sacm C. Inacio
Internet-Draft CMU
Intended status: Standards Track July 25, 2019
Expires: January 26, 2020
SACM Information Model
draft-inacio-sacm-infomodel-00
Abstract
This defines the information model for the Security Automation and
Continuous Monitoring (SACM) standards. The working group faces a
set of complex issues when trying to define an information model that
complicates this effort:
o There are many standards in the SACM space which are not
interoperable
o There exists an extremely large and diverse set of data types
which are desirable to exchange
o Many data types depend on the operating systems from which they
are collected; making a universal typing harder
o A goal of SACM is to cover a diverse set of system types
These complex needs create a information model which is difficult to
unify within the environment. Instead, this information model design
is focused on minimum needed functionality with the desire to include
a type system design into the information model allowing for easy
expandability. It is envisioned that this information model will
serve the following purposes:
o Enough well specified elements in order to exchange key data
fields between systems
o Sufficient typing system to expand key fields over time and use of
a registry to standardize common expansions
o Meta information such that compplete information exchange using
various other formats understood by all parties can be used as
needed to exchange complete records on demand
o Sufficient action verbs defined to allow orchestration between
various systems to allow unified control of federated components
Inacio Expires January 26, 2020 [Page 1]
Internet-Draft sacm-infomodel July 2019
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 26, 2020.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Conventions and Terminology . . . . . . . . . . . . . . . 3
2. Minimal Needed Information Elements . . . . . . . . . . . . . 4
3. Information Element Metadata . . . . . . . . . . . . . . . . 4
3.1. Information Elements . . . . . . . . . . . . . . . . . . 4
3.1.1. IPv4 Address . . . . . . . . . . . . . . . . . . . . 4
3.1.2. IPv6 Address . . . . . . . . . . . . . . . . . . . . 5
3.1.3. Hostname . . . . . . . . . . . . . . . . . . . . . . 5
3.1.4. AssettID . . . . . . . . . . . . . . . . . . . . . . 6
3.1.5. MACAddress . . . . . . . . . . . . . . . . . . . . . 6
3.1.6. Timestamp . . . . . . . . . . . . . . . . . . . . . . 6
3.1.7. Action . . . . . . . . . . . . . . . . . . . . . . . 7
3.1.8. Action Parameters . . . . . . . . . . . . . . . . . . 7
3.1.9. AdditionalDataType . . . . . . . . . . . . . . . . . 7
Inacio Expires January 26, 2020 [Page 2]
Internet-Draft sacm-infomodel July 2019
3.1.10. AdditionalData . . . . . . . . . . . . . . . . . . . 8
3.1.11. Extra . . . . . . . . . . . . . . . . . . . . . . . . 8
4. Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7. Normative References . . . . . . . . . . . . . . . . . . . . 9
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 9
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
The set of elements which are desired to standarize are the subset of
data elements used within the SACM standards and related standards.
To this end, the core capability to reasonably identify a network end
point and minimally describe an event along with enough information
that two parties involved in the communication may determine a way
forward for further information exchange. The minimal set of
activity and endpoint identifiers will allow parties participating in
SACM communications to effectively search their respecitive data
stores for relevent and related information and respond to queries or
accept events in kind.
This information model is intended to describe a minimal number of
elements which enable this functionality, but also sufficiently
describe the attributes which can define those elements. This
combination of information intends to provide enough meta information
about information elements to allow both in protocol definition of
types in possible data models as well as clear construction of future
standardized element definitions. Conversely, this information model
is not attempting to define all possible information elements that
need to be exchanged. Many information elements, especially those
related to host monitoring, are heavily related to the operating
system and related software for proper context - beyond the initial
scope of this standard.
1.1. Conventions and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119][RFC8174] when, and only when, they appear in all
capitals, as shown here.
Additionally, the key words "*MIGHT*", "*COULD*", "*MAY WISH TO*",
"*WOULD PROBABLY*", "*SHOULD CONSIDER*", and "*MUST (BUT WE KNOW YOU
WON'T)*" in this document are to interpreted as described in RFC 6919
[RFC6919].
Inacio Expires January 26, 2020 [Page 3]
Internet-Draft sacm-infomodel July 2019
2. Minimal Needed Information Elements
IP Address, hostname, time/date, SWID/CoSWID ID's, firmware versions,
serial number, MAC address, certificate ID
3. Information Element Metadata
name, basic_data_type, octet_length, data_use_type (label, counter,
gauge), description, std/vendor type, structure/composite
The following fields are defined in the set of metadata about each
information element
name:
A descriptive but concise name to be used for human understanding
basic data type:
A fundamental data type supported by the this information model.
The predefined types include unsigned integers, signed integers,
octet array, string, IP addresses, MAC addresses
octet length:
The number of octets maximally used for this information
data use type:
This refines the basic data type expressing the usage of the
value. For example, some integers represent mathematical values
and may be added together (counts for example) while some things
may be expressed as an integer, but are really a type of label
(e.g. IP address)
description:
A longer textual description of this data type
registration domain:
The domain in which this information element is defined.
