sacm                                                          C. Inacio
Internet-Draft                                                      CMU
Intended status: Standards Track                          July 25, 2019
Expires: January 26, 2020

                        SACM Information Model
                    draft-inacio-sacm-infomodel-00

Abstract

   This document defines the information model for the Security
   Automation and Continuous Monitoring (SACM) standards.  The working
   group faces a set of complex issues when trying to define an
   information model, which complicates this effort:

   o  There are many standards in the SACM space which are not
      interoperable

   o  There exists an extremely large and diverse set of data types
      which are desirable to exchange

   o  Many data types depend on the operating systems from which they
      are collected, making a universal typing harder

   o  A goal of SACM is to cover a diverse set of system types

   These complex needs create an information model which is difficult
   to unify within the environment.  Instead, this information model
   design is focused on the minimum needed functionality, with the
   desire to include a type system design in the information model
   allowing for easy expandability.

   It is envisioned that this information model will serve the
   following purposes:

   o  Enough well-specified elements to exchange key data fields
      between systems

   o  A sufficient typing system to expand key fields over time, with a
      registry to standardize common expansions

   o  Meta information such that complete information exchange using
      various other formats understood by all parties can be used as
      needed to exchange complete records on demand

   o  Sufficient action verbs defined to allow orchestration between
      various systems, allowing unified control of federated components

Inacio                  Expires January 26, 2020                [Page 1]

Internet-Draft                sacm-infomodel                   July 2019

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.
   The list of current Internet-Drafts is at
   https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 26, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions and Terminology
   2.  Minimal Needed Information Elements
   3.  Information Element Metadata
     3.1.  Information Elements
       3.1.1.  IPv4 Address
       3.1.2.  IPv6 Address
       3.1.3.  Hostname
       3.1.4.  AssettID
       3.1.5.  MACAddress
       3.1.6.  Timestamp
       3.1.7.  Action
       3.1.8.  Action Parameters
       3.1.9.  AdditionalDataType
       3.1.10. AdditionalData
       3.1.11. Extra
   4.  Updates
   5.  IANA Considerations
   6.  Security Considerations
   7.  Normative References
   Appendix A.  Acknowledgements
   Author's Address

1.  Introduction

   The set of elements which this document seeks to standardize is the
   subset of data elements used within the SACM standards and related
   standards.  To this end, the core capability is to reasonably
   identify a network endpoint and minimally describe an event, along
   with enough information that the two parties involved in the
   communication may determine a way forward for further information
   exchange.  The minimal set of activity and endpoint identifiers will
   allow parties participating in SACM communications to effectively
   search their respective data stores for relevant and related
   information and respond to queries or accept events in kind.

   This information model is intended to describe a minimal number of
   elements which enable this functionality, but also to sufficiently
   describe the attributes which define those elements.  This
   combination of information intends to provide enough meta
   information about information elements to allow both in-protocol
   definition of types in possible data models and clear construction
   of future standardized element definitions.

   Conversely, this information model is not attempting to define all
   possible information elements that need to be exchanged.
   Many information elements, especially those related to host
   monitoring, depend heavily on the operating system and related
   software for proper context, which is beyond the initial scope of
   this standard.

1.1.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   Additionally, the key words "*MIGHT*", "*COULD*", "*MAY WISH TO*",
   "*WOULD PROBABLY*", "*SHOULD CONSIDER*", and "*MUST (BUT WE KNOW YOU
   WON'T)*" in this document are to be interpreted as described in
   RFC 6919 [RFC6919].

2.  Minimal Needed Information Elements

   IP address, hostname, time/date, SWID/CoSWID IDs, firmware versions,
   serial number, MAC address, certificate ID

3.  Information Element Metadata

   name, basic_data_type, octet_length, data_use_type (label, counter,
   gauge), description, std/vendor type, structure/composite

   The following fields are defined in the set of metadata about each
   information element:

   name:  A descriptive but concise name to be used for human
      understanding

   basic data type:  A fundamental data type supported by this
      information model.  The predefined types include unsigned
      integers, signed integers, octet array, string, IP addresses, and
      MAC addresses

   octet length:  The maximum number of octets used for this
      information element

   data use type:  This refines the basic data type by expressing the
      usage of the value.  For example, some integers represent
      mathematical values and may be added together (counts, for
      example), while some things may be expressed as an integer but
      are really a type of label (e.g. an IP address)

   description:  A longer textual description of this data type

   registration domain:  The domain in which this information element
      is defined.
   composite structure:  The definition of the composite structure of
      the following elements, e.g. list, set, map

3.1.  Information Elements

3.1.1.  IPv4 Address

   +---------------------+----------------------------------------+
   | Field               | Value                                  |
   +---------------------+----------------------------------------+
   | Name                | IPv4                                   |
   | Basic data type     | 32-bit unsigned integer                |
   | Octet length        | 4                                      |
   | Data use type       | Label                                  |
   | Description         | An Internet Protocol version 4 address |
   | Registration domain | standard                               |
   | Composite structure | N/A                                    |
   | Comments            |                                        |
   +---------------------+----------------------------------------+

3.1.2.  IPv6 Address

   +---------------------+----------------------------------------+
   | Field               | Value                                  |
   +---------------------+----------------------------------------+
   | Name                | IPv6                                   |
   | Basic data type     | octet array                            |
   | Octet length        | 16                                     |
   | Data use type       | Label                                  |
   | Description         | An Internet Protocol version 6 address |
   | Registration domain | standard                               |
   | Composite structure | N/A                                    |
   | Comments            |                                        |
   +---------------------+----------------------------------------+

3.1.3.  Hostname

   +---------------------+------------------------------------------------+
   | Field               | Value                                          |
   +---------------------+------------------------------------------------+
   | Name                | Hostname                                       |
   | Basic data type     | string                                         |
   | Octet length        | up to 256                                      |
   | Data use type       | Label                                          |
   | Description         | Fully qualified domain name of endpoint system |
   | Registration domain | standard                                       |
   | Composite structure | N/A                                            |
   | Comments            |                                                |
   +---------------------+------------------------------------------------+
3.1.4.  AssettID

   +---------------------+-----------------------------+
   | Field               | Value                       |
   +---------------------+-----------------------------+
   | Name                | AssettID                    |
   | Basic data type     | string                      |
   | Octet length        | up to 256                   |
   | Data use type       | Label                       |
   | Description         | AssettID of the topic asset |
   | Registration domain | standard                    |
   | Composite structure | N/A                         |
   | Comments            |                             |
   +---------------------+-----------------------------+

3.1.5.  MACAddress

   +---------------------+---------------------------+
   | Field               | Value                     |
   +---------------------+---------------------------+
   | Name                | MACAddress                |
   | Basic data type     | string                    |
   | Octet length        | 6                         |
   | Data use type       | Label                     |
   | Description         | IEEE 802 Hardware Address |
   | Registration domain | standard                  |
   | Composite structure | N/A                       |
   | Comments            |                           |
   +---------------------+---------------------------+

3.1.6.  Timestamp

   +---------------------+---------------------------+
   | Field               | Value                     |
   +---------------------+---------------------------+
   | Name                | timestamp                 |
   | Basic data type     | ISO time formatted string |
   | Octet length        | variable                  |
   | Data use type       | time/date                 |
   | Description         | time date string          |
   | Registration domain | standard                  |
   | Composite structure | N/A                       |
   | Comments            |                           |
   +---------------------+---------------------------+

3.1.7.  Action

   +---------------------+-----------------------------------------------+
   | Field               | Value                                         |
   +---------------------+-----------------------------------------------+
   | Name                | Action                                        |
   | Basic data type     | enumeration                                   |
   | Octet length        | 2                                             |
   | Data use type       | label                                         |
   | Description         |                                               |
   | Registration domain | standard                                      |
   | Composite structure |                                               |
   | Comments            | RunAssessment, AssessmentResult, Subscribe,   |
   |                     | PubEvent,                                     |
   +---------------------+-----------------------------------------------+
3.1.8.  Action Parameters

   +---------------------+------------------------------------------------+
   | Field               | Value                                          |
   +---------------------+------------------------------------------------+
   | Name                | Action Parameters                              |
   | Basic data type     | list                                           |
   | Octet length        | variable                                       |
   | Data use type       | variable                                       |
   | Description         | parameters for the action command, defined per |
   |                     | action command                                 |
   | Registration domain | standard                                       |
   | Composite structure | list                                           |
   | Comments            |                                                |
   +---------------------+------------------------------------------------+

3.1.9.  AdditionalDataType

   +---------------------+----------------------------------------------------+
   | Field               | Value                                              |
   +---------------------+----------------------------------------------------+
   | Name                | AdditionalDataType                                 |
   | Basic data type     | 16-bit integer                                     |
   | Octet length        | 2                                                  |
   | Data use type       | label                                              |
   | Description         | An enumeration of registered additional data types |
   |                     | that can be contained in the AdditionalData field  |
   | Registration domain | standard                                           |
   | Composite structure | N/A                                                |
   | Comments            |                                                    |
   +---------------------+----------------------------------------------------+

3.1.10.  AdditionalData

   +---------------------+--------------------------------------------------+
   | Field               | Value                                            |
   +---------------------+--------------------------------------------------+
   | Name                | AdditionalData                                   |
   | Basic data type     | octet-array                                      |
   | Octet length        | variable                                         |
   | Data use type       | opaque                                           |
   | Description         | This is an envelope to contain other             |
   |                     | standardized data exchange formats               |
   | Registration domain | standard                                         |
   | Composite structure | N/A                                              |
   | Comments            | formats like OVAL or IF-MAP may be contained in  |
   |                     | here                                             |
   +---------------------+--------------------------------------------------+
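   As an added example (not part of this draft), the following Python
   holds the Section 3.1 elements in a registry carrying the Section 3
   metadata and validates each value against that metadata before it
   enters a record: octet lengths, the Action enumeration, the 16-bit
   AdditionalDataType and the ISO timestamp.  Network byte order,
   UTF-8, the order of the Action enumeration, and carrying MACAddress
   as six raw octets rather than a string are assumptions of this
   example.

```python
# Added example, not from the draft: Section 3.1 elements as a registry
# carrying Section 3 metadata, and a validator applied before use.
import ipaddress
from datetime import datetime
ACTIONS = ["RunAssessment", "AssessmentResult", "Subscribe", "PubEvent"]  # order assumed

# name -> (basic type, max octets or None if variable, data use type, domain)
REGISTRY = {
    "IPv4":               ("uint32",      4,    "label",     "standard"),
    "IPv6":               ("octet-array", 16,   "label",     "standard"),
    "Hostname":           ("string",      256,  "label",     "standard"),
    "AssettID":           ("string",      256,  "label",     "standard"),
    "MACAddress":         ("octet-array", 6,    "label",     "standard"),
    "timestamp":          ("string",      None, "time/date", "standard"),
    "Action":             ("enumeration", 2,    "label",     "standard"),
    "AdditionalDataType": ("uint16",      2,    "label",     "standard"),
    "AdditionalData":     ("octet-array", None, "opaque",    "standard"),
}

def encode(name, value):
    """Return the octets carrying value, or raise ValueError if it violates
    the element's metadata (network byte order and UTF-8 are assumptions)."""
    basic, octets, use, _domain = REGISTRY[name]
    if name == "IPv4":
        raw = ipaddress.IPv4Address(value).packed      # always 4 octets
    elif name == "IPv6":
        raw = ipaddress.IPv6Address(value).packed      # always 16 octets
    elif basic == "string":
        if use == "time/date":
            datetime.fromisoformat(value)              # rejects non-ISO text
        raw = value.encode("utf-8")
    elif basic == "enumeration":
        raw = ACTIONS.index(value).to_bytes(2, "big")  # unknown -> ValueError
    elif basic == "uint16":
        if not 0 <= int(value) < 2 ** 16:
            raise ValueError(f"{name}: {value} does not fit in 16 bits")
        raw = int(value).to_bytes(2, "big")
    else:                                              # octet array
        raw = bytes(value)
        if octets is not None and len(raw) != octets:  # fixed-size array
            raise ValueError(f"{name}: expected exactly {octets} octets")
    if octets is not None and len(raw) > octets:
        raise ValueError(f"{name}: {len(raw)} octets exceeds {octets}")
    return raw

def encode_record(fields):
    """Encode a record; an AdditionalData envelope needs its type tag."""
    if "AdditionalData" in fields and "AdditionalDataType" not in fields:
        raise ValueError("AdditionalData requires AdditionalDataType")
    return {name: encode(name, val) for name, val in fields.items()}
```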
3.1.11.  Extra

   [ed: remove before publication]

   +---------------------+----------+
   | Field               | Value    |
   +---------------------+----------+
   | Name                |          |
   | Basic data type     |          |
   | Octet length        |          |
   | Data use type       |          |
   | Description         |          |
   | Registration domain | standard |
   | Composite structure |          |
   | Comments            |          |
   +---------------------+----------+

4.  Updates

   o  25-July-2019 - initial document

5.  IANA Considerations

   This will create an IANA registry of elements, eventually.  IANA
   language to be added.

6.  Security Considerations

   To be completed.

7.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6919]  Barnes, R., Kent, S., and E. Rescorla, "Further Key Words
              for Use in RFCs to Indicate Requirement Levels", RFC 6919,
              DOI 10.17487/RFC6919, April 2013.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

Appendix A.  Acknowledgements

   The contributions of the SACM working group have greatly impacted the
   thinking presented here.  In particular, we wish to thank Bill
   Munyan, Adam Monteville, and Henk Birkholz.

Author's Address

   Christopher Inacio
   Carnegie Mellon University
   4500 5th Ave.
   Pittsburgh, PA 15213
   United States

   Email: inacio@cert.org