Network Working Group                                          B. Munyan
Internet-Draft                                              A. Montville
Intended status: Informational            Center for Internet Security
Expires: January 16, 2019                                    S. Banghart
                                                                    NIST
                                                           July 15, 2018

Definition of the ROLIE configuration checklist Extension
draft-mandm-sacm-rolie-configuration-checklist-01

Abstract

This document extends the Resource-Oriented Lightweight Information Exchange (ROLIE) core by defining a new information-type to ROLIE’s atom:category pertaining to security configuration checklists. Additional supporting requirements are also defined which describe the use of specific formats and link relations pertaining to the new information-type.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 16, 2019.

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

This document defines an extension to the Resource-Oriented Lightweight Information Exchange (ROLIE) protocol [RFC8322] to support the publication of configuration checklist information. Many enterprises operate according to guidance provided to them by a control framework ([CIS_Critical_Controls], [PCI_DSS], [NIST_800-53], etc.), which often prescribes that an enterprise define a standard, secure configuration for each technology it operates. Such standard secure configurations are often referred to as configuration checklists. These configuration checklists contain a set of configuration recommendations for a given endpoint. A configuration recommendation prescribes expected values pertaining to one or more discrete endpoint attributes.

2. Terminology

Configuration Checklist
A configuration checklist is an organized collection of rules about a particular kind of system or platform.

Configuration Item
Generally synonymous with endpoint attribute.

Configuration Recommendation
A configuration recommendation is an expression of the desired posture of one or more configuration items. A configuration recommendation generally includes the description of the recommendation, a rationale statement, and the expected state of collected posture information.

TODO: Others??
TBD

TODO: There needs to be a “normative” reference to the SCAP 1.2/3 specifications and schema definitions

3. The 'configuration-checklist' information type

This document defines and registers a new information-type: “configuration-checklist”.

The “configuration-checklist” information type represents a body of information describing a set of configuration recommendations. A configuration recommendation is, minimally, a configurable item paired with a recommended value or range of values. Depending on the source, a configuration recommendation may carry with it additional information (e.g., description, references, rationale). Provided below is a non-exhaustive list of information that may be considered as components of a configuration checklist.

4. Data format requirements

This section defines usage guidance and additional requirements related to data formats above and beyond those specified in [RFC8322]. The following formats are expected to be commonly used to express software descriptor information. For this reason, this document specifies additional requirements to ensure interoperability.

TODO, integrate this information:

4.1. Data Format 1

4.1.1. Description

This is data section 1 TODO

4.1.2. Requirements

This is requirement 1 TODO

5. rolie:property Extensions

This document provides new registrations for valid rolie:property names. These properties provide optional exposure points for valuable information in the linked content document. Exposing this information in a rolie:property element means that clients do not need to download the linked document to determine whether it contains information they are interested in.

A breadth of metadata may be included with a configuration checklist as identifying information. A publishing organization may wish to recognize or attribute checklist authors or contributors, or maintain a revision/version history over time. Other metadata that may be included could indicate the various categories of products to which the checklist applies, such as Operating System, Network Device, or Application Server.

The following list describes various ‘rolie:property’ constructs.

6. Use of the atom:link element

The link relations used by this extension are defined in the following table. These relations are not registered in the IANA Link Relations registry due to their niche usage. These link relations are valid for any link element in a checklist Entry.

Name             Description
ancestor         Links to a configuration checklist superseded by that described in this entry
target-platform  Links to a software descriptor resource defining the software subject to this configuration checklist entry
version          Links to a text resource indicating the version of the configuration checklist

7. Use of atom:category

This document registers an additional atom:category name: 'urn:ietf:params:rolie:category:checklist:nistncpproductcategory'

When the name attribute of a category element is this name, the value attribute SHOULD be one of the valid product categories from the NIST NCP Product Category List, such as:
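The following is an added example, not part of this draft or of any ROLIE implementation, showing how a client would read an Atom entry that uses the "configuration-checklist" information type (Section 3), the rolie:property metadata (Section 5), the ancestor/target-platform/version link relations (Section 6) and the product-category atom:category (Section 7), and how it would check the entry without downloading the linked checklist. It assumes, as ROLIE does for the information-type category, that the registered category name is carried in the Atom category's scheme attribute and the product category in its term attribute; the ROLIE namespace is the one from RFC 8322. The rolie:property names under urn:example, the URLs, and the three-item product-category list are constructed placeholders, since the draft's property list and the NCP list itself are not reproduced here.

```python
"""Parse and sanity-check a ROLIE Atom entry that publishes a configuration checklist."""
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"
ROLIE_NS = "urn:ietf:params:xml:ns:rolie-1.0"  # ROLIE extension namespace (RFC 8322)
INFO_TYPE_SCHEME = "urn:ietf:params:rolie:category:information-type"
# Category name registered by this draft (Section 7), assumed to be used as the atom:category scheme.
PRODUCT_CATEGORY_SCHEME = "urn:ietf:params:rolie:category:checklist:nistncpproductcategory"

# Link relations defined by the draft (Section 6) plus the standard Atom relations a ROLIE entry carries.
CHECKLIST_LINK_RELS = {"ancestor", "target-platform", "version"}
STANDARD_LINK_RELS = {"alternate", "self"}

# Placeholder subset standing in for the NIST NCP Product Category List (not reproduced in the draft).
NCP_PRODUCT_CATEGORIES_PLACEHOLDER = {"Operating System", "Network Device", "Application Server"}

# Constructed sample entry; all identifiers, URLs and property names are hypothetical.
SAMPLE_ENTRY = """<entry xmlns="http://www.w3.org/2005/Atom"
       xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0">
  <id>urn:uuid:00000000-0000-4000-8000-000000000001</id>
  <title>Example hardening checklist for a hypothetical server OS</title>
  <updated>2018-07-15T00:00:00Z</updated>
  <category scheme="urn:ietf:params:rolie:category:information-type"
            term="configuration-checklist"/>
  <category scheme="urn:ietf:params:rolie:category:checklist:nistncpproductcategory"
            term="Operating System"/>
  <link rel="alternate" type="application/xml"
        href="https://checklists.example/checklist-v2.xml"/>
  <link rel="ancestor" href="https://checklists.example/checklist-v1.xml"/>
  <link rel="target-platform" href="https://checklists.example/descriptors/hypothetical-os.xml"/>
  <link rel="version" href="https://checklists.example/checklist-v2.version.txt"/>
  <rolie:property name="urn:example:rolie:property:checklist:author" value="Example Benchmark Team"/>
  <rolie:property name="urn:example:rolie:property:checklist:revision" value="2.0.0"/>
</entry>
"""


def parse_checklist_entry(xml_text):
    """Return the entry's id, categories (by scheme), links (by rel) and rolie:property values."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{ATOM_NS}}}entry":
        raise ValueError("not an atom:entry")
    categories = {}
    for cat in root.findall(f"{{{ATOM_NS}}}category"):
        categories.setdefault(cat.get("scheme"), []).append(cat.get("term"))
    links = {}
    for link in root.findall(f"{{{ATOM_NS}}}link"):
        # Atom (RFC 4287) treats a link without rel as rel="alternate".
        links.setdefault(link.get("rel", "alternate"), []).append(link.get("href"))
    properties = {p.get("name"): p.get("value") for p in root.findall(f"{{{ROLIE_NS}}}property")}
    return {
        "id": root.findtext(f"{{{ATOM_NS}}}id"),
        "categories": categories,
        "links": links,
        "properties": properties,
    }


def check_checklist_entry(entry):
    """Return a list of problems; an empty list means the entry passes the checks."""
    problems = []
    if "configuration-checklist" not in entry["categories"].get(INFO_TYPE_SCHEME, []):
        problems.append("missing information-type category 'configuration-checklist'")
    for term in entry["categories"].get(PRODUCT_CATEGORY_SCHEME, []):
        if term not in NCP_PRODUCT_CATEGORIES_PLACEHOLDER:
            problems.append(f"product category {term!r} is not in the NCP product category list")
    for rel in entry["links"]:
        if rel not in CHECKLIST_LINK_RELS | STANDARD_LINK_RELS:
            problems.append(f"unrecognised link relation {rel!r}")
    if "alternate" not in entry["links"]:
        problems.append("no alternate link to the checklist content")
    return problems


if __name__ == "__main__":
    parsed = parse_checklist_entry(SAMPLE_ENTRY)
    print("properties:", parsed["properties"])
    print("problems:", check_checklist_entry(parsed) or "none")
```

Because the checks run only on the feed entry, a client can filter a large ROLIE feed by product category, revision or author from the rolie:property and atom:category values and fetch the linked checklist document only for the entries it actually wants.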

8. IANA Considerations

Per this document, IANA has added an entry to the “ROLIE Security Resource Information Type Sub-Registry” registry located at https://www.iana.org/assignments/rolie/category/information-type.

name:
configuration-checklist
index:
TBD
reference:
This document, Section TODO

TODO: add Properties and Categories

9. Security Considerations

Any user of this extension should be familiar with the security considerations of ROLIE [RFC8322].

10. Privacy Considerations

Any user of this extension should be familiar with the privacy considerations of ROLIE [RFC8322].

11. References

11.1. Normative References

[RFC8322] Field, J., Banghart, S. and D. Waltermire, "Resource-Oriented Lightweight Information Exchange (ROLIE)", RFC 8322, DOI 10.17487/RFC8322, February 2018.

11.2. Informative References

[CIS_Critical_Controls] "CIS Critical Security Controls", August 2016.
[NIST_800-53] Hanson, R., "NIST 800-53", September 2007.
[PCI_DSS] "PCI Data Security Standard", April 2016.

Authors' Addresses

Bill Munyan
Center for Internet Security
31 Tech Valley Drive
East Greenbush, NY, 12061
USA
EMail: bill.munyan.ietf@gmail.com

Adam Montville
Center for Internet Security
31 Tech Valley Drive
East Greenbush, NY, 12061
USA
EMail: adam.w.montville@gmail.com

Stephen A. Banghart
National Institute of Standards and Technology
100 Bureau Drive
Gaithersburg, Maryland
USA
Phone: (301)975-4288
EMail: sab3@nist.gov