulnerabilityDescription 6428 elementId: TBD 6429 name: vulnerabilityDescription 6430 dataType: string 6431 status: current 6432 description: A human-readable description of the 6433 vulnerability. 6435 8. Acknowledgements 6437 Many of the specifications in this document have been developed in a 6438 public-private partnership with vendors and end-users. The hard work 6439 of the SCAP community is appreciated in advancing these efforts to 6440 their current level of adoption. 

   Over the course of developing the initial draft, Brant Cheikes, Matt
   Hansbury, Daniel Haynes, Scott Pope, Charles Schmidt, and Steve
   Venema have contributed text to many sections of this document.

9.  IANA Considerations

   This document specifies an initial set of Information Elements for
   SACM in Section 7. An Internet Assigned Numbers Authority (IANA)
   registry will be created and populated with the Information Elements
   in Section 7. New assignments for SACM Information Elements will be
   administered by IANA through Expert Review [RFC2434]. The designated
   experts MUST check the requested Information Elements for
   completeness and accuracy of the submission with respect to the
   template and requirements expressed in Section 4 and Section 4.1.
   Requests for Information Elements that duplicate the functionality of
   existing Information Elements SHOULD be declined. The smallest
   available Information Element identifier SHOULD be assigned to a new
   Information Element. The definition of new Information Elements MUST
   be published using a well-established and persistent publication
   medium.

10.  Security Considerations

   Posture Assessments need to be performed in a safe and secure manner.
   In that regard, there are multiple aspects of security that apply to
   the communications between components as well as the capabilities
   themselves. This information model only contains an initial listing
   of items that need to be considered with respect to security and will
   need to be augmented as the model continues to be developed.

   Security considerations include:

   Authentication:  Every SACM Component and asset needs to be able to
      identify itself and verify the identity of other SACM
      Components and assets.

   Confidentiality:  Communications between SACM Components need to be
      protected from eavesdropping or unauthorized collection.
      Some communications between SACM Components and assets may
      need to be protected as well.

   Integrity:  The information exchanged between SACM Components needs
      to be protected from modification. Some exchanges between
      assets and SACM Components will also have this requirement.

   Restricted Access:  The information collected, evaluated,
      reported, and stored should only be viewable and consumable
      by authenticated and authorized entities.

   Considerations with respect to the operational aspects of collection,
   evaluation, and storage of security automation information can be
   found in Section 11.

   Considerations concerning the privacy of security automation
   information can be found in Section 12.

11.  Operational Considerations

   The following sections outline a series of operational considerations
   for SACM deployments within an organization. This section may be
   expanded to include other considerations as the WG gains additional
   operational experience with SACM deployments and extending the
   information model.

11.1.  Endpoint Designation

   In order to successfully carry out endpoint posture assessment, it is
   necessary to be able to identify the endpoints on a network and track
   the changes to them over time. Specifically, this means enabling SACM
   Components to:

   o  Tell whether two endpoint attribute assertions concern the same
      endpoint

   o  Respond to compliance measurements, for example by reporting,
      remediating, and quarantining (SACM does not specify these
      responses, but SACM exists to enable them).

   Ideally, every endpoint would be identified by a unique identifier
   present on the endpoint, but this is complicated by different
   factors such as the variety of endpoints on a network, the ability of
   tools to reliably access such an identifier, and the ability of tools
   to correlate disparate identifiers.
   As a result, it is necessary for
   an endpoint to be identified by a set of attributes that uniquely
   identify it on a network. The set of attributes that uniquely
   identify an endpoint on a network will likely vary by organization;
   however, there are a number of properties to consider when selecting
   identifying attributes as some are better suited for identification
   purposes than others.

   Multiplicity:  Is the attribute typically associated with a single
      endpoint or with multiple endpoints? If the attribute is
      associated with a single endpoint, it is better for
      identifying an endpoint on a network.

   Persistence:  How likely is the attribute to change? Does it never
      change? Does it only change when the endpoint is
      reprovisioned? Does it only change due to an event? Does it
      change on an ad-hoc and often unpredictable basis? Does it
      constantly change? The less likely it is for an attribute to
      change over time, the better it is for identifying an
      endpoint on a network.

   Immutability:  How difficult is it to change the attribute? Is the
      attribute hardware rooted and never changes? Can the
      attribute be changed by a user/process with the appropriate
      access? Can the attribute be changed without controlled
      access? The less likely an attribute is to change over time,
      the better chance it will be usable to identify an endpoint
      over time.

   Verifiable:  Can the attribute be corroborated? Can the attribute be
      externally verified with source authentication? Can the
      attribute be externally verified without source
      authentication? Is it impossible to externally verify the
      attribute? Attributes that can be externally verified are
      more likely to be accurate and are better for identifying
      endpoints on a network.
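
   The following Python code is an added example, not part of the
   draft. It rates candidate attributes on the four properties above,
   selects an identifying set, and uses that set to tell whether two
   attribute assertions concern the same endpoint. The attribute names,
   ratings, equal weighting, 0.6 threshold and sample assertions are
   assumptions of a hypothetical organization.

```python
# Added example. Attribute names, ratings and the 0.6 threshold are the
# assumptions of a hypothetical organization, not values from the draft.

# Possible answers under each property, ordered from worst to best for
# identification purposes.
SCALES = {
    "multiplicity": ["multiple", "single"],
    "persistence": ["constant", "ad-hoc", "event", "reprovision", "never"],
    "immutability": ["uncontrolled", "controlled-access", "hardware-rooted"],
    "verifiable": ["impossible", "unauthenticated", "authenticated"],
}

def rate(multiplicity, persistence, immutability, verifiable):
    return dict(multiplicity=multiplicity, persistence=persistence,
                immutability=immutability, verifiable=verifiable)

# Constructed ratings for four candidate attributes.
CANDIDATES = {
    "hardwareSerialNumber": rate("single", "never", "hardware-rooted",
                                 "unauthenticated"),
    "hostName": rate("single", "reprovision", "controlled-access",
                     "unauthenticated"),
    "macAddress": rate("single", "event", "controlled-access",
                       "unauthenticated"),
    "ipv4Address": rate("multiple", "ad-hoc", "uncontrolled",
                        "unauthenticated"),
}

def score(rating):
    """Mean position on the four scales, from 0.0 (worst) to 1.0 (best)."""
    parts = [SCALES[p].index(rating[p]) / (len(SCALES[p]) - 1) for p in SCALES]
    return sum(parts) / len(parts)

def identifying_set(candidates, threshold=0.6):
    """Attributes tied to a single endpoint that score at least threshold."""
    return {name for name, r in candidates.items()
            if r["multiplicity"] == "single" and score(r) >= threshold}

def normalize(name, value):
    """Remove representation differences between collectors."""
    value = value.strip().lower()
    if name == "macAddress":
        value = value.replace(":", "").replace("-", "").replace(".", "")
    return value

def correlate(a, b, identifying):
    """Decide whether two attribute assertions concern the same endpoint."""
    shared = sorted(n for n in identifying if n in a and n in b)
    if not shared:
        return "undetermined"  # nothing identifying in common
    agree = [n for n in shared if normalize(n, a[n]) == normalize(n, b[n])]
    if len(agree) == len(shared):
        return "same"
    return "different" if not agree else "conflict"

# Constructed assertions, as different collectors might report them.
AGENT = {"hardwareSerialNumber": "SN-0042", "hostName": "WS-FIN-07",
         "macAddress": "00-1A-2B-3C-4D-5E", "ipv4Address": "10.0.4.17"}
SCANNER = {"macAddress": "00:1a:2b:3c:4d:5e", "ipv4Address": "10.0.9.88"}
DHCP_LOG = {"ipv4Address": "10.0.4.17"}
RENAMED = {"hostName": "ws-hr-02", "macAddress": "001a.2b3c.4d5e"}
OTHER = {"hardwareSerialNumber": "SN-0099", "hostName": "ws-hr-02"}

IDS = identifying_set(CANDIDATES)

if __name__ == "__main__":
    for name, r in sorted(CANDIDATES.items(), key=lambda kv: -score(kv[1])):
        print(f"{name:22} {score(r):.4f}")
    for label, other in [("scanner", SCANNER), ("dhcp", DHCP_LOG),
                         ("renamed", RENAMED), ("other", OTHER)]:
        print(label, correlate(AGENT, other, IDS))
```

   A matching IP address alone yields "undetermined" because the
   attribute is not in the identifying set, while a "conflict" result
   marks a pair that needs review before any response is taken.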

   With that said, requiring SACM Components and end users to constantly
   refer to a set of attributes to identify an endpoint is particularly
   burdensome. As a result, SACM supports the concept of a target
   endpoint label which associates an identifier (unique to a SACM
   domain) with the set of attributes used by an organization to
   identify endpoints on a network. Once defined for an endpoint, the
   target endpoint label can be used in place of the set of identifying
   attributes.

11.2.  Timestamp Accuracy

   An organization will likely have different collectors deployed across
   the network that will be configured to collect posture attributes on
   varying frequencies (periodic, ad-hoc, event-driven, on endpoint, off
   endpoint, etc.). Some collectors will detect changes as soon as they
   occur whereas others will detect them at a later point during a
   periodic scan or when an event has triggered the collection of
   posture attributes. Furthermore, some changes will be detected on
   the endpoint and others will be observed off of the endpoint. As a
   result of these differences, the accuracy of the timestamp associated
   with the collected information will vary. For example, if a
   collector is only running once every 12 hours, the change probably
   happened at some point in time prior to the scan and the timestamp is
   likely not accurate. Due to this, it is important for system
   administrators to determine if the accuracy of a timestamp is good
   enough for their intended purposes.

12.  Privacy Considerations

   In the IETF, there are privacy concerns with respect to endpoint
   identity and monitoring. This is especially true when the activity
   on an endpoint can be linked to a particular person. For example, by
   correlating endpoint attributes such as usernames, certificates, etc.
   with browser activity, it may be possible to gain insight into user
   behavior and trends beyond what is required to carry out endpoint
   posture assessments. In the hands of the wrong person, this
   information could be used to negatively influence a user's behavior
   or to plan attacks against the organization's infrastructure.

   As a result, SACM data models should incorporate a mechanism by which
   an organization can designate which endpoint attributes are
   considered sensitive with respect to privacy. This will allow SACM
   Components to handle endpoint attributes in a manner consistent with
   the organization's privacy policies. Furthermore, organizations
   should put the proper mechanism in place to ensure endpoint
   attributes are protected when transmitted, stored, and accessed, so
   that only authorized parties are granted access.

   It should also be noted that some of this is often mitigated by
   organizational policies that require a user of an organization's
   network to consent to some level of monitoring in return for access
   to the network and other resources. The information that is
   monitored and collected will vary by organization and further
   highlights the need for a mechanism by which an organization can
   specify what constitutes privacy sensitive information for them.

13.  References

13.1.  Normative References

   [PEN]      Internet Assigned Numbers Authority, "Private Enterprise
              Numbers", July 2016.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

13.2.  Informative References

   [I-D.ietf-sacm-requirements]
              Cam-Winget, N. and L. Lorenzin, "Secure Automation and
              Continuous Monitoring (SACM) Requirements",
              draft-ietf-sacm-requirements-01 (work in progress),
              October 2014.

   [I-D.ietf-sacm-terminology]
              Waltermire, D., Montville, A., Harrington, D., and N.
              Cam-Winget, "Terminology for Security Assessment",
              draft-ietf-sacm-terminology-05 (work in progress),
              August 2014.

   [RFC2434]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 2434,
              DOI 10.17487/RFC2434, October 1998.

   [RFC3580]  Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
              "IEEE 802.1X Remote Authentication Dial In User Service
              (RADIUS) Usage Guidelines", RFC 3580,
              DOI 10.17487/RFC3580, September 2003.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007.

   [RFC5209]  Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J.
              Tardo, "Network Endpoint Assessment (NEA): Overview and
              Requirements", RFC 5209, DOI 10.17487/RFC5209, June 2008.

   [RFC7012]  Claise, B., Ed. and B. Trammell, Ed., "Information Model
              for IP Flow Information Export (IPFIX)", RFC 7012,
              DOI 10.17487/RFC7012, September 2013.

   [RFC7632]  Waltermire, D. and D. Harrington, "Endpoint Security
              Posture Assessment: Enterprise Use Cases", RFC 7632,
              DOI 10.17487/RFC7632, September 2015.

Appendix A.  Change Log

A.1.  Changes in Revision 01

   Added some proposed normative text.

   For provenance:

   Added a class "Method"

   Added the produced-using relationship between an AVP and a method

   Added the produced-by relationship between a Guidance and a SACM
   Component

   Added the hosted-by relationship between a SACM Component and an
   Endpoint

   asserted-by and summarized-by have been renamed to produced-by.

   "User" is now "Account". If a user has different credentials, SACM
   cannot know that they belong to the same user. But, per Kim W, many
   organizations do have accounts that associate credentials.

   The multiplicity of the based-on relationships has been corrected.

   More relationships now have labels, per UML convention.

   The diagram no longer has causal arrows. They had become redundant
   and were nonstandard and clutter.

   Renamed "credential" to "identity", following industry usage. A
   credential includes proof, such as a key or password. A username or
   a distinguished name is called an "identity".

   Removed Session, because an endpoint's network activity is not SACM's
   initial focus

   Removed Authorization, for the same reason

   Added many-to-many relationship between Hardware Component and
   Endpoint, for clarity

   Added many-to-many relationship between Software Component and
   Endpoint, for clarity

   Added "contains" relationship between Network Interface and Network
   Interface

   Removed relationship between Network Interface and Account. The
   endpoint knows the identity it used to gain network access. The PDP
   also knows that. But they probably do not know the account.

   Added relationship between Network Interface and Identity. The
   endpoint and the PDP will typically know the identity.

   Made identity-to-account a many-to-one relationship.

A.2.  Changes in Revision 02

   Added Section Identifying Attributes.

   Split the figure into Figure Model of Endpoint and Figure Information
   Elements.

   Added Figure Information Elements Take 2, proposing a triple-store
   model.

   Some editorial cleanup

A.3.  Changes in Revision 03

   Moved Appendix A.1, Appendix A.2, and Mapping to SACM Use Cases into
   the Appendix. Added a reference to it in Section 1

   Added the Section 4 section. Provided notes for the type of
   information we need to add in this section.

   Added the Section 6 section. Moved sections on Endpoint, Hardware
   Component, Software Component, Hardware Instance, and Software
   Instance there.
   Provided notes for the type of information we need
   to add in this section.

   Removed the Provenance of Information Section. SACM is not going to
   solve provenance, but rather give organizations enough information to
   figure it out.

   Updated references to the Endpoint Security Posture Assessment:
   Enterprise Use Cases document to reflect that it was published as an
   RFC.

   Fixed the formatting of a few figures.

   Included references to [RFC3580] where RADIUS is mentioned.

A.4.  Changes in Revision 04

   Integrated the IPFIX [RFC7012] syntax into Section 4.

   Converted many of the existing SACM Information Elements to the IPFIX
   syntax.

   Included existing IPFIX Information Elements and datatypes that could
   likely be reused for SACM in Section 7 and Section 4 respectively.

   Removed the sections related to reports as described in
   https://github.com/sacmwg/draft-ietf-sacm-information-model/issues/30.

   Cleaned up other text throughout the document.

A.5.  Changes in Revision 05

   Merged proposed changes from the I-D IM into the WG IM
   (https://github.com/sacmwg/draft-ietf-sacm-information-model/issues/41).

   Fixed some formatting warnings.

   Removed a duplicate IE and added a few IE datatypes that were
   missing.

A.6.  Changes in Revision 06

   Clarified that the SACM statement and content-element subjects are
   conceptual and that they do not need to be explicitly defined in a
   data model as long as the necessary information is provided.

   Updated the IPFIX syntax used to define Information Elements. There
   are still a couple of open issues that need to be resolved.

   Updated some of the Information Elements contained in Section 7 to
   use the revised IPFIX syntax. The rest of the Information Elements
   will be converted in a later revision.

   Performed various clean-up and refactoring in Sections 6 and 7.
   Still need to go through Section 8.

   Removed appendices that were not referenced in the body of the draft.
   The text from them is still available in previous revisions of this
   document if needed.

A.7.  Changes in Revision 07

   Made various changes to the IPFIX syntax based on discussions at the
   IETF 96 Meeting. Changes included the addition of a structure
   property to the IE specification template, the creation of an
   enumeration datatype, and the specification of an IE naming
   convention.

   Provided text to define Collection Guidance, Evaluation Guidance,
   Classification Guidance, Storage Guidance, and Evaluation Results.

   Included additional IEs related to software, configuration, and the
   vulnerability assessment scenario.

   Added text for the IANA considerations, security considerations,
   operational considerations, and privacy considerations sections.

   Performed various other editorial changes and clean-up.

A.8.  Changes in Revision 08

   Clarified text that describes subjects and attributes.

   Clarified text that describes SACM Statements and Content Elements.

   Removed stray metadata property fields from the definitions of
   several IEs.

   Specified a syntax for defining category IEs.

   Added an anyCategory IE that represents any IE in the IM.

   Fixed several errors reported by the Travis-CI continuous integration
   service.

   Performed various other editorial changes and clean-up.

A.9.  Changes in Revision 09

   Added "derived", "authority", and "verified" to the
   collectionTaskType IE
   (https://github.com/sacmwg/draft-ietf-sacm-information-model/issues/18).

   Updated IE examples that use content-type to use statement-type
   (https://github.com/sacmwg/draft-ietf-sacm-information-model/issues/56).

   Added "networkZoneLocation", "layer2NetworkLocation", and
   "layer3NetworkLocation" IEs
   (https://github.com/sacmwg/draft-ietf-sacm-information-model/issues/9).

   Created a softwareClass attribute IE and added it to the
   softwareInstance subject IE. Also, removed the os* attribute IEs
   (https://github.com/sacmwg/draft-ietf-sacm-information-model/issues/10).

A.10.  Changes in Revision 10

   Added several IEs necessary for the SACM Vulnerability Assessment
   Scenario
   (https://github.com/sacmwg/draft-ietf-sacm-information-model/issues/43).

   Fixed various typos and formatting issues.

Authors' Addresses

   David Waltermire (editor)
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland 20877
   USA

   Email: david.waltermire@nist.gov

   Kim Watson
   United States Department of Homeland Security
   DHS/CS&C/FNR
   245 Murray Ln. SW, Bldg 410
   MS0613
   Washington, DC 20528
   USA

   Email: kimberly.watson@hq.dhs.gov

   Clifford Kahn
   Pulse Secure, LLC
   2700 Zanker Road, Suite 200
   San Jose, CA 95134
   USA

   Email: cliffordk@pulsesecure.net

   Lisa Lorenzin
   Pulse Secure, LLC
   2700 Zanker Road, Suite 200
   San Jose, CA 95134
   USA

   Email: llorenzin@pulsesecure.net

   Michael Cokus
   The MITRE Corporation
   903 Enterprise Parkway, Suite 200
   Hampton, VA 23666
   USA

   Email: msc@mitre.org

   Daniel Haynes
   The MITRE Corporation
   202 Burlington Road
   Bedford, MA 01730
   USA

   Email: dhaynes@mitre.org

   Henk Birkholz
   Fraunhofer SIT
   Rheinstrasse 75
   Darmstadt 64295
   Germany

   Email: henk.birkholz@sit.fraunhofer.de