Definition of the ROLIE configuration checklist Extension
draft-mandm-sacm-rolie-configuration-checklist-02

Versions: 00 01 02                                         Informational
Network Working Group                                        S. Banghart
Internet-Draft                                                      NIST
Intended status: Informational                                 B. Munyan
Expires: January 14, 2021                                   A. Montville
                                            Center for Internet Security
                                                               G. Alford
                                                           Red Hat, Inc.
                                                           July 13, 2020


       Definition of the ROLIE configuration checklist Extension
           draft-mandm-sacm-rolie-configuration-checklist-02

Abstract

   This document extends the Resource-Oriented Lightweight Information
   Exchange (ROLIE) core to add the information type categories and
   related requirements needed to support security configuration
   checklist use cases.  Additional categories, properties, and
   requirements based on content type enables a higher level of
   interoperability between ROLIE implementations, and richer metadata
   for ROLIE consumers.  Additionally, this document discusses
   requirements and usage of other ROLIE elements in order to best
   syndicate security configuration checklists.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 14, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.





Banghart, et al.        Expires January 14, 2021                [Page 1]


Internet-Draft                rolie-cc-ext                     July 2020


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  The 'configuration-checklist' information-type  . . . . . . .   3
   4.  rolie:property Extensions . . . . . . . . . . . . . . . . . .   4
   5.  Handling Existing Checklist Formats . . . . . . . . . . . . .   7
   6.  atom:link Extensions  . . . . . . . . . . . . . . . . . . . .   8
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
     7.1.  configuration-checklist information-type  . . . . . . . .   8
     7.2.  checklist:constributor property . . . . . . . . . . . . .   9
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   9.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  10
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  10
     10.2.  Informative References . . . . . . . . . . . . . . . . .  10
   Appendix A.  Examples . . . . . . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   Default configurations for endpoints (operating systems,
   applications, etc.) are normally geared towards ease-of-use or ease-
   of-deployment, not security.  As such, many enterprises operate
   according to guidance provided to them by a control framework
   ([CIS_Critical_Controls], [PCI_DSS], [NIST_800-53] etc.), which often
   prescribe that an enterprise define a standard, security-minded
   configuration for each technology they operate.  Such standard
   configurations are often referred to as configuration checklists.
   This document defines an extension to the Resource-Oriented
   Lightweight Information Exchange (ROLIE) protocol
   [I-D.ietf-mile-rolie] to support the publication of configuration
   checklist information.  Configuration checklists contain a set of
   configuration recommendations for a given endpoint.  A configuration
   recommendation prescribes expected values pertaining to one or more
   discrete endpoint attributes.





Banghart, et al.        Expires January 14, 2021                [Page 2]


Internet-Draft                rolie-cc-ext                     July 2020


2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The previous key words are used in this document to define the
   requirements for implementations of this specification.  As a result,
   the key words in this document are not used for recommendations or
   requirements for the use of ROLIE.

   As an extension of [RFC8322], this document refers to many terms
   defined in that document.  In particular, the use of "Entry" and
   "Feed" are aligned with the definitions presented in section TODO of
   ROLIE.

   Several places in this document refer to the "information-type" of a
   Resource (Entry or Feed).  This refers to the "term" attribute of an
   "atom:category" element whose scheme is
   "urn:ietf:params:rolie:category:information-type".  For an Entry,
   this value can be inherited from it's containing Feed as per
   [RFC8322].

   Other terminology used in this document is defined below:

   Configuration Item  Generally synonymous with endpoint attribute.

   Configuration Checklist  A configuration checklist is an organized
      collection of rules about a particular kind of system or platform.

   Configuration Recommendation  A configuration recommendation is an
      expression of the desired posture of one or more configuration
      items.  A configuration recommendation generally includes the
      description of the recommendation, a rationale statement, and the
      expected state of collected posture information.

