Network Working Group B. Munyan
Internet-Draft A. Montville
Intended status: Informational Center for Internet Security
Expires: January 16, 2019 S. Banghart
NIST
July 15, 2018
Definition of the ROLIE configuration checklist Extension
draft-mandm-sacm-rolie-configuration-checklist-01
Abstract
This document extends the Resource-Oriented Lightweight Information
Exchange (ROLIE) core by defining a new information-type to ROLIE's
atom:category pertaining to security configuration checklists.
Additional supporting requirements are also defined which describe
the use of specific formats and link relations pertaining to the new
information-type.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 16, 2019.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Munyan, et al. Expires January 16, 2019 [Page 1]
Internet-Draft rolie-cc-ext July 2018
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. The 'configuration-checklist' information type . . . . . . . 3
4. Data format requirements . . . . . . . . . . . . . . . . . . 4
4.1. Data Format 1 . . . . . . . . . . . . . . . . . . . . . . 4
4.1.1. Description . . . . . . . . . . . . . . . . . . . . . 4
4.1.2. Requirements . . . . . . . . . . . . . . . . . . . . 4
5. rolie:property Extensions . . . . . . . . . . . . . . . . . . 5
6. Use of the atom:link element . . . . . . . . . . . . . . . . 5
7. Use of atom:category . . . . . . . . . . . . . . . . . . . . 6
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
9. Security Considerations . . . . . . . . . . . . . . . . . . . 8
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 8
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
11.1. Normative References . . . . . . . . . . . . . . . . . . 8
11.2. Informative References . . . . . . . . . . . . . . . . . 8
11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
This document defines an extension to the Resource-Oriented
Lightweight Information Exchange (ROLIE) [RFC8322] protocol [RFC8322]
to support the publication of configuration checklist information.
Many enterprises operate according to guidance provided to them by a
control framework ( [CIS_Critical_Controls] , [PCI_DSS] ,
[NIST_800-53] etc.), which often prescribe that an enterprise define
a standard, secure configuration for each technology they operate.
Such standard secure configurations are often referred to as
configuration checklists. These configuration checklists contain a
set of configuration recommendations for a given endpoint. A
configuration recommendation prescribes expected values pertaining to
one or more discrete endpoint attributes.
2. Terminology
Configuration Checklist A configuration checklist is an organized
collection of rules about a particular kind of system or platform.
Configuration Item Generally synonymous with endpoint attribute.
Munyan, et al. Expires January 16, 2019 [Page 2]
Internet-Draft rolie-cc-ext July 2018
Configuration Recommendation A configuration recommendation is an
expression of the desired posture of one or more configuration items.
A configuration recommendation generally includes the description of
the recommendation, a rationale statement, and the expected state of
collected posture information.
TODO: Others?? TBD
TODO: There needs to be a "normative" reference to the SCAP 1.2/3
specifications and schema definitions
3. The 'configuration-checklist' information type
This document defines and registers a new information-type:
"configuration-checklist".
The "configuration-checklist" information type represents a body of
information describing a set of configuration recommendations. A
configuration recommendation is, minimally, a configurable item
paired with a recommended value or range of value. Depending on the
source, a configuration recommendation may carry with it additional
information (i.e. description, references, rationale, etc.).
Provided below is a non-exhaustive list of information that may be
considered as components of a configuration checklist.
o A "Data Stream":
o A "Benchmark"
o A "Profile"
o A "Value"
o A "Rule" or "Group" of Rules
* Description
* Rationale
* Remediation Instructions
* Information, described in the dialect of a supported "check
system", indicating the method(s) used to audit the checklist
configuration item.
o Applicable Platform Information
o Information regarding a set of patches to be evaluated
Munyan, et al. Expires January 16, 2019 [Page 3]
Internet-Draft rolie-cc-ext July 2018
o Any supported "tailoring" information, providing a method for
evaluating entities to refine the recommendations in the data
stream without modifying the published data stream content. (WKM
NOTE: Does "tailoring" need to be here? Why would any tailoring
be included in a published feed? Unless the organization is re-
publishing the content with their tailoring included.)
4. Data format requirements
This section defines usage guidance and additional requirements
related to data formats above and beyond those specified in [RFC8322]
. The following formats are expected to be commonly used to express
software descriptor information. For this reason, this document
specifies additional requirements to ensure interoperability.
TODO, integrate this information:
o scap-1.2
o PDF
o xccdf-1.2-collection
o oval
o cvrf
o cve (should we reuse the enumref?); Look at the "enumref" and see
if we can copy/paste configuration checklist-specific information
in a similar manner? Can we then include that enum reference in
the ROLIE extension document or should we create a new "enumref"
document separately?
o vulnerability
4.1. Data Format 1
4.1.1. Description
This is data section 1 TODO
4.1.2. Requirements
This is requirement 1 TODO
Munyan, et al. Expires January 16, 2019 [Page 4]
Internet-Draft rolie-cc-ext July 2018
5. rolie:property Extensions
This document provides new registrations for valid rolie:property
names. These properties provide optional exposure point for valuable
information in the linked content document. Exposing this
information in a rolie:property element means that clients do not
need to download the linked document to determine if it contains
information they are interested in.
