SACM Working Group H. Birkholz
Internet-Draft Fraunhofer SIT
Intended status: Standards Track N. Cam-Winget
Expires: October 10, 2016 Cisco Systems
April 8, 2016
SACM Information Model
draft-camwinget-sacm-information-model-00
Abstract
***replaces abstract in WG IM*** This document defines the
information model for Security Automation and Continuous Monitoring
(SACM). This includes the definition of information elements
transported between SACM components (data in motion) and how to
express their relationships. This information model is maintained as
the IANA "SACM Information Elements" registry. The information model
captures the information needs described in the use cases defined by
SACM.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 10, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Birkholz & Cam-Winget Expires October 10, 2016 [Page 1]
Internet-Draft SACM Information Model April 2016
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements notation . . . . . . . . . . . . . . . . . . . . 3
3. Information Elements (IE) . . . . . . . . . . . . . . . . . . 3
3.1. Context of Information Elements . . . . . . . . . . . . . 4
3.2. Extensibility of Information Elements . . . . . . . . . . 4
4. Structure of Information Elements . . . . . . . . . . . . . . 4
4.1. Atomic Information Elements (AIE) . . . . . . . . . . . . 5
4.2. Composite Information Elements (CIE) . . . . . . . . . . 5
4.3. SACM Statements . . . . . . . . . . . . . . . . . . . . . 5
4.4. SACM Content Elements . . . . . . . . . . . . . . . . . . 6
4.5. Relationship Types . . . . . . . . . . . . . . . . . . . 6
4.6. Events . . . . . . . . . . . . . . . . . . . . . . . . . 7
5. Information Element Vocabulary . . . . . . . . . . . . . . . 7
5.1. Vocabulary of Categories . . . . . . . . . . . . . . . . 8
5.2. Vocabulary of Atomic Information Elements . . . . . . . . 8
5.3. Vocabulary of Composite Information Elements . . . . . . 21
6. Example composition of SACM statements . . . . . . . . . . . 30
7. IANA considerations . . . . . . . . . . . . . . . . . . . . . 32
8. Security Considerations . . . . . . . . . . . . . . . . . . . 32
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 32
10. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 32
11. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 32
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 32
12.1. Normative References . . . . . . . . . . . . . . . . . . 32
12.2. Informative References . . . . . . . . . . . . . . . . . 33
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33
1. Introduction
***replaces Introduction in the WG IM*** The purpose of the SACM
Information Model (IM) is to ensure interoperability between SACM
data models that are used as transport encoding and to provide a base
set of information elements that may be exposed or shared between
SACM components in a scalable and extensible fashion. A complete set
of requirements imposed on the IM can be found in
[I-D.ietf-sacm-requirements]. The SACM IM defines information
elements that are required to carry out the tasks conducted by SACM
components. The SACM IM itself is intended to be used for data
exchange between SACM components (data in motion). Nevertheless, the
information elements defined in this document can be leveraged to
create and align corresponding data models for data at rest.
The information model expresses, for example, target endpoint (TE)
attributes, guidance or evaluation results. The corresponding
information elements (IE) are consumed and produced by SACM
components as they carry out tasks.
The primary tasks that this information model supports (on data,
control and management plane) are:
o TE Discovery
o TE Characterization
o TE Classification
o Collection
o Evaluation
o Information Sharing
o SACM Component Discovery
o SACM component Authentication
o SACM component Authorization
o SACM component Registration
2. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC
2119, BCP 14 [RFC2119].
3. Information Elements (IE)
**to be inserted between section 2 and section 3** Every type or
group of information, e.g. the information elements, defined in this
document represents subjects transported (data in motion) between SACM
components and is associated with a unique label in the information
model: its name. This document defines a set of information
elements standardized by SACM.
3.1. Context of Information Elements
The IE in this information model represent information related to the
following areas (based on the use cases described in [RFC7632]):
o Endpoint Management
o Software Inventory Management
o Hardware Inventory Management
o Configuration Management
o Vulnerability Management
3.2. Extensibility of Information Elements
A SACM data model based on this information model MAY include
additional information elements that are not defined here. The
labels of additional information elements included in different SACM
data models MUST NOT conflict with the labels of the information
elements defined by this information model, and the names of
additional information elements MUST NOT conflict with each other or
across multiple data models. In order to avoid naming conflicts, the
labels of additional IEs SHOULD be prefixed to avoid collision across
extensions. The prefix MUST include an organizational identifier and
therefore, for example, MAY be an IANA enterprise number, a (partial)
name space URI or an organization name abbreviation.
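The label rules of Section 3.2 applied to several data models at once, as an added example that is not part of the draft. The IM label set is a small constructed subset of Section 5.2, the "org-id:label" prefix syntax and the sample models are assumptions of this example, and 32473 is the IANA enterprise number reserved for documentation.

```python
"""Added example (not part of the draft): checking extension labels against
the rules of Section 3.2 when several SACM data models are combined."""
import re
from typing import Dict, Iterable, List

# Constructed subset of the labels standardized by the IM (Section 5.2).
IM_LABELS = {"host-name", "mac-address", "os-name", "timestamp", "user-id"}

# Section 3.2: the prefix MUST carry an organizational identifier (an IANA
# enterprise number, a partial namespace URI or an org abbreviation).
# Assumed syntax for this example: "<org-id>:<label>".
PREFIX_RE = re.compile(r"^(?P<org>[A-Za-z0-9._/-]+):(?P<label>[a-z0-9-]+)$")


def check_extensions(models: Dict[str, Iterable[str]]) -> List[str]:
    """Return rule violations for a set of data models, keyed by model name.

    (1) an additional IE MUST NOT reuse an IM-defined label,
    (2) its label SHOULD carry an organizational prefix,
    (3) additional labels MUST NOT collide across (or within) data models."""
    findings: List[str] = []
    seen: Dict[str, str] = {}  # full label -> model that first declared it
    for model, labels in models.items():
        for label in labels:
            if label in IM_LABELS:
                findings.append(f"{model}: '{label}' conflicts with an IM-defined label")
                continue
            if PREFIX_RE.match(label) is None:
                findings.append(f"{model}: '{label}' lacks an organizational prefix")
            if label in seen:
                findings.append(f"{model}: '{label}' already declared by {seen[label]}")
            seen.setdefault(label, model)
    return findings


def sample_models() -> Dict[str, List[str]]:
    """Constructed sample: dm-a is conformant, dm-b and dm-c break the rules."""
    return {
        "dm-a": ["32473:rack-position", "32473:asset-tag"],
        "dm-b": ["host-name", "example.org/sacm:rack-position"],
        "dm-c": ["asset-tag", "32473:rack-position"],
    }
```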
4. Structure of Information Elements
**replaces beginning text of Information Model Framework and 3.1-3.4,
will move syntax 3.1.1 and 3.2.1 to aggregated sub-section, will also
privacy sub-section 3.5 and label sub-section 3.6** The IEs defined
in this document are differentiated into two basic types of
Information Elements:
o Attributes: an attribute is the simplest IE structure comprised of
a unique attribute name and an attribute value (attributes are
listed in Section 5.2).
o Subjects: a subject is a richer structure that has a unique
subject name and one or more attributes or subjects (subjects are
listed in Section 5.3). In essence, the instance of a subject is
defined by the attribute values associated with it.
Metadata is constructed as a subject and is associated with
attributes or subjects to provide additional information about them.
The IM explicitly defines two specific kinds of metadata: metadata
about the data origin and metadata about the data source. Metadata
can include relationships that refer to other attributes or subjects
by referencing labels included in their corresponding metadata.
4.1. Atomic Information Elements (AIE)
**to be salvaged and then removed** Atomic IEs represent the smallest
building blocks for SACM content, including, for example, a SACM
endpoint attribute, a policy entry, a configuration item, an expected
state, or a threshold value. AIEs can be bundled into composite IEs.
The set of AIEs defined by the SACM IM is described in Section 5.2.
In essence, AIEs are attribute value pairs that constitute the
"leaves" in a SACM semantic structure. While the SACM IM sometimes
does elaborate on the structure of values (e.g. an IPv6 address is an
octet string with a maximum length of 16 that may be collapsed in
certain conditions), it does not prescribe specific types used in the
data model representation (e.g. an unbounded character string).
Every AIE is registered as a corresponding entry in the IANA
registry. The Integer Index of the IANA SMI number tables can be
used by SACM data models.
4.2. Composite Information Elements (CIE)
**to be salvaged and then removed** Composite IEs constitute bundles
of AIEs and/or other composite IEs. A CIE represents a specific set
of related information that share a semantic relationship, e.g.
SACM statement metadata or state information about a network
interface. The set of CIEs defined by the SACM IM is described in
Section 5.3. In essence, CIEs are a "named container"
construct that can be used to compose additional CIEs that go beyond
the ones standardized by the SACM information model.
The SACM IM allows for recursive or circular nesting of composite
IEs. A SACM data model (DM) MUST include the "default-depth" base
AIE that is part of the SACM content metadata.
4.3. SACM Statements
**to be salvaged and then removed** The data exchanged between SACM
components is always embedded in a SACM statement. SACM Statements
contain one or more CIEs and/or AIEs. A SACM statement functions as
an "envelope" type that is associated with metadata about the
providing SACM component. The SACM statement metadata can be used to
resolve conflicting information, retrace the provenance of
information or to locate archived information in data repositories.
Examples of SACM statement metadata information elements:
o SACM Domain Identifier: a globally unique identifier that enables
the differentiation of SACM statements across SACM domains.
o Data Origin: the SACM domain unique identifier associated with a
SACM component.
o Statement Identifier: an identifier that uniquely references this
specific statement.
SACM statements are comprised of one or more CIEs; Section 6 provides
examples for constructing SACM statements.
4.4. SACM Content Elements
**to be salvaged and then removed** SACM Content Elements are
categorized CIEs. The content elements can be composed of one or
more AIEs and/or CIEs or it can be another representation that is
embedded in the statement, for example, an IPFIX Template Record.
Each SACM content element has its own Content Metadata associated
with it (analogously to the way that each SACM statement has metadata
associated to it). Content element metadata include information
about its type, data source (the result produced by a collector) or
data origin (the result produced by most other SACM components).
Examples of SACM content element metadata information elements:
o Target Endpoint Label: an identifier that distinctly identifies a
target endpoint as a SACM content element.
o Relationship Identifier(s): a set of semantic relationships that
associate this SACM content element with other SACM content
elements via their content element identifier.
o Content Element Identifier: an identifier that uniquely references
this specific content element.
SACM content elements are described in section FIXME.
4.5. Relationship Types
**to be salvaged and then removed** Relationships are expressed via
AIE contained within a CIE. There are two ways SACM content elements
are associated with each other. "A Flow" associated with "A User",
for example, would be a typical case, in which two separate SACM
content elements could be associated with each other.
One way is to include the Relationships AIE in the content element
metadata that precedes the actual content (in this example, the
content element metadata of the flow record). Relationship Types are
uni-directional. For example, the "is-associated-with-user"
Relationship AIE included in the content element metadata points to a
specific user via a corresponding content element identifier.
The alternative way is to include the reference of associated
information directly into the content of the content element. A
session CIE, for instance, could refer to a specific user by
including identifying attributes about that user. While this is a
valid way of creating a relationship between different kinds of
content, it requires careful matching or the introduction of another
appropriate identifier mechanism (that does not conflict with other
SACM statements and SACM content element identifiers). If a SACM
data model allows for transport of other representations as payload
of a content element (e.g. a pcap fragment containing suspicious
packets), there might be no alternative but to use the
content element metadata to include relationships to other content
elements.
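The structure of Sections 4.2 to 4.5 in working form, as an added example that is not part of the draft: a statement envelope with its metadata, content elements carrying content metadata, uni-directional relationships expressed through that metadata, and the default-depth limit applied to a circular CIE nesting. IE names follow Section 5.2; the class names, the checks, and all sample values (GUIDs, addresses, component names) are assumptions of this example.

```python
"""Added example (not part of the draft): an in-memory model of SACM
statements, content elements and relationships, with the consistency
checks a receiving SACM component would run before using the data."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# relationship-type values listed in Section 5.2. Relationships are
# uni-directional (Section 4.5): the element whose content metadata carries
# the relationship points at the referenced element, never the reverse.
RELATIONSHIP_TYPES = {
    "associated_with_user", "applies_to_session", "seen_on_interface",
    "associated_with_flow", "contains_virtual_device",
}

@dataclass
class CIE:
    """Composite IE: a named container of AIEs (plain values) and nested CIEs."""
    name: str
    components: Dict[str, Any] = field(default_factory=dict)

@dataclass
class Relationship:
    relationship_type: str
    target_guid: str  # relationship-content-element-guid of the referenced element

@dataclass
class ContentElement:
    """A content element together with its content metadata."""
    guid: str                 # content element identifier
    content_type: str         # content-type, e.g. EndpointState or Event
    content: CIE
    te_label: Optional[str] = None
    relationships: List[Relationship] = field(default_factory=list)

@dataclass
class Statement:
    """The envelope: statement metadata plus one or more content elements."""
    statement_guid: str
    data_origin: str          # SACM component that published the statement
    sacm_domain_id: str
    default_depth: int        # Section 4.2: a data model MUST carry this AIE
    content_elements: List[ContentElement] = field(default_factory=list)

def exceeds_depth(cie: CIE, limit: int, depth: int = 1) -> bool:
    """True if CIE nesting goes deeper than `limit`. The depth counter is the
    only termination condition, so a circular reference (permitted by Section
    4.2) is reported once it unrolls past the limit instead of looping."""
    if depth > limit:
        return True
    return any(exceeds_depth(v, limit, depth + 1)
               for v in cie.components.values() if isinstance(v, CIE))

def validate_statement(stmt: Statement) -> List[str]:
    """Consistency findings for one statement; an empty list means it is clean."""
    findings: List[str] = []
    guids = [ce.guid for ce in stmt.content_elements]
    if len(guids) != len(set(guids)):
        findings.append("duplicate content element identifiers in statement")
    known = set(guids)
    for ce in stmt.content_elements:
        if exceeds_depth(ce.content, stmt.default_depth):
            findings.append(f"{ce.guid}: nesting exceeds default-depth {stmt.default_depth}")
        for rel in ce.relationships:
            if rel.relationship_type not in RELATIONSHIP_TYPES:
                findings.append(f"{ce.guid}: unknown relationship-type {rel.relationship_type!r}")
            # A target in another statement would also need a
            # relationship-statement-guid; inside one statement it must resolve here.
            if rel.target_guid not in known:
                findings.append(f"{ce.guid}: relationship {rel.relationship_type} -> "
                                f"{rel.target_guid} does not resolve within the statement")
    return findings

def build_sample_statement(dangling: bool = False) -> Statement:
    """Constructed sample: a flow observation related to a user (the "A Flow"
    associated with "A User" case of Section 4.5). With dangling=True the flow
    also points at an interface element that is not in the statement."""
    user = ContentElement(
        guid="ce-user-1", content_type="DirectoryEntry",
        content=CIE("user", {"user-id": "alice", "user-directory": "ldap"}))
    flow = ContentElement(
        guid="ce-flow-1", content_type="EndpointState", te_label="te-42",
        content=CIE("flow", {
            "layer4-protocol": "tcp",
            "source": CIE("address", {"ipv4-address-value": "192.0.2.10",
                                      "layer4-port-address": 51522}),
            "destination": CIE("address", {"ipv4-address-value": "198.51.100.7",
                                           "layer4-port-address": 443}),
        }),
        relationships=[Relationship("associated_with_user", "ce-user-1")])
    if dangling:
        flow.relationships.append(Relationship("seen_on_interface", "ce-if-9"))
    return Statement("stmt-1", "collector-7", "example-domain",
                     default_depth=3, content_elements=[user, flow])

def build_circular_statement() -> Statement:
    """Constructed sample: an interface CIE and its sub-interface referring to
    each other (allowed by Section 4.2) under a default-depth of 2."""
    iface = CIE("interface", {"interface-label": "eth0"})
    sub = CIE("interface", {"sub-interface-label": "eth0.100", "super": iface})
    iface.components["sub"] = sub  # closes the cycle
    ce = ContentElement(guid="ce-if-1", content_type="EndpointConfiguration",
                        content=iface)
    return Statement("stmt-2", "collector-7", "example-domain",
                     default_depth=2, content_elements=[ce])
```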
4.6. Events
**to be salvaged and then removed** Events are a specific type of CIE
that are always associated with a time stamp and represent a change
of state or configuration that can be expressed as SACM content.
The time an event was published by a SACM component is recorded in
its corresponding SACM statement metadata; the time it was created
(or initially observed) is recorded in its content element metadata.
It is also recorded in the CIE itself, which is somewhat redundant
but can improve performance in some scenarios. Event CIEs can also
include the past state or configuration before the change occurred,
or - if applicable - a threshold or trigger condition that led to
the creation of the event.
5. Information Element Vocabulary
**to be inserted in section 5 as candidates** The vocabulary of
Information Element names standardized by the SACM IM does not
prescribe the use of these exact same names in every SACM data model.
If terms diverge, a mapping has to be provided in the corresponding
SACM data model document.
A subset of the names of the information elements defined in this
document are appended with "-type". This indicates that the IM
defines a set of values for these information elements (e.g. the
interface types defined by the IANA registry or the relationship
types).
5.1. Vocabulary of Categories
Categories are special Information Elements that make it possible to
refer to multiple types of IEs via just one name. Therefore, they are
similar to a type-choice. A prominent example of a category is network-
address. Network-address is a category that every kind of network
address is associated with, e.g. mac-address, ipv4-address,
ipv6-address, or typed-network-address. If a CIE includes network-
address as one of its components, any of that category's members is
valid to be used in its stead.
Another prominent example is EndpointIdentifier. Some IEs can be
used to identify (and over time re-recognize) target endpoints -
those are associated with the category endpoint-identifier.
content: this is a very broad category. Content is the payload of a
content element in a SACM statement. Formally, metadata is the
complement to content and everything that is not part of SACM
statement metadata or content element metadata is therefore
considered to be content. Every IE can be content (although the
same type of IE can be used in the metadata at the same time - and
those would not be content as described before). Annotating every
IE with this category would be highly redundant and is therefore
omitted for brevity.
network-address: (work-in-progress)
ipv4-address
ipv6-address
mac-address
endpoint-identifier: (work-in-progress)
software-component: (work-in-progress)
software-label: (work-in-progress)
5.2. Vocabulary of Atomic Information Elements
**to be inserted in section 5 as candidates** The content of every
Atomic Information Element is expressed in a single value. Note that
while this section lists AIEs, some of them may also be represented
as a CIE (especially if metadata is used).
access-privilege-type: a set of types that represents access
privileges (e.g. read, write, none)
References: none
account-name: a label that uniquely identifies an account that can
require some form of (user) authentication to access
References: none
administrative-domain: a label that is supposed to uniquely identify
an administrative domain
References: [IFMAP]
address-association-type: a set of types that defines the type of
address associations (e.g. broadcast-domain-member-list, ip-
subnet-member-list, ip-mac, shared-backhaul-interface, etc.)
References: none
address-mask-value: a value that expresses a generic address
subnetting bitmask
address-type: a set of types that specifies the type of address that
is expressed in an address CIE (e.g. ethernet, modbus, zigbee)
References: none
address-value: a value that expresses a generic network address
References: none
Category: network-address
application-component: a label that references a "sub"-application
that is part of the application (e.g. an add-on, a cipher-suite, a
library)
References: [SWID]
Category: software-component
application-label: a label that is supposed to uniquely reference an
application
References: [SWID]
Category: software-label
application-type: a set of types (FIXME maybe a finite set is not
realistic here - value not enumerator?) that identifies the type
of (user-space) application (e.g. text-editor, policy-editor,
service-client, service-server, calendar, rogue-like RPG)
References: [SWID]
Category: software-type
application-manufacturer: the name of the vendor that created the
application
References: [SWID]
Category: software-manufacturer
application-name: a value that represents the name of an application
given by the manufacturer
References: [SWID]
application-version: a version string that identifies a specific
version of an application
References: [SWID]
Category: software-version
authenticator: a label that references a SACM component that can
authenticate target endpoints (can be used in a target-endpoint
CIE to express that the target endpoint was authenticated by that
SACM component)
References: none
attribute-name: a value that can express the attribute name of
generic Attribute-Value-Pair CIE
References: none
attribute-value: a value that can express the attribute value of
generic Attribute-Value-Pair CIE
References: none
authentication-type: a set of types that expresses which type of
authentication was used to enable a network interaction/connection
References: [PXGRID]
birthdate: a label for the registered day of birth of a natural
person (e.g. the date of birth of a person as an ISO date string
http://rs.tdwg.org/ontology/voc/Person#birthdate)
References: [SCAP-AI]
bytes-received: a value that represents a number of octets received
on a network interface
References: [PXGRID]
bytes-sent: a value that represents a number of octets sent on a
network interface
References: [PXGRID]
certificate: a value that expresses a certificate that can be
collected from a target endpoint
References: none
Category: endpoint-identifier
collection-task-type: a set of types that defines how collected SACM
content was acquired (e.g. network-observation, remote-
acquisition, self-reported)
References: none
confidence: a representation of the subjective probability that the
assessed value is correct. If no confidence value is given it is
assumed that the confidence is 1 (limits confidence values to the
range between zero and one)
References: [ARF]
content-action: a set of types that expresses a type of action (e.g.
add, delete, update). Can be associated, for instance, with an
event CIE or with a network observation
References: [ARF]
content-elements: a value that represents the number of content-
elements included in a SACM statement
References: none
content-topic: a set of types that defines what kind of concept the
information included in a content element refers to (e.g. Session,
User, Interface, PostureProfile, Flow, PostureAssessment,
TargetEndpoint)
References: none
content-type: a set of types that defines what kind of information
is included in a content element (e.g. EndpointConfiguration,
EndpointState, DirectoryEntry, Event, Incident)
References: none
country-code: a set of types according to ISO 3166-1 trigraphic
codes of countries
References: FIXME
data-origin: a label that uniquely identifies a SACM component in
and across SACM domains
References: none
Aliases: sacm-component-id
data-source: a label that is supposed to uniquely identify the data
source (e.g. a target endpoint or sensor) that provided an initial
endpoint attribute record
References: [ARF]
Aliases: te-id (work-in-progress)
decimal-fraction-denominator: a denominator value to express a
decimal fraction time stamp (e.g. in timestamp)
References: none
decimal-fraction-numerator: a numerator value to express a decimal
fraction time stamp (e.g. in timestamp)
default-depth: a value that expresses how often a circular reference
of CIE is allowed to repeat, or how deep a recursive nesting may
occur, respectively.
References: none
discoverer: a label that refers to the SACM component that
discovered a target endpoint (can be used in a target-endpoint CIE
to express, for example, that the target endpoint was
authenticated by that SACM component)
References: none
email-address: a value that expresses an email-address
References: none
event-type: a set of types that defines the categories of an event
(e.g. access-level-change, change-of-privilege, change-of-
authorization, environmental-event, or provisioning-event)
References: none
event-threshold: if applicable, a value that can be included in an
event CIE to indicate what numeric threshold value was crossed to
trigger that event
References: none
event-threshold-name: if an event is created due to a crossed
threshold, the threshold might have a name associated with it that
can be expressed via this value
References: none
event-trigger: this value is used to express more complex trigger
conditions that may cause the creation of an event.
firmware-id: a label that represents the BIOS or firmware ID of a
specific target endpoint
References: none
Category: endpoint-identifier
hardware-serial-number: a value that identifies a piece of hardware
that is a component of a composite target endpoint (in essence,
every target endpoint is a composite) and can be acquired from a
target endpoint by a collection task
References: none
Category: endpoint-identifier
host-name: a label typically associated with an endpoint but not
always intended to be unique in a given scope
References: [ARF], [SCAP-AI]
Category: endpoint-identifier
interface-label: a unique label a network interface can be
referenced with
References: none
ipv6-address-subnet-mask-cidrnot: an IPv6 subnet bit mask in CIDR
notation
References: TBD
ipv6-address-value: an IPv6 address value
References: TBD
Category: endpoint-identifier, network-address
ipv4-address-subnet-mask-cidrnot: an IPv4 subnet bit mask in CIDR
notation
References: TBD
ipv4-address-subnet-mask: an IPv4 subnet mask
References: TBD
ipv4-address-value: an IPv4 address value
References: TBD
Category: endpoint-identifier, network-address
layer2-interface-type: a set of types referenced by IANA ifType
References: [RFC3635], [RFC2863]
layer4-port-address: a layer 4 port address (typically used, for
example, with TCP and UDP)
References: none
Category: network-address
layer4-protocol: a set of types that express a layer 4 protocol
(e.g. UDP or TCP)
location-name: a value that represents a named region of space FIXME
References: [IFMAP], [ARF], [SCAP-AI]
mac-address: a value that expresses an Ethernet address
References: [IFMAP], [ARF], [SCAP-AI]
Category: endpoint-identifier, network-address
method-label: a label that references a specific method registered
and used in a SACM domain (e.g. method to match and re-identify
target endpoints via identifying attributes)
References: none
method-repository: a label that references a SACM component methods
can be registered at and that can provide guidance in the form of
registered methods to other SACM components
References: none
network-access-level-type: a set of types that expresses categories
of network access-levels (e.g. block, quarantine, etc.)
References: [IFMAP]
network-id: most networks, such as ASes, OSPF domains, or VLANs,
can have an ID that is represented via this AIE
References: none
network-interface-name: a label that uniquely identifies an
interface associated with a distinguishable endpoint
References: FIXME
network-layer: a set of layers that expresses the specific network
layer an interface operates on (typically layer 2-4)
References: FIXME
network-name: a label that is associated with a network. Some
networks, for example effective layer2-broadcast-domains, are
difficult to "grasp" and therefore quite complicated to name
References: none
organization-id: a label that is supposed to uniquely identify an
organization
References: [ARF]
organization-name: a value that represents the name of an
organization
References: [ARF]
os-component: a label that references a "sub-component" that is part
of the operating system (e.g. a kernel module, microcode, or ACPI
table)
References: [SWID]
Category: software-component
os-label: a label that references a specific version of an operating
system, including patches and hotfixes
References: [SWID]
Category: software-label
os-manufacturer: the name of the manufacturer of an operating system
References: [IFMAP]
Category: software-manufacturer
os-name: the name of an operating system
References: [IFMAP]
Category: software-name
os-type: a set of types that identifies the type of an operating
system (e.g. real-time, security-enhanced, consumer, server)
References: none
Category: software-type
os-version: a value that represents the version of an operating-
system
Category: software-version
patch-id: a label that uniquely identifies a specific software patch
References: [ARF]
patch-name: the vendor's name of a software patch
References: [ARF], [SWID]
person-first-name: the first name of a natural person
References: [ARF], [SCAP-AI]
person-last-name: the last name of a natural person
References: [ARF], [SCAP-AI]
person-middle-name: the middle name of a natural person
References: [ARF], [SCAP-AI]
phone-number: a label that expresses a U.S. national phone number
(e.g. pattern value="((\d{3}) )?\d{3}-\d{4}")
References: [ARF], [SCAP-AI]
phone-number-type: a set of types that express the type of a phone
number (e.g. DSN, Fax, Home, Mobile, Pager, Secure, Unsecure,
Work, Other)
References: [ARF]
privilege-name: the attribute-name of the privilege represented as
an AVP
References: none
privilege-value: the value-content of the privilege represented as
an AVP
References: none
protocol: a set of types that defines specific protocols above layer
4 (e.g. http, https, dns, ipp, or unknown)
References: none
public-key: the value of a public key (regardless of its method of
creation, crypto-system, or signature scheme) that can be
collected from a target endpoint
References: none
Category: endpoint-identifier
relationship-content-element-guid: a reference to a specific content
element used in a relationship CIE
References: none
relationship-statement-guid: a reference to a specific SACM
statement used in a relationship CIE
References: none
relationship-object-label: a reference to a specific label used in
content (e.g. a te-label or a user-id). This reference is
typically used if matching content AIE can be done efficiently and
can also be included in addition to a relationship-content-
element-guid reference.
References: none
relationship-type: a set of types that is in every instance of a
relationship CIE to highlight what kind of relationship exists
between the CIE the relationship is included in and the referenced
element (e.g. associated_with_user, applies_to_session,
seen_on_interface, associated_with_flow, contains_virtual_device)
References: none
role-name: a label that references a collection of privileges
assigned to a specific entity (identity? FIXME)
References: FIXME
session-state-type: a set of types a discernible session (an ongoing
network interaction) can be in (e.g. Authenticating,
Authenticated, Postured, Started, Disconnected)
References: [PXGRID]
statement-guid: a label that expresses a globally unique ID
referencing a specific SACM statement that was produced by a SACM
component
References: none
statement-type: a set of types that define the type of content that
is included in a SACM statement (e.g. Observation,
DirectoryContent, Correlation, Assessment, Guidance)
References: none
status: a set of types that defines possible result values for a
finding in general (e.g. true, false, error, unknown, not
applicable, not evaluated)
References: [ARF]
sub-administrative-domain: a label for related child domains an
administrative domain can be composed of (used in the CIE
administrative-domain)
References: none
sub-interface-label: a unique label a sub network interface (e.g. a
tagged vlan on a trunk) can be referenced with
References: none
super-administrative-domain: a label for related parent domains an
administrative domain is part of (used in the CIE administrative-
domain)
References: none
super-interface-label: a unique label a super network interface
(e.g. a physical interface a tunnel interface terminates on) can
be referenced with
References: none
te-assessment-state: a set of types that defines the state of
assessment of a target-endpoint (e.g. in-discovery, discovered,
in-classification, classified, in-assessment, assessed)
References: [ARF]
te-label: an identifying label created from a set of identifying
attributes used to reference a specific target endpoint
References: none
te-id: an identifying label that is created randomly, is supposed to
be unique, and is used to reference a specific target endpoint
References: [ARF], [SWID]
Aliases: data-source
timestamp: a timestamp that expresses a specific point in time
References: [IFMAP], [ARF]
timestamp-type: a set of types that express what type of action or
event happened at that point of time (e.g. discovered, classified,
collected, published). Can be included in a generic timestamp CIE
References: none
units-received: a value that represents a number of units (e.g.
frames, packets, cells or segments) received on a network
interface
References: [PXGRID]
units-sent: a value that represents a number of units (e.g. frames,
packets, cells or segments) sent on a network interface
References: [PXGRID]
username: a part of the credentials required to access an account
that can be collected from a target endpoint
References: none
Category: endpoint-identifier
user-directory: a label that identifies a specific type of user-
directory (e.g. ldap, active-directory, local-user)
References: [PXGRID]
user-id: a label that references a specific user known in a SACM
domain
References: [PXGRID]
web-site: a URI that references a web-site
References: [ARF]
WGS84-longitude: a label that represents WGS 84 rev 2004 longitude
References: [SCAP-AI]
WGS84-latitude: a label that represents WGS 84 rev 2004 latitude
References: [SCAP-AI]
WGS84-altitude: a label that represents WGS 84 rev 2004 altitude
References: [SCAP-AI]
5.3. Vocabulary of Composite Information Elements
**to be inserted in section 5 as candidates** The content of every
Composite Information Element is expressed by the mandatory and
optional IE it can be composed of. The components of a CIE can have
a cardinality associated with them:
o (*): zero to unbounded occurrences
o (+): one to unbounded occurrences
o (?): zero or one occurrence
o (n*m): between n and m occurrences
o no cardinality: exactly one occurrence
If no cardinality is highlighted, or the cardinality (+) or (n*m) is
used, including this IE in the CIE is mandatory. In contrast,
optional IE are expressed via the cardinality (?) or (*).
A CIE can prescribe a strict sequence for the component IE it
contains. This is indicated by an (s).
address-association (s): some addresses are associated with each
other, e.g. a mac-address can be associated with a number of IP
addresses, or a sensor address can be associated with the external
address of its two redundant IP gateways. The first address is the
one that a number of addresses of the same type are associated
with. An address type SHOULD be included, and the addresses
associated with the first address entry MUST be of the same type.
NANCY FIXME
address
address-type (?)
address (+)
address-type (?)
administrative-domain: this CIE is intended to express more complex
setups of interconnected administrative domains
administrative-domain
sub-administrative-domain (*)
super-administrative-domain (?)
location (?)
application: an application is software that is not part of the
kernel space (and therefore typically runs in the user space). An
application can depend on specific running parts of an operating
system.
application-label (?)
application-name
application-type (*)
application-component (*)
application-manufacturer (?)
application-version (?)
application-instance: a specific instance of an application that is
installed on an endpoint. The application-label is used to refer
to corresponding information stored in an application CIE
application-label
target-endpoint
attribute-value-pair: a generic CIE that is used to express various
AVP (e.g. Radius Attributes)
attribute-name
attribute-value
content-creation-timestamp: a decimal fraction timestamp that
specifies the point in time the content element was created by a
SACM component
decimal-fraction-denominator
decimal-fraction-numerator
content-element: content produced by a SACM component is
encapsulated in content-elements that also include content-
metadata regarding that content
content-metadata (+)
content (+)
content-metadata: metadata regarding the content included in a
specific content-element. The content the metadata annotates can
be initially collected content - in this case a data-source has to
be included in the metadata. Content can also be the product of a
SACM component (e.g. an evaluator), which requires a data-origin
IE instead that references the producer of information.
content-element-guid
content-creation-timestamp
content-topic
content-type
data-source (?)
data-origin (?)
relationship (*)
data-source: a CIE that refers to a target endpoint that is the
source of SACM content - either via a label (data-source, which
could also be used without this CIE), or via a list of endpoint-
identifiers (category). Both can be included at the same time but
MUST NOT conflict.
data-source (?)
endpoint-identifier (*)
dst-flow-element: identifies the destination of a flow. The port
number SHOULD be included if the network-address is an IP-address.
network-address
layer4-port-address (?)
ethernet-interface: the only two mandatory components of this CIE are
the mac-address and the generated label (to distinguish non-unique
addresses). This acknowledges the fact that in many cases this is
the only information available about an Ethernet interface. If
more detailed information is available it MUST be included to
avoid ambiguity and to increase the usefulness for consumers of
information. The exceptions are sub-interface-labels and super-
interface-labels, which SHOULD be included.
interface-label
network-interface-name (?)
mac-address
network-name (?)
network-id (?)
layer2-interface-type (?)
sub-interface-label (*)
super-interface-label (*)
event (s): this is a special-purpose CIE that represents the change of
content. As with content-elements, basically any content can be
included in the two content entries. The mandatory content entry
represents the "after" state of the content and the optional
content entry can represent the "before" state if available or
required.
event-type (?)
event-threshold (?)
event-threshold-name (?)
event-trigger (?)
typed-timestamp
content
content (?)
flow-record: a composite that expresses a single flow and its
statistics. If applicable, protocol and layer4-protocol SHOULD be
included
src-flow-element
dst-flow-element
protocol (?)
layer4-protocol (?)
flow-statistics
flow-statistics: this CIE aggregates bytes and units sent and
received
bytes-received
bytes-sent
units-received
units-sent
group: insert text here (work in progress)
ipv4-address: an IPv4 address is always associated with a subnet.
This CIE combines both of these tightly knit values. Either a subnet
mask or a CIDR notation bitmask SHOULD be included.
ipv4-address-value
ipv4-address-subnet-mask-cidrnot (?)
ipv4-address-subnet-mask (?)
ipv6-address: an IPv6 address is always associated with a subnet.
This CIE combines both of these tightly knit values. A CIDR notation
bitmask SHOULD be included.
ipv6-address-value
ipv6-address-subnet-mask-cidrnot (?)
location: a CIE that aggregates potential details about a location
location-name
WGS84-longitude
WGS84-latitude
WGS84-altitude
operation-system: an operation-system is software that is directly
interacting with the hardware, provides the runtime environment
for the user-space and corresponding interfaces to hardware
functions.
os-label (?)
os-name
os-type (*)
os-component (*)
os-manufacturer (?)
os-version (?)
organization: this CIE aggregates information about an organization
and can be referenced via its id
organization-id
organization-name
location (?)
person: a CIE that aggregates the details about a person and
combines them with an identifier unique to SACM domains
person-first-name
person-last-name
person-middle-name (*)
phone-contact (*)
email-address (*)
phone-contact: this CIE can be used to reference a phone number and
how it functions as a contact
phone-number
phone-number-type (?)
privilege: a CIE to express privileges via a specific name/value
pair
privilege-name
privilege-value
relationship: the relationship CIE makes it possible to associate the
CIE it is included in with other CIE, provided they contain a unique
identifier or label. This is an alternative to including attributes
of other content CIE as a means to map them (which remains a valid
alternative, though). The relationship CIE MUST at least
reference one relationship object (either a SACM statement iden
relationship-type
relationship-content-element-guid (*)
relationship-statement-guid (*)
relationship-object-label (*)
sacm-statement: every SACM component produces information in this
format. This CIE can be considered the root IE for every SACM
message generated. There MUST be at least one content element
included in a SACM statement, and if there is more than one, they
are ordered in a sequence.
statement-metadata
content-element (+)(s)
session: represents an ongoing network interaction that can be in
various states of authentication or assessment
session-state-type
(work-in-progress)
src-flow-element: identifies the source of a flow. The port number
SHOULD be included if the network-address is an IP-address.
network-address
layer4-port-address (?)
statement-creation-timestamp: a decimal fraction timestamp that
specifies the point in time the SACM statement was created by a
SACM component
decimal-fraction-denominator
decimal-fraction-numerator
statement-publish-timestamp: a decimal fraction timestamp that
specifies the point in time the SACM component attempted to
publish the SACM statement (if successful, this will result in the
publish-timestamp sent with the SACM statement).
decimal-fraction-denominator
decimal-fraction-numerator
statement-metadata: every SACM statement includes statement metadata
about the SACM component it was produced by and a general category
that indicates what this statement is about
statement-guid
data-origin
statement-creation-timestamp (?)
statement-publish-timestamp
statement-type
content-elements
target-endpoint: this is a central CIE used in the process chains a
SACM domain can compose. Theoretically every kind of information
can be associated with a target endpoint CIE via its corresponding
content element. A few select IE can be stored in the CIE itself
to reduce the overhead of following references that would occur in
most scenarios. If the hostname is unknown the value has to be
set to an equivalent of "not available" (e.g. NULL). Comment
from the authors: This is "work in progress" and a good basis for
discussion
host-name
te-label
administrative-domain (?)
application-instance (*)
ethernet-interface (*)
address-association (*)
data-source (?)
operation-system (?)
te-profile: a set of expected states, policies and pieces of
guidance that can be matched to a target endpoint (or a class of
target endpoints "work in progress")
typed-timestamp: a flexible timestamp CIE that can express the
specific type of timestamp via its content. This is an
alternative to the "named" timestamps that do not include a
timestamp-type
decimal-fraction-denominator
decimal-fraction-numerator
timestamp-type
user: a CIE that references details of a specific user known in a
SACM domain active on a specific target endpoint
user-id
username (?)
data-source (?)
user-directory (?)
6. Example composition of SACM statements
This section illustrates how SACM statements can be composed of
content information elements, how relationship CIEs can be used in
content metadata, and how the categories statement-type, content-
topic and content-type are intended to be used.
The SACM statement instances are written in pseudo code. AIE end
with a colon. Some AIE include exemplary values to, for example,
show how references to guids and labels can be used. For the sake
of brevity, not all mandatory IE that are part of a CIE are always
included (e.g. as is the case with target-endpoint).
The example shows three SACM statements that were produced by three
different SACM components that overall include four related content
elements.
This is (work in progress).
sacm statement
statement-metadata
statement-guid: example-sguid-one
data-origin: SACM-component-label-one
statement-publish-timestamp: example-TS-one
statement-type: Observation
content-element
content-metadata
content-element-guid: example-cguid-one
content-creation-timestamp:
content-topic: Flow
content-type: EndpointState
relationship
relationship-type: is-associated-with-user
relationship-content-object: example-cguid-three
relationship
relationship-type: is-associated-with-te
relationship-content-object: example-cguid-two
relationship
relationship-type: is-associated-with-te
relationship-content-object: example-te-label
flow-record
src-flow-element
network-address (ipv4-address)
ipv4-address-value:
ipv4-address-subnet-mask-cidrnot:
layer4-port-address: 23111
dst-flow-element
network-address (ipv4-address)
ipv4-address-value:
ipv4-address-subnet-mask-cidrnot:
layer4-port-address: 22
protocol: ssh
layer4-protocol: tcp
flow-statistics
bytes-received:
bytes-sent:
units-received:
units-sent:
content-element
content-metadata
content-element-guid: example-cguid-two
content-creation-timestamp:
content-topic: TargetEndpoint
content-type: EndpointConfiguration
target-endpoint
te-label: example-te-label
host-name: example-host-name
ethernet-interface: example-interface
sacm statement
statement-metadata
statement-guid: example-sguid-two
data-origin: SACM-component-label-two
statement-publish-timestamp: example-TS-two
statement-type: DirectoryContent
content-element
content-metadata
content-element-guid: example-cguid-three
content-creation-timestamp:
content-topic: User
content-type: DirectoryEntry
user
user-name: example-username
user-directory: component-id
sacm statement
statement-metadata
statement-guid: example-sguid-three
data-origin: SACM-component-label-three
statement-publish-timestamp: example-TS-three
statement-type: Observation
content-element
content-metadata
content-element-guid: example-cguid-four
content-creation-timestamp:
content-topic: Privileges
content-type: Event
relationship
relationship-type: is-associated-with-user
relationship-content-object: example-cguid-three
event
event-type: change-of-privilege
typed-timestamp
decimal-fraction-denominator:
decimal-fraction-numerator:
timestamp-type: time-of-observation
privilege
privilege-name: super-user-escalation
privilege-value: true
privilege
privilege-name: super-user-escalation
privilege-value: false
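As an added example that is not part of the draft, the following Python transcribes a subset of the CIE vocabulary of section 5.3 (sacm-statement, statement-metadata, content-element, content-metadata, relationship) into a cardinality checker and runs it over a constructed statement shaped like the pseudo code above; it handles all five cardinality forms, including (n*m), and the rule that a relationship MUST reference at least one object. The dict layout, the schema subset and the sample values are assumptions of this example.

```python
import re
from typing import Any

# Constructed transcription of part of the section 5.3 vocabulary:
# CIE -> {component IE: cardinality token}; "" means exactly one occurrence.
SCHEMA: dict[str, dict[str, str]] = {
    "sacm-statement": {"statement-metadata": "", "content-element": "+"},
    "statement-metadata": {"statement-guid": "", "data-origin": "",
        "statement-creation-timestamp": "?", "statement-publish-timestamp": "",
        "statement-type": ""},
    "content-element": {"content-metadata": "+", "content": "+"},
    "content-metadata": {"content-element-guid": "", "content-creation-timestamp": "",
        "content-topic": "", "content-type": "", "data-source": "?",
        "data-origin": "?", "relationship": "*"},
    "relationship": {"relationship-type": "", "relationship-content-element-guid": "*",
        "relationship-statement-guid": "*", "relationship-object-label": "*"},
}
REL_OBJECTS = [ie for ie in SCHEMA["relationship"] if ie != "relationship-type"]

def bounds(card: str) -> tuple[int, float]:
    """Map a cardinality token to (min, max) occurrences."""
    fixed = {"": (1, 1), "?": (0, 1), "*": (0, float("inf")), "+": (1, float("inf"))}
    if card in fixed:
        return fixed[card]
    m = re.fullmatch(r"(\d+)\*(\d+)", card)  # the (n*m) form
    if not m:
        raise ValueError(f"unknown cardinality {card!r}")
    return int(m.group(1)), int(m.group(2))

def validate(cie: str, node: dict[str, list[Any]], path: str = "") -> list[str]:
    """Return cardinality violations for one CIE instance, recursing into nested
    CIEs. A node maps IE names to lists of occurrences (nested CIEs are nodes)."""
    here, errors = f"{path}/{cie}", []
    for ie, card in SCHEMA[cie].items():
        lo, hi = bounds(card)
        occ = node.get(ie, [])
        if not lo <= len(occ) <= hi:
            errors.append(f"{here}: {ie} occurs {len(occ)}x, allowed ({card or '1'})")
        if ie in SCHEMA:  # nested CIE: check its components too
            for child in occ:
                errors.extend(validate(ie, child, here))
    # Draft text: a relationship MUST reference at least one object.
    if cie == "relationship" and not any(node.get(ie) for ie in REL_OBJECTS):
        errors.append(f"{here}: no relationship object referenced")
    return errors

def example_statement(defective: bool = False) -> dict[str, list[Any]]:
    """Constructed statement shaped like section 6; the defective variant omits
    the mandatory publish timestamp and leaves a relationship without an object."""
    rel: dict[str, list[Any]] = {"relationship-type": ["is-associated-with-te"]}
    meta: dict[str, list[Any]] = {"statement-guid": ["example-sguid-one"],
        "data-origin": ["SACM-component-label-one"], "statement-type": ["Observation"]}
    if not defective:
        rel["relationship-object-label"] = ["example-te-label"]
        meta["statement-publish-timestamp"] = ["example-TS-one"]
    cmeta = {"content-element-guid": ["example-cguid-one"],
             "content-creation-timestamp": ["1460000000/1"], "content-topic": ["Flow"],
             "content-type": ["EndpointState"], "relationship": [rel]}
    return {"statement-metadata": [meta],
            "content-element": [{"content-metadata": [cmeta], "content": ["flow-record"]}]}
```

`validate("sacm-statement", example_statement())` returns an empty list, while the defective variant reports the missing statement-publish-timestamp and the relationship without an object.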
7. IANA considerations
This document includes requests to IANA.
8. Security Considerations
9. Acknowledgements
10. Change Log
First revision -00
Second revision -00. Rename to Camwinget (removed -) to make
submissions happier. Demonstrate how to integrate with WG draft.
11. Contributors
12. References
12.1. Normative References
[ARF] Corporation., T., "Assessment Results Format", 2010.
[IFMAP] "TCG Trusted Network Communications - TNC IF-MAP Metadata
for Network Security Specification Version 1.1r9", May
2012.
[PXGRID] Appala, S., Cam-Winget, N., McGrew, D., and J. Verma, "An
Actionable Threat Intelligence system using a Publish-
Subscribe communications model", ACM Proceedings of the
2nd ACM Workshop on Information Sharing and Collaborative
Security, page 61-70, DOI 10.1145/2808128.2808131,
ISBN 978-1-4503-3822-6.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group
MIB", RFC 2863, DOI 10.17487/RFC2863, June 2000,
<http://www.rfc-editor.org/info/rfc2863>.
[RFC3635] Flick, J., "Definitions of Managed Objects for the
Ethernet-like Interface Types", RFC 3635,
DOI 10.17487/RFC3635, September 2003,
<http://www.rfc-editor.org/info/rfc3635>.
[SCAP-AI] Wunder, J., Halbardier, A., and D. Waltermire,
"Specification for Asset Identification 1.1", NIST
Interagency Report 7693, 2011.
[SWID] "Information technology - Software asset management - Part
2: Software identification tag", ISO/IEC 19770-2:2015,
October 2015.
12.2. Informative References
[I-D.ietf-sacm-requirements]
Cam-Winget, N. and L. Lorenzin, "Security Automation and
Continuous Monitoring (SACM) Requirements", draft-ietf-
sacm-requirements-13 (work in progress), March 2016.
[RFC7632] Waltermire, D. and D. Harrington, "Endpoint Security
Posture Assessment: Enterprise Use Cases", RFC 7632,
DOI 10.17487/RFC7632, September 2015,
<http://www.rfc-editor.org/info/rfc7632>.
Authors' Addresses
Henk Birkholz
Fraunhofer SIT
Rheinstrasse 75
Darmstadt 64295
Germany
Email: henk.birkholz@sit.fraunhofer.de
Nancy Cam-Winget
Cisco Systems
3550 Cisco Way
San Jose, CA 95134
USA
Email: ncamwing@cisco.com