Network Working Group                                          B. Munyan
Internet-Draft                                              A. Montville
Intended status: Informational              Center for Internet Security
Expires: January 16, 2019                                    S. Banghart
                                                                    NIST
                                                           July 15, 2018


         Definition of the ROLIE configuration checklist Extension
              draft-mandm-sacm-rolie-configuration-checklist-01

Abstract

   This document extends the Resource-Oriented Lightweight Information
   Exchange (ROLIE) core by defining a new information-type to ROLIE's
   atom:category pertaining to security configuration checklists.
   Additional supporting requirements are also defined which describe
   the use of specific formats and link relations pertaining to the new
   information-type.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 16, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  The 'configuration-checklist' information type
   4.  Data format requirements
       4.1.  Data Format 1
             4.1.1.  Description
             4.1.2.  Requirements
   5.  rolie:property Extensions
   6.  Use of the atom:link element
   7.  Use of atom:category
   8.  IANA Considerations
   9.  Security Considerations
   10. Privacy Considerations
   11. References
       11.1.  Normative References
       11.2.  Informative References
       11.3.  URIs
   Authors' Addresses

1.  Introduction

   This document defines an extension to the Resource-Oriented
   Lightweight Information Exchange (ROLIE) protocol [RFC8322] to
   support the publication of configuration checklist information.
   Many enterprises operate according to guidance provided to them by a
   control framework ([CIS_Critical_Controls], [PCI_DSS], [NIST_800-53],
   etc.), which often prescribes that an enterprise define a standard,
   secure configuration for each technology it operates.  Such standard
   secure configurations are often referred to as configuration
   checklists.  These configuration checklists contain a set of
   configuration recommendations for a given endpoint.  A configuration
   recommendation prescribes expected values pertaining to one or more
   discrete endpoint attributes.

2.  Terminology

   Configuration Checklist  A configuration checklist is an organized
      collection of rules about a particular kind of system or platform.

   Configuration Item  Generally synonymous with endpoint attribute.

   Configuration Recommendation  A configuration recommendation is an
      expression of the desired posture of one or more configuration
      items.  A configuration recommendation generally includes the
      description of the recommendation, a rationale statement, and the
      expected state of collected posture information.

   TODO: Others?? TBD

   TODO: There needs to be a "normative" reference to the SCAP 1.2/3
   specifications and schema definitions

3.  The 'configuration-checklist' information type

   This document defines and registers a new information-type:
   "configuration-checklist".

   The "configuration-checklist" information type represents a body of
   information describing a set of configuration recommendations.  A
   configuration recommendation is, minimally, a configurable item
   paired with a recommended value or range of values.  Depending on the
   source, a configuration recommendation may carry with it additional
   information (e.g. description, references, rationale, etc.).
   Provided below is a non-exhaustive list of information that may be
   considered as components of a configuration checklist.

   o  A "Data Stream"

   o  A "Benchmark"

   o  A "Profile"

   o  A "Value"

   o  A "Rule" or "Group" of Rules

      *  Description

      *  Rationale

      *  Remediation Instructions

      *  Information, described in the dialect of a supported "check
         system", indicating the method(s) used to audit the checklist
         configuration item.

   o  Applicable Platform Information

   o  Information regarding a set of patches to be evaluated

   o  Any supported "tailoring" information, providing a method for
      evaluating entities to refine the recommendations in the data
      stream without modifying the published data stream content.  (WKM
      NOTE: Does "tailoring" need to be here?  Why would any tailoring
      be included in a published feed?  Unless the organization is re-
      publishing the content with their tailoring included.)

4.  Data format requirements

   This section defines usage guidance and additional requirements
   related to data formats above and beyond those specified in
   [RFC8322].  The following formats are expected to be commonly used
   to express software descriptor information.  For this reason, this
   document specifies additional requirements to ensure
   interoperability.

   TODO, integrate this information:

   o  scap-1.2

   o  PDF

   o  xccdf-1.2-collection

   o  oval

   o  cvrf

   o  cve (should we reuse the enumref?); Look at the "enumref" and see
      if we can copy/paste configuration checklist-specific information
      in a similar manner?  Can we then include that enum reference in
      the ROLIE extension document or should we create a new "enumref"
      document separately?

   o  vulnerability

4.1.  Data Format 1

4.1.1.  Description

   This is data section 1 TODO

4.1.2.  Requirements

   This is requirement 1 TODO

5.  rolie:property Extensions

   This document provides new registrations for valid rolie:property
   names.  These properties provide optional exposure points for
   valuable information in the linked content document.  Exposing this
   information in a rolie:property element means that clients do not
   need to download the linked document to determine if it contains
   information they are interested in.

   A breadth of metadata may be included with a configuration checklist
   as identifying information.  A publishing organization may wish to
   recognize or attribute checklist authors or contributors, or maintain
   a revision/version history over time.  Other metadata that may be
   included could indicate the various categories of products to which
   the checklist applies, such as Operating System, Network Device, or
   Application Server.

   The following list describes various 'rolie:property' constructs.

   o  contributor (0..n)

      *  An unbounded number of "rolie:property" elements with a "name"
         attribute of "contributor" may be included to indicate those
         individuals noted as recognized contributors to the
         configuration checklist and/or the recommendations contained
         within.

   o  checklist version: The "value" of the "checklist version" property
      indicates the version number of the configuration checklist, such
      as "3.1.1".

   o  title: The "value" of the "title" property indicates the document
      title of the configuration checklist, such as "CIS Benchmark for
      Microsoft Windows Server 2012 R2".

   o  overview

6.  Use of the atom:link element

   The following link relations are defined in the table below.  These
   relations are not registered in the Link Relation IANA table due to
   their niche usage.  These link relations are valid for any link
   element in a checklist Entry.

   +-----------------+-------------------------------------------------+
   | Name            | Description                                     |
   +-----------------+-------------------------------------------------+
   | ancestor        | Links to a configuration checklist superseded   |
   |                 | by that described in this entry                 |
   |                 |                                                 |
   | target-platform | Links to a software descriptor resource         |
   |                 | defining the software subject to this           |
   |                 | configuration checklist entry                   |
   |                 |                                                 |
   | version         | Links to a text resource indicating the version |
   |                 | of the configuration checklist                  |
   +-----------------+-------------------------------------------------+

7.  Use of atom:category

   This document registers an additional atom:category name:
   'urn:ietf:params:rolie:category:checklist:nistncpproductcategory'

   When the name attribute of a category element is this name, the
   value attribute SHOULD be one of the valid product categories from
   the NIST NCP Product Category List, such as:

   o  Antivirus Software

   o  Application Server

   o  Auditing

   o  Authentication

   o  Automation/Productivity Application Suite

   o  Client and Server Encryption

   o  Configuration Management Software

   o  Database Management System

   o  Desktop Application

   o  Desktop Client

   o  DHCP Server

   o  Directory Service

   o  DNS Server

   o  Email Server

   o  Encryption Software

   o  Enterprise Application

   o  File Encryption

   o  Firewall

   o  Firmware

   o  Handheld Device

   o  Identity Management

   o  Intrusion Detection System

   o  KVM

   o  Mail Server

   o  Malware

   o  Mobile Solution

   o  Monitoring

   o  Multi-Functional Peripheral

   o  Network Router

   o  Network Switch

   o  Office Suite

   o  Operating System

   o  Peripheral Device

   o  Security Server

   o  Server

   o  Virtual Machine

   o  Virtualization Software

   o  Web Browser

   o  Web Server

   o  Wireless Email

   o  Wireless Network

8.  IANA Considerations

   Per this document, IANA has added an entry to the "ROLIE Security
   Resource Information Type Sub-Registry" registry located at
   https://www.iana.org/assignments/rolie/category/information-type [1].

   name: configuration-checklist

   index: TBD

   reference: This document, Section TODO

   TODO add Properties and Categories

9.  Security Considerations

   Any user of this extension should be familiar with the security
   considerations of ROLIE [RFC8322].

10.  Privacy Considerations

   Any user of this extension should be familiar with the privacy
   considerations of ROLIE [RFC8322].

11.  References

11.1.  Normative References

   [RFC8322]  Field, J., Banghart, S., and D. Waltermire, "Resource-
              Oriented Lightweight Information Exchange (ROLIE)",
              RFC 8322, DOI 10.17487/RFC8322, February 2018.

11.2.  Informative References

   [CIS_Critical_Controls]
              "CIS Critical Security Controls", August 2016.

   [NIST_800-53]
              Hanson, R., "NIST 800-53", September 2007.

   [PCI_DSS]  "PCI Data Security Standard", April 2016.

11.3.  URIs

   [1] https://www.iana.org/assignments/rolie/category/information-type

Authors' Addresses

   Bill Munyan
   Center for Internet Security
   31 Tech Valley Drive
   East Greenbush, NY 12061
   USA

   Email: bill.munyan.ietf@gmail.com


   Adam Montville
   Center for Internet Security
   31 Tech Valley Drive
   East Greenbush, NY 12061
   USA

   Email: adam.w.montville@gmail.com


   Stephen A. Banghart
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland
   USA

   Phone: (301)975-4288
   Email: sab3@nist.gov
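As an added, non-normative illustration of Sections 5 through 7 (it is not part of the draft and not the authors' code): a client-side Python routine that reads the extension metadata out of a ROLIE entry, so the linked checklist can be triaged without downloading it, and checks the Section 7 category value against the NCP list. It assumes the ROLIE XML namespace from RFC 8322, maps the draft's category "name"/"value" attributes onto atom:category's scheme/term, uses the property names "title", "checklist version" and "contributor" as written in Section 5, and embeds a constructed sample entry.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
ROLIE = "{urn:ietf:params:xml:ns:rolie-1.0}"  # ROLIE namespace from RFC 8322
INFO_TYPE = "urn:ietf:params:rolie:category:information-type"
NCP_CATEGORY = "urn:ietf:params:rolie:category:checklist:nistncpproductcategory"
NCP_PRODUCT_CATEGORIES = {  # subset of the NIST NCP list quoted in Section 7
    "Operating System", "Web Server", "Firewall",
    "Database Management System", "Network Router"}
CHECKLIST_RELS = {"ancestor", "target-platform", "version"}  # Section 6

# Constructed sample entry; assumes the draft's category "name"/"value" map
# onto Atom's scheme/term and property names are used as written in Section 5.
SAMPLE_ENTRY = f"""<entry xmlns="{ATOM[1:-1]}" xmlns:rolie="{ROLIE[1:-1]}">
  <title>Sample checklist entry</title>
  <category scheme="{INFO_TYPE}" term="configuration-checklist"/>
  <category scheme="{NCP_CATEGORY}" term="Operating System"/>
  <rolie:property name="title" value="Sample Benchmark for Example OS"/>
  <rolie:property name="checklist version" value="3.1.1"/>
  <rolie:property name="contributor" value="A. Contributor"/>
  <rolie:property name="contributor" value="B. Contributor"/>
  <link rel="ancestor" href="https://example.com/checklists/example-os-3.1.0"/>
  <link rel="target-platform" href="https://example.com/descriptors/example-os"/>
</entry>"""

def summarize_entry(xml_text):
    """Extract the Section 5-7 metadata a client can triage on without fetching."""
    entry = ET.fromstring(xml_text)
    cats = {c.get("scheme"): c.get("term") for c in entry.findall(ATOM + "category")}
    props = {}
    for p in entry.findall(ROLIE + "property"):  # 0..n per name, e.g. contributor
        props.setdefault(p.get("name"), []).append(p.get("value"))
    links = {ln.get("rel", "alternate"): ln.get("href")  # Atom's default rel
             for ln in entry.findall(ATOM + "link")}
    return {"information_type": cats.get(INFO_TYPE),
            "product_category": cats.get(NCP_CATEGORY),
            "title": props.get("title", [None])[0],
            "version": props.get("checklist version", [None])[0],
            "contributors": props.get("contributor", []),
            "links": {r: h for r, h in links.items() if r in CHECKLIST_RELS}}

def check_entry(xml_text):
    """Findings: info-type must be configuration-checklist; NCP value SHOULD match."""
    s = summarize_entry(xml_text)
    findings = []
    if s["information_type"] != "configuration-checklist":
        findings.append("information-type is not configuration-checklist")
    cat = s["product_category"]
    if cat is not None and cat not in NCP_PRODUCT_CATEGORIES:
        findings.append(f"product category {cat!r} is not in the NCP list")
    return findings
```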