composite structure:
The definition of the composite structure of following elements,
e.g. list, set, map
3.1. Information Elements
3.1.1. IPv4 Address
Inacio Expires January 26, 2020 [Page 4]
Internet-Draft sacm-infomodel July 2019
+---------------------+----------------------------------------+
| Field | Value |
+---------------------+----------------------------------------+
| Name | IPv4 |
| Basic data type | 32-bit unsigned integer |
| Octet length | 4 |
| Data use type | Label |
| Description | An Internet Protocol version 4 address |
| Registration domain | standard |
| Composite structure | N/A |
| Comments | |
+---------------------+----------------------------------------+
3.1.2. IPv6 Address
+---------------------+----------------------------------------+
| Field | Value |
+---------------------+----------------------------------------+
| Name | IPv6 |
| Basic data type | octet array |
| Octet length | 16 |
| Data use type | Label |
| Description | An Internet Protocol version 6 address |
| Registration domain | standard |
| Composite structure | N/A |
| Comments | |
+---------------------+----------------------------------------+
3.1.3. Hostname
+---------------------+---------------------------------------------+
| Field | Value |
+---------------------+---------------------------------------------+
| Name | Hostname |
| Basic data type | string |
| Octet length | up to 256 |
| Data use type | Label |
| Description | Fully qualified domain name of endpoint |
| | system |
| Registration domain | standard |
| Composite structure | N/A |
| Comments | |
+---------------------+---------------------------------------------+
Inacio Expires January 26, 2020 [Page 5]
Internet-Draft sacm-infomodel July 2019
3.1.4. AssettID
+---------------------+--------------------------+
| Field | Value |
+---------------------+--------------------------+
| Name | AssettID |
| Basic data type | string |
| Octet length | up to 256 |
| Data use type | Label |
| Description | AssettID of topic assett |
| Registration domain | standard |
| Composite structure | N/A |
| Comments | |
+---------------------+--------------------------+
3.1.5. MACAddress
+---------------------+---------------------------+
| Field | Value |
+---------------------+---------------------------+
| Name | MACAddress |
| Basic data type | string |
| Octet length | 6 |
| Data use type | Label |
| Description | IEEE 802 Hardware Address |
| Registration domain | standard |
| Composite structure | N/A |
| Comments | |
+---------------------+---------------------------+
3.1.6. Timestamp
+---------------------+---------------------------+
| Field | Value |
+---------------------+---------------------------+
| Name | timestamp |
| Basic data type | ISO time formatted string |
| Octet length | variable |
| Data use type | time/date |
| Description | time date string |
| Registration domain | standard |
| Composite structure | N/A |
| Comments | |
+---------------------+---------------------------+
Inacio Expires January 26, 2020 [Page 6]
Internet-Draft sacm-infomodel July 2019
3.1.7. Action
+-------------------+-----------------------------------------------+
| Field | Value |
+-------------------+-----------------------------------------------+
| Name | Action |
| Basic data type | enumeration |
| Octet length | 2 |
| Data use type | label |
| Description | |
| Registration | standard |
| domain | |
| Composite | |
| structure | |
| Comments | RunAssessment, AssessmentResult, Subscribe, |
| | PubEvent, |
+-------------------+-----------------------------------------------+
3.1.8. Action Parameters
+-----------------+-------------------------------------------------+
| Field | Value |
+-----------------+-------------------------------------------------+
| Name | Action Parameters |
| Basic data type | list |
| Octet length | variable |
| Data use type | variable |
| Description | parameters for the action command, defined per |
| | action command |
| Registration | standard |
| domain | |
| Composite | list |
| structure | |
| Comments | |
+-----------------+-------------------------------------------------+
3.1.9. AdditionalDataType
Inacio Expires January 26, 2020 [Page 7]
Internet-Draft sacm-infomodel July 2019
+--------------+----------------------------------------------------+
| Field | Value |
+--------------+----------------------------------------------------+
| Name | AdditionalDataType |
| Basic data | 16-bit integer |
| type | |
| Octet length | 2 |
| Data use | label |
| type | |
| Description | An enumeration of registered additional data types |
| | that can be contained in the AdditionalData field |
| Registration | standard |
| domain | |
| Composite | N/A |
| structure | |
| Comments | |
+--------------+----------------------------------------------------+
3.1.10. AdditionalData
+----------------+--------------------------------------------------+
| Field | Value |
+----------------+--------------------------------------------------+
| Name | AdditionalData |
| Basic data | octet-array |
| type | |
| Octet length | variable |
| Data use type | opaque |
| Description | This is an envelope to contain other |
| | standardized data exchange formats |
| Registration | standard |
| domain | |
| Composite | N/A |
| structure | |
| Comments | formats like OVAL or IF-MAP may be contained in |
| | here |
+----------------+--------------------------------------------------+
3.1.11. Extra
[ed: remove before publication]
Inacio Expires January 26, 2020 [Page 8]
Internet-Draft sacm-infomodel July 2019
+---------------------+----------+
| Field | Value |
+---------------------+----------+
| Name | |
| Basic data type | |
| Octet length | |
| Data use type | |
| Description | |
| Registration domain | standard |
| Composite structure | |
| Comments | |
+---------------------+----------+
4. Updates
o 25-July-2019 - initial document
5. IANA Considerations
This will create a IANA registery of elements, eventually. IANA
language to be added
6. Security Considerations
To be completed.
7. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC6919] Barnes, R., Kent, S., and E. Rescorla, "Further Key Words
for Use in RFCs to Indicate Requirement Levels", RFC 6919,
DOI 10.17487/RFC6919, April 2013,
<https://www.rfc-editor.org/info/rfc6919>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
Appendix A. Acknowledgements
The contributions of the SACM working group have greatly impacted the
thinking presented here. In particular, we wish to thank Bill
Munyan, Adam Monteville, and Henk Birkholz.
Inacio Expires January 26, 2020 [Page 9]
Internet-Draft sacm-infomodel July 2019
Author's Address
Christopher Inacio
Carnegie Mellon University
4500 5th Ave.
Pittsburgh PA 15213
United States
Email: inacio@cert.org
Inacio Expires January 26, 2020 [Page 10]