   TODO: There needs to be a "normative" reference to the SCAP 1.2/3
   specifications and schema definitions

3.  The 'configuration-checklist' information-type

   This document registers a new information type for use in ROLIE
   repositories.  The "configuration-checklist" information type
   represents a body of information describing a set of configuration
   recommendations.  A configuration recommendation is, minimally, a
   single configuration item paired with a recommended value or range of



Banghart, et al.        Expires January 14, 2021                [Page 3]


Internet-Draft                rolie-cc-ext                     July 2020


   values.  Depending on the source, a configuration recommendation may
   carry with it additional information (i.e.  description, references,
   rationale, etc.).  Provided below is a non-exhaustive list of
   information that may be considered as components of a configuration
   checklist.

   o  A "Data Stream"

   o  A "Benchmark"

   o  A "Profile"

   o  A "Value"

   o  A "Rule" or "Group" of Rules

      *  Description

      *  Rationale

      *  Remediation Instructions

      *  Information, described in the dialect of a supported "check
         system", indicating the method(s) used to audit the checklist
         configuration item.

   o  Applicable Platform Information

   o  Information regarding a set of patches to be evaluated

4.  rolie:property Extensions

   A breadth of metadata may be included with a configuration checklist
   as identifying information.  A publishing organization may wish to
   recognize or attribute checklist authors or contributors, or maintain
   a revision/version history over time.  Other metadata that may be
   included could indicate the various categories of products to which
   the checklist applies, such as Operating System, Network Device, or
   Application Server.

   This document registers several new rolie:property elements to
   express this metadata in a more efficient and automatable form.

   o  contributor (0..n)

      *  name: urn:ietf:params:rolie:property:checklist:contributor





Banghart, et al.        Expires January 14, 2021                [Page 4]


Internet-Draft                rolie-cc-ext                     July 2020


      *  value: Indicates those individuals noted as recognized
         contributors to the configuration checklist and/or the
         recommendations contained within.  The value MUST be either a
         plaintext name of a entity, or a link to an <author> element
         that describes an entity.

   o  checklist version

      *  name: urn:ietf:params:rolie:property:checklist:version

      *  value: Indicates the version/revision number of the
         configuration checklist.  Implementations MAY choose to
         incorporate a semantic versioning scheme illustrating
         "major.minor.point" releases, such as "3.1.1".

   o  title

      *  name: urn:ietf:params:rolie:property:checklist:title

      *  value: Indicates the document title of the configuration
         checklist, such as "CIS Benchmark for Microsoft Windows Server
         2019".

   o  overview

      *  name: urn:ietf:params:rolie:property:checklist:overview

      *  value: This property allows for a textual overview and/or
         introduction to the configuration checklist including, but not
         limited to, overview of the technology under assessment,
         limitations or caveats, or assumptions to be made when
         evaluating the checklist.

   o  product name (0..n)

      *  name: urn:ietf:params:rolie:property:checklist:product-name

      *  value: This property allows for further refinement and
         identification of the configuration checklist using the name of
         the product or products to which the checklist applies, such as
         Microsoft Windows Server 2019, Red Hat Enterprise Linux, IBM
         WebSphere Application Server, Google Chrome, etc.

   o  product category (0..n)

      *  name: urn:ietf:params:rolie:property:checklist:product-category





Banghart, et al.        Expires January 14, 2021                [Page 5]


Internet-Draft                rolie-cc-ext                     July 2020


      *  value: This property allows for further refinement and
         identification of the configuration checklist using the
         technology category.  Examples of product category values may
         be (but aren't limited to):

         +  Antivirus Software

         +  Application Server

         +  Auditing

         +  Authentication

         +  Automation/Productivity Application Suite

         +  Client and Server Encryption

         +  Configuration Management Software

         +  Database Management System

         +  Desktop Application

         +  Desktop Client

         +  DHCP Server

         +  Directory Service

         +  DNS Server

         +  Email Server

         +  Encryption Software

         +  Enterprise Application

         +  File Encryption

         +  Firewall

         +  Firmware

         +  Handheld Device

         +  Identity Management

         +  Intrusion Detection System



Banghart, et al.        Expires January 14, 2021                [Page 6]


Internet-Draft                rolie-cc-ext                     July 2020


         +  KVM

         +  Mail Server

         +  Malware

         +  Mobile Solution

         +  Monitoring

         +  Multi-Functional Peripheral

         +  Network Router

         +  Network Switch

         +  Office Suite

         +  Operating System

         +  Peripheral Device

         +  Security Server

         +  Server

         +  Virtual Machine

         +  Virtualization Software

         +  Web Browser

         +  Web Server

         +  Wireless Email

         +  Wireless Network

5.  Handling Existing Checklist Formats

   Today, checklists are distributed in a myriad of different formats,
   using a variety of organization schemes.  This standard attempts to
   be as flexible as possible in its approach, in order to be usable by
   as many checklist distributors as possible.