A breadth of metadata may be included with a configuration checklist
as identifying information. A publishing organization may wish to
recognize or attribute checklist authors or contributors, or maintain
a revision/version history over time. Other metadata that may be
included could indicate the various categories of products to which
the checklist applies, such as Operating System, Network Device, or
Application Server.
The following list describes various 'rolie:property' constructs.
o contributor (0..n)
* An unbounded number of "rolie:property" elements with a "name"
attribute of "contributor" may be included to indicate those
individuals noted as recognized contributors to the
configuration checklist and/or the recommendations contained
within.
o checklist version: The "value" of the "checklist version" property
indicates the version number of the configuration checklist, such
as "3.1.1"
o title: The "value" of the "title" property indicates the document
title of the configuration checklist, such as "CIS Benchmark for
Microsoft Windows Server 2012 R2"
o overview
6. Use of the atom:link element
The following link relations are defined in the following table.
These relations are not registered in the Link Relation IANA table
due to their niche usage. These link relations are valid for any
link element in a checklist Entry.
Munyan, et al. Expires January 16, 2019 [Page 5]
Internet-Draft rolie-cc-ext July 2018
+-----------------+-------------------------------------------------+
| Name | Description |
+-----------------+-------------------------------------------------+
| ancestor | Links to a configuration checklist supersceded |
| | by that described in this entry |
| | |
| target-platform | Links to a software descriptor resource |
| | defining the software subject to this |
| | configuration checklist entry |
| | |
| version | Links to a text resource indicating the version |
| | of the configuration checklist |
+-----------------+-------------------------------------------------+
7. Use of atom:category
This document registers an additional atom:category name:
'urn:ietf:params:rolie:category:checklist:nistncpproductcategory'
When the name attribute of a category element is this names, the
value attribute SHOULD be one of the valid product categories from
the NIST NCP Product Category List, such as:
o Antivirus Software
o Application Server
o Auditing
o Authentication
o Automation/Productivity Application Suite
o Client and Server Encryption
o Configuration Management Software
o Database Management System
o Desktop Application
o Desktop Client
o DHCP Server
o Directory Service
o DNS Server
Munyan, et al. Expires January 16, 2019 [Page 6]
Internet-Draft rolie-cc-ext July 2018
o Email Server
o Encryption Software
o Enterprise Application
o File Encryption
o Firewall
o Firmware
o Handheld Device
o Identity Management
o Intrusion Detection System
o KVM
o Mail Server
o Malware
o Mobile Solution
o Monitoring
o Multi-Functional Peripheral
o Network Router
o Network Switch
o Office Suite
o Operating System
o Peripheral Device
o Security Server
o Server
o Virtual Machine
o Virtualization Software
Munyan, et al. Expires January 16, 2019 [Page 7]
Internet-Draft rolie-cc-ext July 2018
o Web Browser
o Web Server
o Wireless Email
o Wireless Network
8. IANA Considerations
Per this document, IANA has added an entry to the "ROLIE Security
Resource Information Type Sub-Registry" registry located at
https://www.iana.org/assignments/rolie/category/information-type [1].
name: configuration-checklist
index: TBD
reference: This document, Section TODO
TODO add Propertyies and Categories
9. Security Considerations
Any user of this extension should be familiar with the security
considerations of ROLIE [RFC8322].
10. Privacy Considerations
Any user of this extension should be familiar with the privacy
considerations of ROLIE [RFC8322].
11. References
11.1. Normative References
[RFC8322] Field, J., Banghart, S., and D. Waltermire, "Resource-
Oriented Lightweight Information Exchange (ROLIE)",
RFC 8322, DOI 10.17487/RFC8322, February 2018,
<https://www.rfc-editor.org/info/rfc8322>.
11.2. Informative References
[CIS_Critical_Controls]
"CIS Critical Security Controls", August 2016,
<https://www.cisecurity.org/critical-controls/>.
Munyan, et al. Expires January 16, 2019 [Page 8]
Internet-Draft rolie-cc-ext July 2018
[NIST_800-53]
Hanson, R., "NIST 800-53", September 2007,
<http://deusty.blogspot.com/2007/09/
stunt-out-of-band-channels.html>.
[PCI_DSS] "PCI Data Security Standard", April 2016,
<https://www.pcisecuritystandards.org/
document_library?category=pcidss&document=pci_dss>.
11.3. URIs
[1] https://www.iana.org/assignments/rolie/category/information-type
Authors' Addresses
Bill Munyan
Center for Internet Security
31 Tech Valley Drive
East Greenbush, NY 12061
USA
Email: bill.munyan.ietf@gmail.com
Adam Montville
Center for Internet Security
31 Tech Valley Drive
East Greenbush, NY 12061
USA
Email: adam.w.montville@gmail.com
Stephen A. Banghart
National Institute of Standards and Technology
100 Bureau Drive
Gaithersburg, Maryland
USA
Phone: (301)975-4288
Email: sab3@nist.gov
Munyan, et al. Expires January 16, 2019 [Page 9]