   Using the NIST National Checklist Program as a foundation, checklists
   consist of a primary set of content and a list of supporting content.
   These pieces of content come in a number of machine readable and



Banghart, et al.        Expires January 14, 2021                [Page 7]


Internet-Draft                rolie-cc-ext                     July 2020


   human readable formats, and it is out of scope of this standard to
   describe guidance for all them.  Instead, a best effort should be
   made to use the available properties, elements, and attributes to
   describe the content.  Moreover, the content is often a compressed
   file that consists of a package of other content.  Likewise,
   describing this nested structure is out of scope for this standard.
   Each organization should use a description scheme that best matches
   their use and business cases, and this description scheme should be
   documented as thoroughly as possible for all users.

   When existing identifiers, titles, authors, and dates are provided in
   machine-readable forms inside a ROLIE Entry, automated processes can
   find and acquire checklist content with more ease than the current
   state-of-the-art methodology.  Fully solving the checklist automation
   problem will require a more significant effort touching on all parts
   of the checklist ecosystem.

6.  atom:link Extensions

   +-----------------+-------------------------------------------------+
   | Name            | Description                                     |
   +-----------------+-------------------------------------------------+
   | ancestor        | Links to a configuration checklist supersceded  |
   |                 | by that described in this entry                 |
   |                 |                                                 |
   | target-platform | Links to a software descriptor resource         |
   |                 | defining the software subject to this           |
   |                 | configuration checklist entry                   |
   |                 |                                                 |
   | supporting      | Links to a supporting document for the main     |
   |                 | content.            The "title" attribute       |
   |                 | SHOULD be used to provide a human readable      |
   |                 | title for this document.            Where       |
   |                 | possible, the "type" attribute MAY be used to   |
   |                 | describe the type of the supporting document.   |
   |                 | If the type is a simple IANA Media Type, the    |
   |                 | media type text should be used, otherwise,      |
   |                 | a short human readable description should be    |
   |                 | used.                                           |
   +-----------------+-------------------------------------------------+

7.  IANA Considerations

7.1.  configuration-checklist information-type

   IANA has added an entry to the "ROLIE Security Resource Information
   Type Sub-Registry" registry located at
   <https://www.iana.org/assignments/rolie/category/information-type> .



Banghart, et al.        Expires January 14, 2021                [Page 8]


Internet-Draft                rolie-cc-ext                     July 2020


   The entry is as follows:

      name: configuration-checklist

      index: TBD

      reference: This document, Section 3

7.2.  checklist:constributor property

   IANA has added an entry to the "ROLIE URN Parameters" registry
   located in <https://www.iana.org/assignments/rolie/>.

   The entry is as follows:

      name: property:checklist:contributor

      Extension IRI:
      urn:ietf:params:rolie:property:checklist:contributor

      Reference: This document, Section 4

      Subregistry: None

8.  Security Considerations

   Use of this extension requires understanding and managing the
   security considerations of the core ROLIE specification.  Beyond
   that, there must be considerations made for the common use cases and
   data types that would be shared with this extension in particular.

   Checklist information, while typically shared publicly, can have
   potential security impact if compromised.  In these cases, the utmost
   care should be taken to secure the REST endpoint.  Ensure that only
   authenticated users are allowed request access to any part of the
   ROLIE repository.  Authentication schemes such as OAUTH or basic HTTP
   Auth provides a significant barrier to compromise.  When providing
   checklist information as a paid service, security is valuable as a
   means to protect valuable data from being stolen or taken for free.
   In these cases, the above strategies still apply, but providers may
   want to make the Feed visible to non-authenticated users, with
   meaningful error messages sent to users that have not yet paid for
   the service.

   Typical RESTful security measures applied commonly on the web would
   be effective to secure this ROLIE extension.  As a flexible and
   relatively simple RESTful service, ROLIE server implementations have
   great flexibility and freedom in securing their repository.



Banghart, et al.        Expires January 14, 2021                [Page 9]


Internet-Draft                rolie-cc-ext                     July 2020


9.  Privacy Considerations

   This extension poses no additional privacy considerations above and
   beyond those stated in the core ROLIE specification.

10.  References

10.1.  Normative References

   [I-D.ietf-mile-rolie]
              Field, J., Banghart, S., and D. Waltermire, "Resource-
              Oriented Lightweight Information Exchange", draft-ietf-
              mile-rolie-07 (work in progress), May 2017.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8322]  Field, J., Banghart, S., and D. Waltermire, "Resource-
              Oriented Lightweight Information Exchange (ROLIE)",
              RFC 8322, DOI 10.17487/RFC8322, February 2018,
              <https://www.rfc-editor.org/info/rfc8322>.

10.2.  Informative References

   [CIS_Critical_Controls]
              "CIS Critical Security Controls", August 2016,
              <https://www.cisecurity.org/critical-controls/>.

   [NIST_800-53]
              Hanson, R., "NIST 800-53", September 2007,
              <http://deusty.blogspot.com/2007/09/stunt-out-of-band-
              channels.html>.

   [PCI_DSS]  "PCI Data Security Standard", April 2016,
              <https://www.pcisecuritystandards.org/
              document_library?category=pcidss&document=pci_dss>.

Appendix A.  Examples

   This section provides some brief examples of a Checklist Information
   Type ROLIE Entry.




Banghart, et al.        Expires January 14, 2021               [Page 10]


Internet-Draft                rolie-cc-ext                     July 2020


<?xml version="1.0" encoding="UTF-8"?>
<entry xmlns="https://www.w3.org/2005/Atom"
    xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0" xml:lang="en-US">
    <id>c8db0a93-4dcb-426e-997f-ba43c100b863</id>
    <title>NIST National Checklist for Red Hat Virtualization Host 4.x</title>
    <published>2020-06-29T18:13:51.0Z</published>
    <updated>2020-06-29T18:13:51.0Z</updated>
    <category scheme="urn:ietf:params:rolie:category:information-type" term="checklist"/>
    <summary>SCAP content for evaluation of Red Hat Virtualization Host 4.x systems. The Red Hat content embeds multiple pre-established compliance profiles.</summary>
    <rolie:format ns="scap13namespace"/>
    <content type="application/zip" src="https://nvd.nist.gov/ncp/checklist/908/download/5615"/>
    <link rel="supporting" title="OpenControl-formatted NIST 800-53 responses for Red Hat Virtualization Host 4.x" href="https://github.com/ComplianceAsCode/redhat/tree/master/virtualization-host" type="Machine-Readable Format"/>
    <link rel="supporting" title="[DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)" href="https://galaxy.ansible.com/RedHatOfficial/rhv4_rhvh_stig" type="Ansible Playbook"/>
    <link rel="supporting" title="VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization Hypervisor (RHVH)" href="https://galaxy.ansible.com/RedHatOfficial/rhv4_rhvh_vpp" type="Ansible Playbook"/>
    <rolie:property name="urn:ietf:params:rolie:property:content-id" value="908"/>
    <rolie:property name="urn:ietf:params:rolie:property:checklist:checklist-version" value="content v0.1.48"/>
    <rolie:property name="urn:ietf:params:rolie:property:content-published-date" value="2020-01-14T00:00:00+00:00"/>
    <rolie:property name="urn:ietf:params:rolie:property:content-updated-date" value="2019-06-14T00:00:00+00:00"/>
    <rolie:property name="urn:ietf:params:rolie:property:checklist:product-category" value="Virtual Machine"/>
</entry>

Authors' Addresses

   Stephen Banghart
   NIST
   100 Bureau Drive
   Gaithersburg, Maryland  20877
   USA

   Email: stephen.banghart@nist.gov


   Bill Munyan
   Center for Internet Security
   31 Tech Valley Drive
   East Greenbush, NY  12061
   USA

   Email: bill.munyan.ietf@gmail.com


   Adam Montville
   Center for Internet Security
   31 Tech Valley Drive
   East Greenbush, NY  12061
   USA

   Email: adam.w.montville@gmail.com



Banghart, et al.        Expires January 14, 2021               [Page 11]


Internet-Draft                rolie-cc-ext                     July 2020


   Gabriel Alford
   Red Hat, Inc.
   100 East Davie Street
   Raleigh, North Carolina  27601
   USA

   Email: galford@redhat.com












































Banghart, et al.        Expires January 14, 2021               [Page 12]