SACM                                                  D. Waltermire, Ed.
Internet-Draft                                                      NIST
Intended status: Standards Track                               K. Watson
Expires: October 29, 2017                                            DHS
                                                                 C. Kahn
                                                             L. Lorenzin
                                                       Pulse Secure, LLC
                                                                M. Cokus
                                                               D. Haynes
                                                   The MITRE Corporation
                                                             H. Birkholz
                                                          Fraunhofer SIT
                                                          April 27, 2017


                         SACM Information Model
                  draft-ietf-sacm-information-model-10

Abstract

   This document defines the Information Elements that are transported
   between SACM components and their interconnected relationships.  The
   primary purpose of the Secure Automation and Continuous Monitoring
   (SACM) Information Model is to ensure the interoperability of
   corresponding SACM data models and to address the use cases defined
   by SACM.  The Information Elements and corresponding types are
   maintained as the IANA "SACM Information Elements" registry.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 29, 2017.







Waltermire, et al.      Expires October 29, 2017                [Page 1]

Internet-Draft           SACM Information Model               April 2017


Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .  12
   2.  Conventions used in this document . . . . . . . . . . . . . .  13
     2.1.  Requirements Language . . . . . . . . . . . . . . . . . .  13
     2.2.  Information Element Examples  . . . . . . . . . . . . . .  13
   3.  Information Elements  . . . . . . . . . . . . . . . . . . . .  13
     3.1.  Context of Information Elements . . . . . . . . . . . . .  14
     3.2.  Extensibility of Information Elements . . . . . . . . . .  14
   4.  Structure of Information Elements . . . . . . . . . . . . . .  14
     4.1.  Information Element Naming Convention . . . . . . . . . .  17
     4.2.  SACM Content Elements . . . . . . . . . . . . . . . . . .  18
     4.3.  SACM Statements . . . . . . . . . . . . . . . . . . . . .  18
     4.4.  Relationships . . . . . . . . . . . . . . . . . . . . . .  20
     4.5.  Event . . . . . . . . . . . . . . . . . . . . . . . . . .  22
     4.6.  Categories  . . . . . . . . . . . . . . . . . . . . . . .  23
   5.  Abstract Data Types . . . . . . . . . . . . . . . . . . . . .  23
     5.1.  Simple Datatypes  . . . . . . . . . . . . . . . . . . . .  23
       5.1.1.  IPFIX Datatypes . . . . . . . . . . . . . . . . . . .  23
     5.2.  Structured Datatypes  . . . . . . . . . . . . . . . . . .  24
       5.2.1.  List Datatypes  . . . . . . . . . . . . . . . . . . .  24
       5.2.2.  Enumeration Datatype  . . . . . . . . . . . . . . . .  25
       5.2.3.  Category Datatype . . . . . . . . . . . . . . . . . .  26
   6.  Information Model Assets  . . . . . . . . . . . . . . . . . .  26
     6.1.  Asset . . . . . . . . . . . . . . . . . . . . . . . . . .  27
     6.2.  Endpoint  . . . . . . . . . . . . . . . . . . . . . . . .  28
     6.3.  Hardware Component  . . . . . . . . . . . . . . . . . . .  28
     6.4.  Software Component  . . . . . . . . . . . . . . . . . . .  29
       6.4.1.  Software Instance . . . . . . . . . . . . . . . . . .  29
     6.5.  Identity  . . . . . . . . . . . . . . . . . . . . . . . .  29
     6.6.  Guidance  . . . . . . . . . . . . . . . . . . . . . . . .  29
       6.6.1.  Collection Guidance . . . . . . . . . . . . . . . . .  30
       6.6.2.  Evaluation Guidance . . . . . . . . . . . . . . . . .  30



       6.6.3.  Classification Guidance . . . . . . . . . . . . . . .  31
       6.6.4.  Storage Guidance  . . . . . . . . . . . . . . . . . .  31
       6.6.5.  Evaluation Results  . . . . . . . . . . . . . . . . .  31
   7.  Information Model Elements  . . . . . . . . . . . . . . . . .  32
     7.1.  sacmStatement . . . . . . . . . . . . . . . . . . . . . .  32
     7.2.  sacmStatementMetadata . . . . . . . . . . . . . . . . . .  32
     7.3.  sacmContentElement  . . . . . . . . . . . . . . . . . . .  32
     7.4.  sacmContentElementMetadata  . . . . . . . . . . . . . . .  33
     7.5.  targetEndpoint  . . . . . . . . . . . . . . . . . . . . .  33
     7.6.  targetEndpointIdentifier  . . . . . . . . . . . . . . . .  33
     7.7.  targetEndpointLabel . . . . . . . . . . . . . . . . . . .  33
     7.8.  anyIE . . . . . . . . . . . . . . . . . . . . . . . . . .  34
     7.9.  accessPrivilegeType . . . . . . . . . . . . . . . . . . .  34
     7.10. accountName . . . . . . . . . . . . . . . . . . . . . . .  34
     7.11. administrativeDomainType  . . . . . . . . . . . . . . . .  34
     7.12. addressAssociationType  . . . . . . . . . . . . . . . . .  34
     7.13. addressMaskValue  . . . . . . . . . . . . . . . . . . . .  35
     7.14. addressType . . . . . . . . . . . . . . . . . . . . . . .  35
     7.15. addressValue  . . . . . . . . . . . . . . . . . . . . . .  35
     7.16. applicationComponent  . . . . . . . . . . . . . . . . . .  35
     7.17. applicationLabel  . . . . . . . . . . . . . . . . . . . .  36
     7.18. applicationType . . . . . . . . . . . . . . . . . . . . .  36
     7.19. applicationManufacturer . . . . . . . . . . . . . . . . .  36
     7.20. authenticator . . . . . . . . . . . . . . . . . . . . . .  36
     7.21. authenticationType  . . . . . . . . . . . . . . . . . . .  36
     7.22. birthdate . . . . . . . . . . . . . . . . . . . . . . . .  37
     7.23. bytesReceived . . . . . . . . . . . . . . . . . . . . . .  37
     7.24. bytesReceived . . . . . . . . . . . . . . . . . . . . . .  37
     7.25. bytesSent . . . . . . . . . . . . . . . . . . . . . . . .  37
     7.26. certificate . . . . . . . . . . . . . . . . . . . . . . .  38
     7.27. collectionTaskType  . . . . . . . . . . . . . . . . . . .  38
     7.28. confidence  . . . . . . . . . . . . . . . . . . . . . . .  38
     7.29. contentAction . . . . . . . . . . . . . . . . . . . . . .  38
     7.30. countryCode . . . . . . . . . . . . . . . . . . . . . . .  38
     7.31. dataOrigin  . . . . . . . . . . . . . . . . . . . . . . .  39
     7.32. dataSource  . . . . . . . . . . . . . . . . . . . . . . .  39
     7.33. default-depth . . . . . . . . . . . . . . . . . . . . . .  39
     7.34. discoverer  . . . . . . . . . . . . . . . . . . . . . . .  39
     7.35. emailAddress  . . . . . . . . . . . . . . . . . . . . . .  40
     7.36. eventType . . . . . . . . . . . . . . . . . . . . . . . .  40
     7.37. eventThreshold  . . . . . . . . . . . . . . . . . . . . .  40
     7.38. eventThresholdName  . . . . . . . . . . . . . . . . . . .  40
     7.39. eventTrigger  . . . . . . . . . . . . . . . . . . . . . .  40
     7.40. firmwareId  . . . . . . . . . . . . . . . . . . . . . . .  41
     7.41. hostName  . . . . . . . . . . . . . . . . . . . . . . . .  41
     7.42. interfaceLabel  . . . . . . . . . . . . . . . . . . . . .  41
     7.43. ipv6AddressSubnetMask . . . . . . . . . . . . . . . . . .  41
     7.44. ipv6AddressSubnetMaskCidrNotation . . . . . . . . . . . .  41



     7.45. ipv6AddressValue  . . . . . . . . . . . . . . . . . . . .  42
     7.46. ipv4AddressSubnetMask . . . . . . . . . . . . . . . . . .  42
     7.47. ipv4AddressSubnetMaskCidrNotation . . . . . . . . . . . .  42
     7.48. ipv4AddressValue  . . . . . . . . . . . . . . . . . . . .  42
     7.49. layer2InterfaceType . . . . . . . . . . . . . . . . . . .  42
     7.50. layer4PortAddress . . . . . . . . . . . . . . . . . . . .  42
     7.51. layer4Protocol  . . . . . . . . . . . . . . . . . . . . .  43
     7.52. locationName  . . . . . . . . . . . . . . . . . . . . . .  43
     7.53. networkZoneLocation . . . . . . . . . . . . . . . . . . .  43
     7.54. layer2NetworkLocation . . . . . . . . . . . . . . . . . .  43
     7.55. layer3NetworkLocation . . . . . . . . . . . . . . . . . .  44
     7.56. macAddressValue . . . . . . . . . . . . . . . . . . . . .  44
     7.57. methodLabel . . . . . . . . . . . . . . . . . . . . . . .  44
     7.58. methodRepository  . . . . . . . . . . . . . . . . . . . .  44
     7.59. networkAccessLevelType  . . . . . . . . . . . . . . . . .  44
     7.60. networkId . . . . . . . . . . . . . . . . . . . . . . . .  45
     7.61. networkInterfaceName  . . . . . . . . . . . . . . . . . .  45
     7.62. networkLayer  . . . . . . . . . . . . . . . . . . . . . .  45
     7.63. networkName . . . . . . . . . . . . . . . . . . . . . . .  45
     7.64. organizationId  . . . . . . . . . . . . . . . . . . . . .  45
     7.65. patchId . . . . . . . . . . . . . . . . . . . . . . . . .  46
     7.66. patchName . . . . . . . . . . . . . . . . . . . . . . . .  46
     7.67. personFirstName . . . . . . . . . . . . . . . . . . . . .  46
     7.68. personLastName  . . . . . . . . . . . . . . . . . . . . .  46
     7.69. personMiddleName  . . . . . . . . . . . . . . . . . . . .  46
     7.70. phoneNumber . . . . . . . . . . . . . . . . . . . . . . .  46
     7.71. phoneNumberType . . . . . . . . . . . . . . . . . . . . .  47
     7.72. privilegeName . . . . . . . . . . . . . . . . . . . . . .  47
     7.73. privilegeValue  . . . . . . . . . . . . . . . . . . . . .  47
     7.74. protocol  . . . . . . . . . . . . . . . . . . . . . . . .  47
     7.75. publicKey . . . . . . . . . . . . . . . . . . . . . . . .  48
     7.76. relationshipContentElementGuid  . . . . . . . . . . . . .  48
     7.77. relationshipStatementElementGuid  . . . . . . . . . . . .  48
     7.78. relationshipObjectLabel . . . . . . . . . . . . . . . . .  48
     7.79. relationshipType  . . . . . . . . . . . . . . . . . . . .  48
     7.80. roleName  . . . . . . . . . . . . . . . . . . . . . . . .  49
     7.81. sessionStateType  . . . . . . . . . . . . . . . . . . . .  49
     7.82. statementGuid . . . . . . . . . . . . . . . . . . . . . .  49
     7.83. statementType . . . . . . . . . . . . . . . . . . . . . .  49
     7.84. status  . . . . . . . . . . . . . . . . . . . . . . . . .  50
     7.85. subAdministrativeDomain . . . . . . . . . . . . . . . . .  50
     7.86. subInterfaceLabel . . . . . . . . . . . . . . . . . . . .  50
     7.87. superAdministrativeDomain . . . . . . . . . . . . . . . .  50
     7.88. superInterfaceLabel . . . . . . . . . . . . . . . . . . .  51
     7.89. teAssessmentState . . . . . . . . . . . . . . . . . . . .  51
     7.90. teLabel . . . . . . . . . . . . . . . . . . . . . . . . .  51
     7.91. teId  . . . . . . . . . . . . . . . . . . . . . . . . . .  51
     7.92. timestampType . . . . . . . . . . . . . . . . . . . . . .  51



     7.93. unitsReceived . . . . . . . . . . . . . . . . . . . . . .  52
     7.94. unitsSent . . . . . . . . . . . . . . . . . . . . . . . .  52
     7.95. userDirectory . . . . . . . . . . . . . . . . . . . . . .  52
     7.96. sacmUserId  . . . . . . . . . . . . . . . . . . . . . . .  52
     7.97. webSite . . . . . . . . . . . . . . . . . . . . . . . . .  53
     7.98. WGS84Longitude  . . . . . . . . . . . . . . . . . . . . .  53
     7.99. WGS84Latitude . . . . . . . . . . . . . . . . . . . . . .  53
     7.100. WGS84Altitude  . . . . . . . . . . . . . . . . . . . . .  53
     7.101. hardwareSerialNumber . . . . . . . . . . . . . . . . . .  53
     7.102. interfaceName  . . . . . . . . . . . . . . . . . . . . .  54
     7.103. interfaceIndex . . . . . . . . . . . . . . . . . . . . .  54
     7.104. interfaceMacAddress  . . . . . . . . . . . . . . . . . .  54
     7.105. interfaceType  . . . . . . . . . . . . . . . . . . . . .  54
     7.106. interfaceFlags . . . . . . . . . . . . . . . . . . . . .  54
     7.107. networkInterface . . . . . . . . . . . . . . . . . . . .  55
     7.108. softwareIdentifier . . . . . . . . . . . . . . . . . . .  55
     7.109. softwareTitle  . . . . . . . . . . . . . . . . . . . . .  55
     7.110. softwareCreator  . . . . . . . . . . . . . . . . . . . .  56
     7.111. simpleSoftwareVersion  . . . . . . . . . . . . . . . . .  56
     7.112. rpmSoftwareVersion . . . . . . . . . . . . . . . . . . .  56
     7.113. ciscoTrainSoftwareVersion  . . . . . . . . . . . . . . .  56
     7.114. softwareVersion  . . . . . . . . . . . . . . . . . . . .  56
     7.115. softwareLastUpdated  . . . . . . . . . . . . . . . . . .  57
     7.116. softwareClass  . . . . . . . . . . . . . . . . . . . . .  57
     7.117. softwareInstance . . . . . . . . . . . . . . . . . . . .  58
     7.118. globallyUniqueIdentifier . . . . . . . . . . . . . . . .  59
     7.119. creationTimestamp  . . . . . . . . . . . . . . . . . . .  59
     7.120. collectionTimestamp  . . . . . . . . . . . . . . . . . .  59
     7.121. publicationTimestamp . . . . . . . . . . . . . . . . . .  59
     7.122. relayTimestamp . . . . . . . . . . . . . . . . . . . . .  59
     7.123. storageTimestamp . . . . . . . . . . . . . . . . . . . .  60
     7.124. type . . . . . . . . . . . . . . . . . . . . . . . . . .  60
     7.125. protocolIdentifier . . . . . . . . . . . . . . . . . . .  60
     7.126. sourceTransportPort  . . . . . . . . . . . . . . . . . .  60
     7.127. sourceIPv4PrefixLength . . . . . . . . . . . . . . . . .  61
     7.128. ingressInterface . . . . . . . . . . . . . . . . . . . .  61
     7.129. destinationTransportPort . . . . . . . . . . . . . . . .  61
     7.130. sourceIPv6PrefixLength . . . . . . . . . . . . . . . . .  61
     7.131. sourceIPv4Prefix . . . . . . . . . . . . . . . . . . . .  62
     7.132. destinationIPv4Prefix  . . . . . . . . . . . . . . . . .  62
     7.133. sourceMacAddress . . . . . . . . . . . . . . . . . . . .  62
     7.134. ipVersion  . . . . . . . . . . . . . . . . . . . . . . .  62
     7.135. interfaceDescription . . . . . . . . . . . . . . . . . .  62
     7.136. applicationDescription . . . . . . . . . . . . . . . . .  62
     7.137. applicationId  . . . . . . . . . . . . . . . . . . . . .  63
     7.138. applicationName  . . . . . . . . . . . . . . . . . . . .  63
     7.139. exporterIPv4Address  . . . . . . . . . . . . . . . . . .  63
     7.140. exporterIPv6Address  . . . . . . . . . . . . . . . . . .  63



     7.141. portId . . . . . . . . . . . . . . . . . . . . . . . . .  63
     7.142. templateId . . . . . . . . . . . . . . . . . . . . . . .  64
     7.143. collectorIPv4Address . . . . . . . . . . . . . . . . . .  64
     7.144. collectorIPv6Address . . . . . . . . . . . . . . . . . .  64
     7.145. informationElementIndex  . . . . . . . . . . . . . . . .  65
     7.146. informationElementId . . . . . . . . . . . . . . . . . .  65
     7.147. informationElementDataType . . . . . . . . . . . . . . .  65
     7.148. informationElementDescription  . . . . . . . . . . . . .  65
     7.149. informationElementName . . . . . . . . . . . . . . . . .  66
     7.150. informationElementRangeBegin . . . . . . . . . . . . . .  66
     7.151. informationElementRangeEnd . . . . . . . . . . . . . . .  66
     7.152. informationElementSemantics  . . . . . . . . . . . . . .  67
     7.153. informationElementUnits  . . . . . . . . . . . . . . . .  67
     7.154. applicationCategoryName  . . . . . . . . . . . . . . . .  68
     7.155. mibObjectValueInteger  . . . . . . . . . . . . . . . . .  68
     7.156. mibObjectValueOctetString  . . . . . . . . . . . . . . .  69
     7.157. mibObjectValueOID  . . . . . . . . . . . . . . . . . . .  69
     7.158. mibObjectValueBits . . . . . . . . . . . . . . . . . . .  69
     7.159. mibObjectValueIPAddress  . . . . . . . . . . . . . . . .  70
     7.160. mibObjectValueCounter  . . . . . . . . . . . . . . . . .  70
     7.161. mibObjectValueGauge  . . . . . . . . . . . . . . . . . .  71
     7.162. mibObjectValueTimeTicks  . . . . . . . . . . . . . . . .  71
     7.163. mibObjectValueUnsigned . . . . . . . . . . . . . . . . .  72
     7.164. mibObjectValueTable  . . . . . . . . . . . . . . . . . .  72
     7.165. mibObjectValueRow  . . . . . . . . . . . . . . . . . . .  72
     7.166. mibObjectIdentifier  . . . . . . . . . . . . . . . . . .  73
     7.167. mibSubIdentifier . . . . . . . . . . . . . . . . . . . .  73
     7.168. mibIndexIndicator  . . . . . . . . . . . . . . . . . . .  73
     7.169. mibCaptureTimeSemantics  . . . . . . . . . . . . . . . .  74
     7.170. mibContextEngineID . . . . . . . . . . . . . . . . . . .  75
     7.171. mibContextName . . . . . . . . . . . . . . . . . . . . .  76
     7.172. mibObjectName  . . . . . . . . . . . . . . . . . . . . .  76
     7.173. mibObjectDescription . . . . . . . . . . . . . . . . . .  76
     7.174. mibObjectSyntax  . . . . . . . . . . . . . . . . . . . .  76
     7.175. mibModuleName  . . . . . . . . . . . . . . . . . . . . .  76
     7.176. interface  . . . . . . . . . . . . . . . . . . . . . . .  77
     7.177. iflisteners  . . . . . . . . . . . . . . . . . . . . . .  77
     7.178. physicalProtocol . . . . . . . . . . . . . . . . . . . .  77
     7.179. hwAddress  . . . . . . . . . . . . . . . . . . . . . . .  78
     7.180. programName  . . . . . . . . . . . . . . . . . . . . . .  79
     7.181. userId . . . . . . . . . . . . . . . . . . . . . . . . .  79
     7.182. inetlisteningserver  . . . . . . . . . . . . . . . . . .  79
     7.183. transportProtocol  . . . . . . . . . . . . . . . . . . .  79
     7.184. localAddress . . . . . . . . . . . . . . . . . . . . . .  79
     7.185. localPort  . . . . . . . . . . . . . . . . . . . . . . .  80
     7.186. localFullAddress . . . . . . . . . . . . . . . . . . . .  80
     7.187. foreignAddress . . . . . . . . . . . . . . . . . . . . .  80
     7.188. foreignFullAddress . . . . . . . . . . . . . . . . . . .  80



     7.189. selinuxboolean . . . . . . . . . . . . . . . . . . . . .  80
     7.190. selinuxName  . . . . . . . . . . . . . . . . . . . . . .  81
     7.191. currentStatus  . . . . . . . . . . . . . . . . . . . . .  81
     7.192. pendingStatus  . . . . . . . . . . . . . . . . . . . . .  81
     7.193. selinuxsecuritycontext . . . . . . . . . . . . . . . . .  81
     7.194. filepath . . . . . . . . . . . . . . . . . . . . . . . .  82
     7.195. path . . . . . . . . . . . . . . . . . . . . . . . . . .  82
     7.196. filename . . . . . . . . . . . . . . . . . . . . . . . .  82
     7.197. pid  . . . . . . . . . . . . . . . . . . . . . . . . . .  82
     7.198. role . . . . . . . . . . . . . . . . . . . . . . . . . .  82
     7.199. domainType . . . . . . . . . . . . . . . . . . . . . . .  83
     7.200. lowSensitivity . . . . . . . . . . . . . . . . . . . . .  83
     7.201. lowCategory  . . . . . . . . . . . . . . . . . . . . . .  83
     7.202. highSensitivity  . . . . . . . . . . . . . . . . . . . .  83
     7.203. highCategory . . . . . . . . . . . . . . . . . . . . . .  83
     7.204. rawlowSensitivity  . . . . . . . . . . . . . . . . . . .  84
     7.205. rawlowCategory . . . . . . . . . . . . . . . . . . . . .  84
     7.206. rawhighSensitivity . . . . . . . . . . . . . . . . . . .  84
     7.207. rawhighCategory  . . . . . . . . . . . . . . . . . . . .  84
     7.208. systemdunitdependency  . . . . . . . . . . . . . . . . .  84
     7.209. unit . . . . . . . . . . . . . . . . . . . . . . . . . .  85
     7.210. dependency . . . . . . . . . . . . . . . . . . . . . . .  85
     7.211. systemdunitproperty  . . . . . . . . . . . . . . . . . .  85
     7.212. property . . . . . . . . . . . . . . . . . . . . . . . .  85
     7.213. systemdunitValue . . . . . . . . . . . . . . . . . . . .  85
     7.214. file . . . . . . . . . . . . . . . . . . . . . . . . . .  86
     7.215. fileType . . . . . . . . . . . . . . . . . . . . . . . .  86
     7.216. groupId  . . . . . . . . . . . . . . . . . . . . . . . .  86
     7.217. aTime  . . . . . . . . . . . . . . . . . . . . . . . . .  86
     7.218. cTime  . . . . . . . . . . . . . . . . . . . . . . . . .  86
     7.219. mTime  . . . . . . . . . . . . . . . . . . . . . . . . .  87
     7.220. size . . . . . . . . . . . . . . . . . . . . . . . . . .  87
     7.221. suid . . . . . . . . . . . . . . . . . . . . . . . . . .  87
     7.222. sgid . . . . . . . . . . . . . . . . . . . . . . . . . .  87
     7.223. sticky . . . . . . . . . . . . . . . . . . . . . . . . .  87
     7.224. hasExtendedAcl . . . . . . . . . . . . . . . . . . . . .  88
     7.225. inetd  . . . . . . . . . . . . . . . . . . . . . . . . .  88
     7.226. serverProgram  . . . . . . . . . . . . . . . . . . . . .  88
     7.227. inetdEndpointType  . . . . . . . . . . . . . . . . . . .  88
     7.228. execAsUser . . . . . . . . . . . . . . . . . . . . . . .  89
     7.229. waitStatus . . . . . . . . . . . . . . . . . . . . . . .  89
     7.230. inetAddr . . . . . . . . . . . . . . . . . . . . . . . .  90
     7.231. netmask  . . . . . . . . . . . . . . . . . . . . . . . .  90
     7.232. passwordInfo . . . . . . . . . . . . . . . . . . . . . .  90
     7.233. username . . . . . . . . . . . . . . . . . . . . . . . .  91
     7.234. password . . . . . . . . . . . . . . . . . . . . . . . .  91
     7.235. gcos . . . . . . . . . . . . . . . . . . . . . . . . . .  91
     7.236. homeDir  . . . . . . . . . . . . . . . . . . . . . . . .  91



     7.237. loginShell . . . . . . . . . . . . . . . . . . . . . . .  91
     7.238. lastLogin  . . . . . . . . . . . . . . . . . . . . . . .  92
     7.239. process  . . . . . . . . . . . . . . . . . . . . . . . .  92
     7.240. commandLine  . . . . . . . . . . . . . . . . . . . . . .  92
     7.241. ppid . . . . . . . . . . . . . . . . . . . . . . . . . .  92
     7.242. priority . . . . . . . . . . . . . . . . . . . . . . . .  93
     7.243. startTime  . . . . . . . . . . . . . . . . . . . . . . .  93
     7.244. routingtable . . . . . . . . . . . . . . . . . . . . . .  93
     7.245. destination  . . . . . . . . . . . . . . . . . . . . . .  93
     7.246. gateway  . . . . . . . . . . . . . . . . . . . . . . . .  93
     7.247. runlevelInfo . . . . . . . . . . . . . . . . . . . . . .  94
     7.248. runlevel . . . . . . . . . . . . . . . . . . . . . . . .  94
     7.249. start  . . . . . . . . . . . . . . . . . . . . . . . . .  94
     7.250. kill . . . . . . . . . . . . . . . . . . . . . . . . . .  94
     7.251. shadowItem . . . . . . . . . . . . . . . . . . . . . . .  94
     7.252. chgLst . . . . . . . . . . . . . . . . . . . . . . . . .  95
     7.253. chgAllow . . . . . . . . . . . . . . . . . . . . . . . .  95
     7.254. chgReq . . . . . . . . . . . . . . . . . . . . . . . . .  95
     7.255. expWarn  . . . . . . . . . . . . . . . . . . . . . . . .  95
     7.256. expInact . . . . . . . . . . . . . . . . . . . . . . . .  95
     7.257. expDate  . . . . . . . . . . . . . . . . . . . . . . . .  96
     7.258. encryptMethod  . . . . . . . . . . . . . . . . . . . . .  96
     7.259. symlink  . . . . . . . . . . . . . . . . . . . . . . . .  96
     7.260. symlinkFilepath  . . . . . . . . . . . . . . . . . . . .  96
     7.261. canonicalPath  . . . . . . . . . . . . . . . . . . . . .  97
     7.262. sysctl . . . . . . . . . . . . . . . . . . . . . . . . .  97
     7.263. kernelParameterName  . . . . . . . . . . . . . . . . . .  97
     7.264. kernelParameterValue . . . . . . . . . . . . . . . . . .  97
     7.265. uname  . . . . . . . . . . . . . . . . . . . . . . . . .  98
     7.266. machineClass . . . . . . . . . . . . . . . . . . . . . .  98
     7.267. nodeName . . . . . . . . . . . . . . . . . . . . . . . .  98
     7.268. osName . . . . . . . . . . . . . . . . . . . . . . . . .  98
     7.269. osRelease  . . . . . . . . . . . . . . . . . . . . . . .  98
     7.270. processorType  . . . . . . . . . . . . . . . . . . . . .  99
     7.271. internetService  . . . . . . . . . . . . . . . . . . . .  99
     7.272. serviceProtocol  . . . . . . . . . . . . . . . . . . . .  99
     7.273. serviceName  . . . . . . . . . . . . . . . . . . . . . .  99
     7.274. flags  . . . . . . . . . . . . . . . . . . . . . . . . .  99
     7.275. noAccess . . . . . . . . . . . . . . . . . . . . . . . . 100
     7.276. onlyFrom . . . . . . . . . . . . . . . . . . . . . . . . 100
     7.277. port . . . . . . . . . . . . . . . . . . . . . . . . . . 100
     7.278. server . . . . . . . . . . . . . . . . . . . . . . . . . 100
     7.279. serverArguments  . . . . . . . . . . . . . . . . . . . . 100
     7.280. socketType . . . . . . . . . . . . . . . . . . . . . . . 101
     7.281. registeredServiceType  . . . . . . . . . . . . . . . . . 101
     7.282. wait . . . . . . . . . . . . . . . . . . . . . . . . . . 101
     7.283. disabled . . . . . . . . . . . . . . . . . . . . . . . . 102
     7.284. windowsView  . . . . . . . . . . . . . . . . . . . . . . 102



     7.285. fileauditedpermissions . . . . . . . . . . . . . . . . . 102
     7.286. trusteeName  . . . . . . . . . . . . . . . . . . . . . . 103
     7.287. auditStandardDelete  . . . . . . . . . . . . . . . . . . 103
     7.288. auditStandardReadControl . . . . . . . . . . . . . . . . 103
     7.289. auditStandardWriteDac  . . . . . . . . . . . . . . . . . 104
     7.290. auditStandardWriteOwner  . . . . . . . . . . . . . . . . 104
     7.291. auditStandardSynchronize . . . . . . . . . . . . . . . . 105
     7.292. auditAccessSystemSecurity  . . . . . . . . . . . . . . . 105
     7.293. auditGenericRead . . . . . . . . . . . . . . . . . . . . 106
     7.294. auditGenericWrite  . . . . . . . . . . . . . . . . . . . 106
     7.295. auditGenericExecute  . . . . . . . . . . . . . . . . . . 107
     7.296. auditGenericAll  . . . . . . . . . . . . . . . . . . . . 107
     7.297. auditFileReadData  . . . . . . . . . . . . . . . . . . . 108
     7.298. auditFileWriteData . . . . . . . . . . . . . . . . . . . 108
     7.299. auditFileAppendData  . . . . . . . . . . . . . . . . . . 109
     7.300. auditFileReadEa  . . . . . . . . . . . . . . . . . . . . 109
     7.301. auditFileWriteEa . . . . . . . . . . . . . . . . . . . . 110
     7.302. auditFileExecute . . . . . . . . . . . . . . . . . . . . 110
     7.303. auditFileDeleteChild . . . . . . . . . . . . . . . . . . 111
     7.304. auditFileReadAttributes  . . . . . . . . . . . . . . . . 111
     7.305. auditFileWriteAttributes . . . . . . . . . . . . . . . . 112
     7.306. fileeffectiverights  . . . . . . . . . . . . . . . . . . 112
     7.307. standardDelete . . . . . . . . . . . . . . . . . . . . . 113
     7.308. standardReadControl  . . . . . . . . . . . . . . . . . . 113
     7.309. standardWriteDac . . . . . . . . . . . . . . . . . . . . 113
     7.310. standardWriteOwner . . . . . . . . . . . . . . . . . . . 114
     7.311. standardSynchronize  . . . . . . . . . . . . . . . . . . 114
     7.312. accessSystemSecurity . . . . . . . . . . . . . . . . . . 114
     7.313. genericRead  . . . . . . . . . . . . . . . . . . . . . . 114
     7.314. genericWrite . . . . . . . . . . . . . . . . . . . . . . 114
     7.315. genericExecute . . . . . . . . . . . . . . . . . . . . . 115
     7.316. genericAll . . . . . . . . . . . . . . . . . . . . . . . 115
     7.317. fileReadData . . . . . . . . . . . . . . . . . . . . . . 115
     7.318. fileWriteData  . . . . . . . . . . . . . . . . . . . . . 115
     7.319. fileAppendData . . . . . . . . . . . . . . . . . . . . . 115
     7.320. fileReadEa . . . . . . . . . . . . . . . . . . . . . . . 116
     7.321. fileWriteEa  . . . . . . . . . . . . . . . . . . . . . . 116
     7.322. fileExecute  . . . . . . . . . . . . . . . . . . . . . . 116
     7.323. fileDeleteChild  . . . . . . . . . . . . . . . . . . . . 116
     7.324. fileReadAttributes . . . . . . . . . . . . . . . . . . . 116
     7.325. fileWriteAttributes  . . . . . . . . . . . . . . . . . . 117
     7.326. groupInfo  . . . . . . . . . . . . . . . . . . . . . . . 117
     7.327. group  . . . . . . . . . . . . . . . . . . . . . . . . . 117
     7.328. subgroup . . . . . . . . . . . . . . . . . . . . . . . . 117
     7.329. groupSidInfo . . . . . . . . . . . . . . . . . . . . . . 117
     7.330. userSidInfo  . . . . . . . . . . . . . . . . . . . . . . 118
     7.331. userSid  . . . . . . . . . . . . . . . . . . . . . . . . 118
     7.332. subgroupSid  . . . . . . . . . . . . . . . . . . . . . . 118



     7.333. lockoutpolicy  . . . . . . . . . . . . . . . . . . . . . 118
     7.334. forceLogoff  . . . . . . . . . . . . . . . . . . . . . . 118
     7.335. lockoutDuration  . . . . . . . . . . . . . . . . . . . . 119
     7.336. lockoutObservationWindow . . . . . . . . . . . . . . . . 119
     7.337. lockoutThreshold . . . . . . . . . . . . . . . . . . . . 119
     7.338. passwordpolicy . . . . . . . . . . . . . . . . . . . . . 119
     7.339. maxPasswdAge . . . . . . . . . . . . . . . . . . . . . . 120
     7.340. minPasswdAge . . . . . . . . . . . . . . . . . . . . . . 120
     7.341. minPasswdLen . . . . . . . . . . . . . . . . . . . . . . 120
     7.342. passwordHistLen  . . . . . . . . . . . . . . . . . . . . 121
     7.343. passwordComplexity . . . . . . . . . . . . . . . . . . . 121
     7.344. reversibleEncryption . . . . . . . . . . . . . . . . . . 121
     7.345. portInfo . . . . . . . . . . . . . . . . . . . . . . . . 121
     7.346. foreignPort  . . . . . . . . . . . . . . . . . . . . . . 121
     7.347. printereffectiverights . . . . . . . . . . . . . . . . . 122
     7.348. printerName  . . . . . . . . . . . . . . . . . . . . . . 122
     7.349. printerAccessAdminister  . . . . . . . . . . . . . . . . 122
     7.350. printerAccessUse . . . . . . . . . . . . . . . . . . . . 122
     7.351. jobAccessAdminister  . . . . . . . . . . . . . . . . . . 122
     7.352. jobAccessRead  . . . . . . . . . . . . . . . . . . . . . 123
     7.353. registry . . . . . . . . . . . . . . . . . . . . . . . . 123
     7.354. registryHive . . . . . . . . . . . . . . . . . . . . . . 123
     7.355. registryKey  . . . . . . . . . . . . . . . . . . . . . . 124
     7.356. registryKeyName  . . . . . . . . . . . . . . . . . . . . 124
     7.357. lastWriteTime  . . . . . . . . . . . . . . . . . . . . . 124
     7.358. registryKeyType  . . . . . . . . . . . . . . . . . . . . 125
     7.359. registryKeyValue . . . . . . . . . . . . . . . . . . . . 126
     7.360. regkeyauditedpermissions . . . . . . . . . . . . . . . . 127
     7.361. auditKeyQueryValue . . . . . . . . . . . . . . . . . . . 128
     7.362. auditKeySetValue . . . . . . . . . . . . . . . . . . . . 128
     7.363. auditKeyCreateSubKey . . . . . . . . . . . . . . . . . . 129
     7.364. auditKeyEnumerateSubKeys . . . . . . . . . . . . . . . . 129
     7.365. auditKeyNotify . . . . . . . . . . . . . . . . . . . . . 130
     7.366. auditKeyCreateLink . . . . . . . . . . . . . . . . . . . 130
     7.367. auditKeyWow6464Key . . . . . . . . . . . . . . . . . . . 131
     7.368. auditKeyWow6432Key . . . . . . . . . . . . . . . . . . . 131
     7.369. auditKeyWow64Res . . . . . . . . . . . . . . . . . . . . 132
     7.370. regkeyeffectiverights  . . . . . . . . . . . . . . . . . 132
     7.371. keyQueryValue  . . . . . . . . . . . . . . . . . . . . . 133
     7.372. keySetValue  . . . . . . . . . . . . . . . . . . . . . . 133
     7.373. keyCreateSubKey  . . . . . . . . . . . . . . . . . . . . 133
     7.374. keyEnumerateSubKeys  . . . . . . . . . . . . . . . . . . 134
     7.375. keyNotify  . . . . . . . . . . . . . . . . . . . . . . . 134
     7.376. keyCreateLink  . . . . . . . . . . . . . . . . . . . . . 134
     7.377. keyWow6464Key  . . . . . . . . . . . . . . . . . . . . . 134
     7.378. keyWow6432Key  . . . . . . . . . . . . . . . . . . . . . 134
     7.379. keyWow64Res  . . . . . . . . . . . . . . . . . . . . . . 134
     7.380. service  . . . . . . . . . . . . . . . . . . . . . . . . 135
     7.381. displayName  . . . . . . . . . . . . . . . . . . . . . . 135
     7.382. description  . . . . . . . . . . . . . . . . . . . . . . 135
     7.383. serviceType  . . . . . . . . . . . . . . . . . . . . . . 135
     7.384. startType  . . . . . . . . . . . . . . . . . . . . . . . 136
     7.385. currentState . . . . . . . . . . . . . . . . . . . . . . 137
     7.386. controlsAccepted . . . . . . . . . . . . . . . . . . . . 138
     7.387. startName  . . . . . . . . . . . . . . . . . . . . . . . 140
     7.388. serviceFlag  . . . . . . . . . . . . . . . . . . . . . . 140
     7.389. dependencies . . . . . . . . . . . . . . . . . . . . . . 140
     7.390. serviceeffectiverights . . . . . . . . . . . . . . . . . 140
     7.391. trusteeSid . . . . . . . . . . . . . . . . . . . . . . . 141
     7.392. serviceQueryConf . . . . . . . . . . . . . . . . . . . . 141
     7.393. serviceChangeConf  . . . . . . . . . . . . . . . . . . . 141
     7.394. serviceQueryStat . . . . . . . . . . . . . . . . . . . . 141
     7.395. serviceEnumDependents  . . . . . . . . . . . . . . . . . 141
     7.396. serviceStart . . . . . . . . . . . . . . . . . . . . . . 142
     7.397. serviceStop  . . . . . . . . . . . . . . . . . . . . . . 142
     7.398. servicePause . . . . . . . . . . . . . . . . . . . . . . 142
     7.399. serviceInterrogate . . . . . . . . . . . . . . . . . . . 142
     7.400. serviceUserDefined . . . . . . . . . . . . . . . . . . . 142
     7.401. sharedresourceauditedpermissions . . . . . . . . . . . . 143
     7.402. netname  . . . . . . . . . . . . . . . . . . . . . . . . 143
     7.403. sharedresourceeffectiverights  . . . . . . . . . . . . . 143
     7.404. user . . . . . . . . . . . . . . . . . . . . . . . . . . 144
     7.405. enabled  . . . . . . . . . . . . . . . . . . . . . . . . 144
     7.406. lastLogon  . . . . . . . . . . . . . . . . . . . . . . . 144
     7.407. groupSid . . . . . . . . . . . . . . . . . . . . . . . . 144
     7.408. endpointType . . . . . . . . . . . . . . . . . . . . . . 144
     7.409. endpointPurpose  . . . . . . . . . . . . . . . . . . . . 145
     7.410. endpointCriticality  . . . . . . . . . . . . . . . . . . 145
     7.411. ingestTimestamp  . . . . . . . . . . . . . . . . . . . . 145
     7.412. vulnerabilityVersion . . . . . . . . . . . . . . . . . . 146
     7.413. vulnerabilityExternalId  . . . . . . . . . . . . . . . . 146
     7.414. vulnerabilitySeverity  . . . . . . . . . . . . . . . . . 146
     7.415. assessmentTimestamp  . . . . . . . . . . . . . . . . . . 146
     7.416. vulnerableSoftware . . . . . . . . . . . . . . . . . . . 146
     7.417. endpointVulnerabilityStatus  . . . . . . . . . . . . . . 147
     7.418. vulnerabilityDescription . . . . . . . . . . . . . . . . 147
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . 147
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . 148
   10. Security Considerations . . . . . . . . . . . . . . . . . . . 148
   11. Operational Considerations  . . . . . . . . . . . . . . . . . 149
     11.1.  Endpoint Designation . . . . . . . . . . . . . . . . . . 149
     11.2.  Timestamp Accuracy . . . . . . . . . . . . . . . . . . . 150
   12. Privacy Considerations  . . . . . . . . . . . . . . . . . . . 151
   13. References  . . . . . . . . . . . . . . . . . . . . . . . . . 151
     13.1.  Normative References . . . . . . . . . . . . . . . . . . 151
     13.2.  Informative References . . . . . . . . . . . . . . . . . 151
   Appendix A.  Change Log . . . . . . . . . . . . . . . . . . . . . 152
     A.1.  Changes in Revision 01  . . . . . . . . . . . . . . . . . 152
     A.2.  Changes in Revision 02  . . . . . . . . . . . . . . . . . 154
     A.3.  Changes in Revision 03  . . . . . . . . . . . . . . . . . 154
     A.4.  Changes in Revision 04  . . . . . . . . . . . . . . . . . 154
     A.5.  Changes in Revision 05  . . . . . . . . . . . . . . . . . 155
     A.6.  Changes in Revision 06  . . . . . . . . . . . . . . . . . 155
     A.7.  Changes in Revision 07  . . . . . . . . . . . . . . . . . 155
     A.8.  Changes in Revision 08  . . . . . . . . . . . . . . . . . 156
     A.9.  Changes in Revision 09  . . . . . . . . . . . . . . . . . 156
     A.10. Changes in Revision 10  . . . . . . . . . . . . . . . . . 157
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . 157

1.  Introduction

   The SACM Information Model (IM) serves multiple purposes:

   o  to ensure interoperability between SACM data models that are used
      as transport encodings,

   o  to provide a standardized set of Information Elements - the SACM
      Vocabulary - to enable the exchange of content vital to automated
      security posture assessment, and

   o  to enable secure information sharing in a scalable and extensible
      fashion in order to support the tasks conducted by SACM
      components.

   A complete set of requirements imposed on the IM can be found in
   [I-D.ietf-sacm-requirements].  The SACM IM is intended to be used for
   standardized data exchange between SACM components (data in motion).
   Nevertheless, the Information Elements (IE) and their relationships
   defined in this document can be leveraged to create and align
   corresponding data models for data at rest.

   The information model expresses, for example, target endpoint (TE)
   attributes, guidance, and evaluation results.  The corresponding
   Information Elements are consumed and produced by SACM components as
   they carry out tasks.

   The primary tasks that this information model supports (on data,
   control, and management plane) are:

   o  TE Discovery

   o  TE Characterization

   o  TE Classification

   o  Collection

   o  Evaluation

   o  Information Sharing

   o  SACM Component Discovery

   o  SACM Component Authentication

   o  SACM Component Authorization

   o  SACM Component Registration

   These tasks are defined in [I-D.ietf-sacm-terminology].

2.  Conventions used in this document

2.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.2.  Information Element Examples

   The notation used to define the SACM Information Elements (IEs) is
   based on a customized version of the IPFIX information model syntax
   [RFC7012] which is described in Figure 2.  However, there are several
   examples presented throughout the document that use a simplified
   pseudo-code to illustrate the basic structure.  It should be noted
   that while they include actual names of subjects and attributes as
   well as values, they are not intended to influence how corresponding
   SACM IEs should be defined in Section 7.  The examples are provided
   for demonstration purposes only.

3.  Information Elements

   The IEs defined in this document comprise the building blocks by
   which all SACM content is composed.  They are consumed and provided
   by SACM components on the data plane.  Every Information Element has
   a unique label: its name.  Every type of IE defined by the SACM IM is
   registered as a type at the IANA registry.  The Integer Index of the
   IANA SMI number tables can be used by SACM data models.

3.1.  Context of Information Elements

   The IEs in this information model represent information related to
   assets in the following areas (based on the use cases described in
   [RFC7632]):

   o  Endpoint Management

   o  Software Inventory Management

   o  Hardware Inventory Management

   o  Configuration Management

   o  Vulnerability Management

3.2.  Extensibility of Information Elements

   A SACM data model based on this information model MAY include
   additional information elements that are not defined here.  The
   labels of additional Information Elements included in different SACM
   data models MUST NOT conflict with the labels of the Information
   Elements defined by this information model, and the names of
   additional Information Elements MUST NOT conflict with each other or
   across multiple data models.  In order to avoid naming conflicts, the
   labels of additional IEs SHOULD be prefixed to avoid collisions
   across extensions.  The prefix MUST include an organizational
   identifier and therefore, for example, MAY be an IANA enterprise
   number, a (partial) name space URI, or an organization name
   abbreviation.

4.  Structure of Information Elements

   There are two basic types of IEs:

   o  Attributes: Atomic information elements that are equivalent to
      name-value-pairs and can be components of Subjects.

   o  Subjects: Composite information elements that have a name and are
      made up of Attributes and/or other Subjects.  Every IE that is
      part of a Subject can have a quantity associated with it (e.g.
      zero-one, none-unbounded).  The content IEs of a Subject can be
      ordered or unordered.

         Example Instance of an Attribute:
         hostname = "arbutus"

         Example Instance of a Subject:
         coordinates = (
           latitude = N27.99619,
           longitude = E86.92761
         )

          Figure 1: Example instance of an attribute and subject.

   In general, every piece of information that enables security posture
   assessment or further enriches the quality of the assessment process
   can be associated with metadata.  In the SACM IM, metadata is
   represented by specific subjects and is bundled with other attributes
   or subjects to provide additional information about them.  The IM
   explicitly defines two kinds of metadata:

   o  Metadata focusing on the data origin (the SACM component that
      provides the information to the SACM domain)

   o  Metadata focusing on the data source (the target endpoint that is
      assessed)

   Metadata can also include relationships that refer to other
   associated IEs (or SACM content in general) by using referencing
   labels that have to be included in the metadata of the associated IE.

   Subjects can be nested and the SACM IM allows for circular or
   recursive nesting.  The association of IEs via nesting results in a
   tree-like structure wherein subjects compose the root and
   intermediary nodes and attributes the leaves of the tree.  This
   semantic structure does not impose a specific structure on SACM data
   models regarding data in motion or data repository schemata for data
   at rest.

   The SACM IM provides two conceptual top-level subjects that are used
   to ensure a homogeneous structure for SACM content and its associated
   metadata: SACM statements and SACM content-elements.  Every set of
   IEs that is provided by a SACM component must provide the information
   contained in these two subjects although it is up to the implementer
   whether or not the subjects are explicitly defined in a data model.

   The notation in which the SACM IM is defined is based on a modified
   version of the IP Information Flow Export (IPFIX) Information Model
   syntax described in Section 2.1 of [RFC7012].  The customized syntax
   used by the SACM IM is defined below in Figure 2.

       elementId (required):    The numeric identifier of the
                                Information Element. It is used
                                for the compact identification
                                of an Information Element. If
                                this identifier is used without
                                an enterpriseID, then the
                                elementId must be unique, and
                                the description of allowed values
                                is administrated by IANA. The
                                value "TBD" may be used during
                                development of the information
                                model until an elementId is
                                assigned by IANA and filled
                                in at publication time.

       enterpriseId (optional): Enterprises may wish to define
                                Information Elements without
                                registering them with IANA, for
                                example, for enterprise-internal
                                purposes.  For such Information
                                Elements, the elementId is
                                not sufficient when used
                                outside the enterprise. If
                                specifications of enterprise-
                                specific Information Elements
                                are made public and/or if
                                enterprise-specific identifiers
                                are used by SACM components
                                outside the enterprise, then the
                                enterprise-specific identifier
                                MUST be made globally unique by
                                combining it with an enterprise
                                identifier.  Valid values for the
                                enterpriseId are defined by IANA
                                as Structure of Management
                                Information (SMI) network management
                                private enterprise numbers.

       name (required):         A unique and meaningful name for
                                the Information Element.

       dataType (required):     There are two kinds of datatypes:
                                simple and structured. Attributes are
                                defined using simple datatypes
                                and subjects are defined using
                                structured datatypes. The contents of
                                the datatype field will be either
                                a reference to one of the simple
                                datatypes listed in Section
                                5.1, or the specification of
                                structured datatype as defined in
                                Section 5.2.

       status (required):       The status of the specification
                                of the Information Element.
                                Allowed values are "current" and
                                "deprecated". All newly defined
                                Information Elements have "current"
                                status. The process for moving
                                Information Elements to the
                                "deprecated" status is TBD.

       description (required): Describes the meaning of the
                               Information Element, how it is
                               derived, conditions for its use,
                               etc.

       structure (optional):   A parsable property that provides
                               details about the definition of
                               structured Information Elements as
                               described in Section 5.2.

       references (optional):  Identifies other RFCs or documents
                               outside the IETF which provide
                               additional information or context
                               about the Information Element.

           Figure 2: Information Element Specification Template

4.1.  Information Element Naming Convention

   SACM Information Elements must adhere to the following naming
   conventions.

   o  Names SHOULD be descriptive

   o  Names MUST be unique within the SACM registry.  Enterprise-
      specific names SHOULD be prefixed with a Private Enterprise Number
      [PEN].

   o  Names MUST start with a lowercase letter unless they begin with a
      Private Enterprise Number

   o  Composed names MUST use capital letters for the first letter of
      each part

4.2.  SACM Content Elements

   Every piece of information that is provided by a SACM Component is
   always associated with a set of data source metadata (e.g. the
   timestamp when the information was collected, the target endpoint
   that this set of information is about, etc.), which is
   provided in the SACM Content Element Metadata.  The SACM Content
   Element is the subject information element that associates the
   information with the SACM Content Element Metadata.  The SACM Content
   Element Metadata may also include relationships that express
   associations with other SACM Content Elements.

               content-element = (
                 content-metadata = (
                   collection-timestamp = 146193322,
                   data-source = fb02e551-7101-4e68-8dec-1fde6bd10981
                 ),
                 hostname = "arbutus",
                 coordinates = (
                   latitude = N27.99619,
                   longitude = E86.92761
                 )
               )

   Figure 3: Example set of IEs associated with a timestamp and a target
                              endpoint label.

4.3.  SACM Statements

   One or more SACM Content Elements are bundled in a SACM Statement.
   In contrast to SACM Content Element Metadata, SACM Statement Metadata
   focuses on providing information about the SACM Component that
   provided it rather than the target endpoint that the content is
   about.  The only content-specific metadata included in the SACM
   Statement is the statement-type IE.  Therefore, multiple SACM Content
   Elements that share the same SACM Statement Metadata and are of the
   same statement-type can be included in a single SACM Statement.  A
   SACM Statement functions similarly to an envelope or a header and is
   the subject information element that associates SACM Statement
   Metadata with security automation information provided in its SACM
   Content Element(s).  Its purpose is to enable the tracking of the
   origin of data inside a SACM domain and, more importantly, to enable
   the mitigation of conflicting information that may originate from
   different SACM Components.  How a consuming SACM Component actually
   deals with conflicting information is out of scope of the SACM IM.
   Semantically, the term statement implies that the SACM content
   provided by a SACM Component might not be correct in every context,
   but rather is the result of a best effort to produce correct
   information.

               sacm-statement = (
                 statement-metadata = (
                   publish-timestamp = 1461934031,
                   data-origin = 24e67957-3d31-4878-8892-da2b35e121c2,
                   statement-type = observation
                 ),
                 content-element = (
                   content-metadata = (
                     collection-timestamp = 146193322,
                     data-source = fb02e551-7101-4e68-8dec-1fde6bd10981
                   ),
                   hostname = "arbutus"
                 )
               )

      Figure 4: Example of a simple SACM statement including a single
                             content-element.

               sacm-statement = (
                 statement-metadata = (
                   publish-timestamp = 1461934031,
                   data-origin = 24e67957-3d31-4878-8892-da2b35e121c2,
                   statement-type = observation
                 ),
                 content-element = (
                   content-metadata = (
                     collection-timestamp = 146193322,
                     data-source = fb02e551-7101-4e68-8dec-1fde6bd10981
                   ),
                   coordinates = (
                     latitude = N27.99619,
                     longitude = E86.92761
                   )
                 )
               )

               sacm-statement = (
                 statement-metadata = (
                   publish-timestamp = 1461934744,
                   data-origin = e42885a1-0270-44e9-bb5c-865cf6bd4800,
                   statement-type = observation
                 ),
                 content-element = (
                   content-metadata = (
                     collection-timestamp = 146193821,
                     te-label = fb02e551-7101-4e68-8dec-1fde6bd10981
                   ),
                   coordinates = (
                     latitude = N16.67622,
                     longitude = E141.55321
                   )
                 )
               )

       Figure 5: Example of conflicting information originating from
                        different SACM components.
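
   The conflict shown in Figure 5 can be detected by grouping reported
   values by target endpoint and comparing them across data origins.
   The following Python code is an added example, not part of the
   draft: it parses the pseudo-code notation of the figures and reports
   IEs for which two different data-origin values supply different
   content.  The parser, the function names, and the treatment of both
   data-source and te-label as the target endpoint key are assumptions
   made for this example.

```python
import re
from collections import defaultdict

TOKEN = re.compile(r'"[^"]*"|[()=,]|[^\s()=,"]+')
# Assumption: Figure 5 names the target endpoint "data-source" in one
# statement and "te-label" in the other, so either key identifies it here.
TE_KEYS = ("data-source", "te-label")

def parse(text):
    """Parse the pseudo-code notation into a list of (name, value) pairs;
    value is a str (attribute) or a nested list of pairs (subject)."""
    toks = TOKEN.findall(text)
    if re.sub(r"\s+", "", "".join(toks)) != re.sub(r"\s+", "", text):
        raise ValueError("unparsable input (unterminated string?)")
    pos = 0

    def items(top):
        nonlocal pos
        out = []
        while pos < len(toks):
            tok = toks[pos]
            if tok == ")":
                if top:
                    raise ValueError("unbalanced ')'")
                pos += 1
                return out
            if tok == ",":  # separators are optional for this parser
                pos += 1
                continue
            nxt = toks[pos + 1:pos + 3]
            if tok in ("(", "=") or len(nxt) < 2 or nxt[0] != "=":
                raise ValueError(f"expected 'name = value' at {tok!r}")
            pos += 3
            if nxt[1] == "(":
                out.append((tok, items(False)))
            elif nxt[1] in (")", "=", ","):
                raise ValueError(f"missing value for {tok}")
            else:
                out.append((tok, nxt[1].strip('"')))
        if not top:
            raise ValueError("missing ')'")
        return out

    return items(True)

def first(pairs, *names):
    pairs = [] if pairs is None or isinstance(pairs, str) else pairs
    return next((v for n, v in pairs if n in names), None)

def freeze(value):
    # Nested lists become tuples so that whole subjects can be compared.
    return value if isinstance(value, str) else tuple((n, freeze(v)) for n, v in value)

def find_conflicts(statements):
    """Map (target endpoint, IE name) to its reports [(origin, collected,
    value)] when two different data origins report different values."""
    reports = defaultdict(list)
    for kind, body in statements:
        if kind != "sacm-statement" or isinstance(body, str):
            continue
        origin = first(first(body, "statement-metadata"), "data-origin")
        for name, element in body:
            if name != "content-element" or isinstance(element, str):
                continue
            meta = first(element, "content-metadata")
            endpoint = first(meta, *TE_KEYS)
            collected = first(meta, "collection-timestamp")
            for ie, value in element:
                if ie != "content-metadata" and endpoint is not None:
                    reports[(endpoint, ie)].append((origin, collected, freeze(value)))
    return {key: rows for key, rows in reports.items()
            if any(a[0] != b[0] and a[2] != b[2] for a in rows for b in rows)}

# The two statements of Figure 5, reflowed onto fewer lines.
SAMPLE = """
sacm-statement = (
  statement-metadata = ( publish-timestamp = 1461934031,
    data-origin = 24e67957-3d31-4878-8892-da2b35e121c2,
    statement-type = observation ),
  content-element = (
    content-metadata = ( collection-timestamp = 146193322,
      data-source = fb02e551-7101-4e68-8dec-1fde6bd10981 ),
    coordinates = ( latitude = N27.99619, longitude = E86.92761 ) ) )
sacm-statement = (
  statement-metadata = ( publish-timestamp = 1461934744,
    data-origin = e42885a1-0270-44e9-bb5c-865cf6bd4800,
    statement-type = observation ),
  content-element = (
    content-metadata = ( collection-timestamp = 146193821,
      te-label = fb02e551-7101-4e68-8dec-1fde6bd10981 ),
    coordinates = ( latitude = N16.67622, longitude = E141.55321 ) ) )
"""
```

   Calling find_conflicts(parse(SAMPLE)) returns one entry, keyed by the
   shared target endpoint label and the IE name coordinates, listing
   both reports with their data origin and collection timestamp.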

4.4.  Relationships

   An IE can be associated with another IE, e.g. a user-name attribute
   can be associated with a content-authorization subject.  These
   references are expressed via the relationships subject, which can be
   included in a corresponding content-metadata subject.  The
   relationships subject includes a list of one or more references.  The
   SACM IM does not enforce a SACM domain to use unique identifiers as
   references.  Therefore, there are at least two ways to reference
   another

   o  The value of a reference represents a specific content-label that
      is unique in a SACM domain (and has to be included in the
      corresponding content-element metadata in order to be referenced),
      or

   o  The reference is a subject that includes an appropriate number of
      IEs in order to identify the referenced content-element by its
      actual content.

   It is recommended to provide unique identifiers in a SACM domain and
   the SACM IM provides a corresponding naming-convention as a reference
   in Section 4.1.  The alternative highlighted above summarizes a valid
   approach that does not require unique identifiers and is similar to
   the approach of referencing target endpoints via identifying
   attributes included in a characterization record.

               content-element = (
                 content-metadata = (
                   collection-timestamp = 1461934031,
                   te-label =
                     fb02e551-7101-4e68-8dec-1fde6bd10981,
                   relationships = (
                     associated-with-user-account =
                       f3d70ef4-7e18-42af-a894-8955ba87c95d
                   )
                 ),
                 hostname = "arbutus"
               )

               content-element = (
                 content-metadata = (
                   content-label = f3d70ef4-7e18-42af-a894-8955ba87c95d
                 ),
                 user-account = (
                   username = romeo,
                   authentication = local
                 )
               )

    Figure 6: Example instance of a content-element subject associated
              with another subject via its content metadata.

4.5.  Event

   Event subjects provide a structure to represent a change of IE
   values that was detected by a collection task at a specific point in
   time.  It is mandatory to include the new values and the collection
   timestamp in an event subject, and it is recommended to include the
   past values and a collection timestamp that were replaced by the new
   IE values.  Every event can also be associated with a
   subject-specific event-timestamp and a lastseen-timestamp that might
   differ from the corresponding collection-timestamps.  If these are
   omitted, the collection-timestamp that is included in the
   content-metadata subject is used instead.

           sacm-statement = (
             statement-metadata = (
               publish-timestamp = 1461934031,
               data-origin = 24e67957-3d31-4878-8892-da2b35e121c2,
               statement-type = event
             ),
             event = (
               event-attributes = (
                 event-name = "host-name change",
                 content-element = (
                   content-metadata = (
                     collection-timestamp = 146193322,
                     data-source =
                       fb02e551-7101-4e68-8dec-1fde6bd10981,
                     event-component = past-state
                   ),
                   hostname = "arbutus"
                 ),
                 content-element = (
                   content-metadata = (
                     collection-timestamp = 146195723,
                     data-source =
                       fb02e551-7101-4e68-8dec-1fde6bd10981,
                     event-component = current-state
                   ),
                   hostname = "lilac"
                 )
               )
             )
           )

        Figure 7: Example of a SACM statement containing an event.

4.6.  Categories

   Categories are special IEs that refer to multiple types of IEs via
   just one name.  Therefore, they are similar to a type-choice.  A
   prominent example of a category is when identifying a target
   endpoint.  In some cases, a target endpoint will be identified by a
   set of identifying attributes and in other cases a target endpoint
   will be identified by a target endpoint label which is unique within
   a SACM domain.  If a subject includes the targetEndpoint information
   element as one of its components, any of the category members
   (targetEndpointIdentifier or targetEndpointLabel) are valid to be
   used in its place.

5.  Abstract Data Types

   This section describes the set of valid abstract data types that can
   be used for the specification of the SACM Information Elements in
   Section 7.  SACM currently supports two classes of datatypes that can
   be used to define Information Elements.

   o  Simple: Datatypes that are atomic and are used to define the type
      of data represented by an attribute Information Element.

   o  Structured: Datatypes that can be used to define the type of data
      represented by a subject Information Element.

   Note that further abstract data types may be specified by future
   extensions of the SACM information model.

5.1.  Simple Datatypes

5.1.1.  IPFIX Datatypes

   To facilitate the use of existing work, SACM supports the following
   abstract data types defined in Section 3 of [RFC7012].

   o  unsigned8, unsigned16, unsigned32, unsigned64

   o  signed8, signed16, signed32, signed64

   o  float32, float64

   o  boolean

   o  macAddress

   o  octetArray

   o  string

   o  dateTimeSeconds, dateTimeMilliseconds, dateTimeMicroseconds,
      dateTimeNanoSeconds

   o  ipv4Address, ipv6Address

5.2.  Structured Datatypes

5.2.1.  List Datatypes

   SACM defines the following abstract list data types that are used to
   represent the structured data associated with subjects.

   o  list: indicates that the Information Element order is not
      significant but MAY be preserved.

   o  orderedList: indicates that Information Element order is
      significant and MUST be preserved.

   The notation for defining a SACM structured datatype is based on
   regular expressions, which are composed of the keywords "list" or
   "orderedList" and an Information Element expression.  IE expressions
   use some of the regular expression syntax and operators, but the
   terms in the expression are the names of defined Information Elements
   instead of character classes.  The syntax for defining list and
   orderedList datatypes is described below, using BNF:

       <list-def> -> ("list"|"orderedList") "(" <ie-expression> ")"

       <ie-expression> -> <ie-name> <cardinality>?
                          ( ("," | "|") <ie-name> <cardinality>?)*

       <cardinality> -> "*" | "+" | "?" |
                        ( "(" <non-neg-int> ("," <non-neg-int>)? ")" )

               Figure 8: Syntax for Defining List Datatypes

   As seen above, multiple occurrences of an Information Element may be
   present in a structured datatype.  The cardinality of an Information
   Element within a structured Information Element definition is defined
   by the following operators:

       * - zero or more occurrences

       + - one or more occurrences

       ? - zero or one occurrence

      (m,n) - between m and n occurrences

         Figure 9: Specifying Cardinality for Structured Datatypes

   The absence of a cardinality operator implies one mandatory
   occurrence of the Information Element.

   Below is an example of a structured Information Element definition.

   personInfo = list(firstName, middleNames?, lastName)
   firstName = string
   middleNames = orderedList(middleName+)
   middleName = string
   lastName = string

   As an example, consider the name "John Ronald Reuel Tolkien".
   Below are instances of this name, structured according to the
   personInfo definition.

   personInfo = (firstName="John", middleNames(middleName="Ronald",
                 middleName="Reuel"), lastName="Tolkien")

   personInfo = (middleNames(middleName="Ronald", middleName="Reuel"),
                 lastName="Tolkien", firstName="John")

   The instance below is not legal with respect to the definition
   of personInfo because the order in middleNames is not preserved.

   personInfo = (firstName="John", middleNames(middleName="Reuel",
                 middleName="Ronald"), lastName="Tolkien")

         Figure 10: Example of Defining a Structured List Datatype
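
   The following Python sketch is an added example, not part of the
   draft.  It parses the list-def syntax of Figure 8, checks the
   cardinality rules of Figure 9, and compares instances so that "list"
   content is order-insensitive while "orderedList" content is not.
   The function names and the (name, value) pair encoding of instances
   are assumptions, "(m)" alone is assumed to mean exactly m, and "|"
   alternatives are not handled.

```python
import re
from collections import Counter

# One <ie-expression> term: <ie-name> <cardinality>? followed by "," or end of input.
TERM_RE = re.compile(r"([0-9A-Za-z]+)(\*|\+|\?|\((\d+)(?:,(\d+))?\))?(,|$)")
DEF_RE = re.compile(r"(list|orderedList)\((.+)\)")
SHORTHAND = {"*": (0, None), "+": (1, None), "?": (0, 1)}  # None = unbounded


def parse_list_def(text):
    """Parse a Figure 8 <list-def> into (kind, [(ie_name, min, max), ...])."""
    m = DEF_RE.fullmatch("".join(text.split()))
    if not m:
        raise ValueError(f"not a list/orderedList definition: {text!r}")
    kind, body = m.groups()
    terms, pos, sep = [], 0, ","
    while pos < len(body):
        t = TERM_RE.match(body, pos)
        if not t:  # also rejects "|" alternatives, which this sketch omits
            raise ValueError(f"bad IE expression at offset {pos}: {body!r}")
        name, card, lo, hi, sep = t.groups()
        if card is None:
            bounds = (1, 1)  # no operator: one mandatory occurrence
        elif card in SHORTHAND:
            bounds = SHORTHAND[card]
        else:  # "(m,n)"; assumption: "(m)" alone means exactly m
            bounds = (int(lo), int(hi if hi is not None else lo))
        if bounds[1] is not None and bounds[0] > bounds[1]:
            raise ValueError(f"empty range for {name}: {card}")
        terms.append((name, *bounds))
        pos = t.end()
    if sep == ",":
        raise ValueError(f"trailing comma in {body!r}")
    return kind, terms


def validate(name, value, defs, path=""):
    """Return cardinality/type violations for one instance (empty list = valid)."""
    here = f"{path}/{name}"
    spec = defs.get(name)
    if spec is None:
        return [f"{here}: undefined Information Element"]
    if spec == "string":
        return [] if isinstance(value, str) else [f"{here}: expected a string"]
    if not isinstance(value, list):
        return [f"{here}: expected a list of (name, value) pairs"]
    terms = spec[1]
    counts = Counter(child for child, _ in value)
    errors = []
    for ie, lo, hi in terms:
        n = counts.pop(ie, 0)
        if n < lo or (hi is not None and n > hi):
            limit = "unbounded" if hi is None else hi
            errors.append(f"{here}: {ie} occurs {n} time(s), allowed {lo}..{limit}")
    errors += [f"{here}: unexpected {ie}" for ie in counts]
    for child, sub in value:
        if any(child == term[0] for term in terms):
            errors += validate(child, sub, defs, here)
    return errors


def canonical(name, value, defs):
    """Comparable form of a validated instance: children of a 'list' are
    sorted, children of an 'orderedList' keep their order."""
    spec = defs[name]
    if spec == "string":
        return value
    children = [(child, canonical(child, sub, defs)) for child, sub in value]
    return tuple(children if spec[0] == "orderedList" else sorted(children))


def same_information(name, a, b, defs):
    """True if two valid instances carry the same information."""
    return canonical(name, a, defs) == canonical(name, b, defs)


# Definitions from Figure 10 of the draft.
DEFS = {
    "personInfo": parse_list_def("list(firstName, middleNames?, lastName)"),
    "firstName": "string",
    "middleNames": parse_list_def("orderedList(middleName+)"),
    "middleName": "string",
    "lastName": "string",
}
# The three Figure 10 instances as (name, value) pairs (encoding is an assumption).
MIDDLE = [("middleName", "Ronald"), ("middleName", "Reuel")]
FIRST = [("firstName", "John"), ("middleNames", MIDDLE), ("lastName", "Tolkien")]
REORDERED = [("middleNames", MIDDLE), ("lastName", "Tolkien"), ("firstName", "John")]
SWAPPED = [("firstName", "John"), ("middleNames", MIDDLE[::-1]), ("lastName", "Tolkien")]

if __name__ == "__main__":
    for label, inst in (("first", FIRST), ("reordered", REORDERED), ("swapped", SWAPPED)):
        print(label, validate("personInfo", inst, DEFS),
              same_information("personInfo", FIRST, inst, DEFS))
```

   The third instance passes the cardinality checks, so a consumer that
   only validates structure would accept it; only the order-sensitive
   comparison shows that it no longer carries the original name.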

5.2.2.  Enumeration Datatype

   SACM defines the following abstract enumeration datatype that is used
   to represent the restriction of an attribute value to a set of
   values.

   name, hex-value, description
   <enumeration-def> -> <name> ";" <hex-value> ";" <description>
   <name> -> [0-9a-zA-Z]+
   <hex-value> -> 0x[0-9a-fA-F]+
   <description> -> [0-9a-zA-Z\.\,]+

          Figure 11: Syntax for Defining an Enumeration Datatype

   Below is an example of a structured Information Element definition
   for an enumeration.

                               Red    ; 0x1  ; The color is red.
                               Orange ; 0x2  ; The color is orange.
                               Yellow ; 0x3  ; The color is yellow.
                               Green  ; 0x4  ; The color is green.
                               ...

     Figure 12: Example of Defining a Structured Enumeration Datatype

5.2.3.  Category Datatype

   SACM defines the following abstract category datatype that is used to
   represent a type-choice between a set of information elements.

           <category-def> -> "category(" <ie-expression> ")"
           <ie-expression> -> <ie-name> ("|" <ie-name>)*
           <name> -> [0-9a-zA-Z]+

            Figure 13: Syntax for Defining a Category Datatype

   Below is an example of a structured Information Element definition
   for a category.

       targetEndpoint = category(targetEndpointIdentifier |
                                 targetEndpointLabel)

       Figure 14: Example of Defining a Structured Category Datatype

6.  Information Model Assets

   In order to represent the Information Elements related to the areas
   listed in Section 3.1, the information model defines the information
   needs (or metadata about those information needs) related to the
   following types of assets, which are defined in
   [I-D.ietf-sacm-terminology] (and included below for convenience)
   and are of interest to SACM:

   o  Endpoint

   o  Software Component

   o  Hardware Component

   o  Identity

   o  Guidance

   o  Evaluation Results

   The following figure shows the makeup of an Endpoint asset, which
   contains zero or more hardware components and zero or more software
   components, each of which may have zero or more instances running on
   an endpoint at any given time, as well as zero or more identities
   that act on behalf of the endpoint when interfacing with other
   endpoints, tools, or services.  An endpoint may also contain other
   endpoints in the case of a virtualized environment.

           +---------+*______in>_______*+-----+
           |Hardware |                  |!   !|
           |Component|   +---------+    |!   !|
           +---------+   |Software |in> |!   !|
                         |Component|____|!   !|
                         +---------+*  *|!   !|
                             1|         |!   !|
                             *|         |     |       +----------+
                         +---------+    |End- |*_____*| Identity |
                         |Software |in> |point| acts  +----------+
                         |Instance |____|     | for>
                         +---------+*  1|!   !|
                                        |!   !|
                                        |!   !|
                                        |!   !|
                                        |!   !|____
                                        |!   !|0..1|
                                        +-----+    |
                                           |*      |
                                           |_______|
                                              in>


                      Figure 15: Model of an Endpoint

6.1.  Asset

   As defined in [RFC4949], an asset is a system resource that is (a)
   required to be protected by an information system's security policy,
   (b) intended to be protected by a countermeasure, or (c) required for
   a system's mission.

   In the scope of SACM, an asset can be composed of other assets.
   Examples of Assets include: Endpoints, Software, Guidance, or
   Identity.  Furthermore, an asset is not necessarily owned by an
   organization.

6.2.  Endpoint

   From [RFC5209], an endpoint is any computing device that can be
   connected to a network.  Such devices normally are associated with a
   particular link layer address before joining the network and
   potentially an IP address once on the network.  This includes:
   laptops, desktops, servers, cell phones, or any device that may have
   an IP address.

   To further clarify, an endpoint is any physical or virtual device
   that may have a network address.  Note that network infrastructure
   devices (e.g. switches, routers, firewalls), which fit the
   definition, are also considered to be endpoints within this document.

   Physical endpoints are always composites that are composed of
   hardware components and software components.  Virtual endpoints are
   composed entirely of software components and rely on software
   components that provide functions equivalent to hardware components.

   The SACM architecture differentiates two essential categories of
   endpoints: Endpoints whose security posture is intended to be
   assessed (target endpoints) and endpoints that are specifically
   excluded from endpoint posture assessment (excluded endpoints).

6.3.  Hardware Component

   Hardware components are the distinguishable physical components that
   compose an endpoint.  The composition of an endpoint can be changed
   over time by adding or removing hardware components.  In essence,
   every physical endpoint is potentially a composite of multiple
   hardware components, typically resulting in a hierarchical
   composition of hardware components.  The composition of hardware
   components is based on interconnects provided by specific hardware
   types (e.g.  mainboard is a hardware type that provides local busses
   as an interconnect).  In general, a hardware component can be
   distinguished by its serial number.

   Examples of hardware components include: motherboards, network
   interfaces, graphics cards, hard drives, etc.

6.4.  Software Component

   A software package installed on an endpoint (including the operating
   system) as well as a unique serial number if present (e.g. a text
   editor associated with a unique license key).

   It should be noted that this includes both benign and harmful
   software packages.  Examples of benign software components include:
   applications, patches, operating system kernel, boot loader,
   firmware, code embedded on a webpage, etc.  Examples of malicious
   software components include: malware, trojans, viruses, etc.

6.4.1.  Software Instance

   A running instance of the software component (e.g. on a multi-user
   system, one logged-in user has one instance of a text editor running
   and another logged-in user has another instance of the same text
   editor running, or on a single-user system, a user could have
   multiple independent instances of the same text editor running).

6.5.  Identity

   Any mechanism that can be used to identify an asset during an
   authentication process.  Examples include usernames, user and device
   certificates, etc.  Note that this is different from the identity of
   assets in the context of designation as described in Section 11.1.

6.6.  Guidance

   Guidance is input instructions to processes and tasks, such as
   collection or evaluation.  Guidance influences the behavior of a SACM
   component and is considered content of the management plane.
   Guidance can be manually or automatically generated or provided.
   Typically, the tasks that provide guidance to SACM components have a
   low frequency and tend to be sporadic.  A prominent example of
   guidance is target endpoint profiles, but guidance can have many
   forms, including:

      Configuration, e.g. a SACM component's name, or a CMDB's IPv6
      address.

      Profiles, e.g. a set of expected states for network behavior
      associated with target endpoints employed by specific users.

      Policies, e.g. an interval to refresh the registration of a SACM
      component, or a list of required capabilities for SACM components
      in a specific location.

6.6.1.  Collection Guidance

   A collector may need guidance to govern what it collects and when.
   Collection Guidance provides instructions for a Collector that
   specify which endpoint attributes to collect, when to collect them,
   and how to collect them.  Collection Guidance is composed of Target
   Endpoint Attribute Guidance, Frequency Guidance, and Method Guidance.

   o  Target Endpoint Attribute Guidance: Set of endpoint attributes
      that are supposed to be collected from a target endpoint.  The
      definition of the set of endpoint attributes is typically based on
      an endpoint characterization record.

   o  Frequency Guidance: Specifies when endpoint attributes are to be
      collected.

   o  Method Guidance: Indicates how endpoint attributes are to be
      collected.

6.6.2.  Evaluation Guidance

   An evaluator typically needs guidance to govern what it considers to
   be a good or bad security posture.  Evaluation Guidance provides
   instructions for an Evaluator that specify which endpoint
   attributes to evaluate, the desired state of those endpoint
   attributes, and any special requirements that enable an Evaluator to
   determine if the endpoint attributes can be used in the evaluation
   (e.g. freshness of data, how it was collected, etc.).  Evaluation
   Guidance is composed of Target Endpoint Attribute Guidance, Expected
   Endpoint Attribute Value Guidance, and Frequency Guidance.

   o  Target Endpoint Attribute Guidance: Set of target endpoint
      attributes that are supposed to be used in an evaluation as well
      as any requirements on the endpoint attributes.  The definition of
      the set of endpoint attributes is typically based on an endpoint
      characterization record.

   o  Expected Endpoint Attribute Value Guidance: The expected values of
      the endpoint attributes described in the Target Endpoint Attribute
      Guidance.

   o  Frequency Guidance: Specifies when endpoint attributes are to be
      evaluated.

   o  Method Guidance: Indicates how endpoint attributes are to be
      collected.

6.6.3.  Classification Guidance

   A SACM Component carrying out the Target Endpoint Classification Task
   may need guidance on how to classify an endpoint, specifically on how
   to associate endpoint classes with a specific target endpoint
   characterization record.  Target Endpoint Classes function as
   guidance for collection, evaluation, remediation and security posture
   assessment in general.  Classification Guidance is composed of Target
   Endpoint Attribute Guidance and Class Guidance.

   o  Target Endpoint Attribute Guidance: Set of target endpoint
      attributes that are supposed to be used to identify the endpoint
      characterization record.

   o  Class Guidance: A list of target endpoint classes that are to be
      associated with the identified target endpoint characterization
      record.

6.6.4.  Storage Guidance

   A SACM Component typically needs guidance to govern what information
   it should store and where.  Storage Guidance provides instructions
   for a SACM Component that specify which security automation
   information should be stored, for how long, and on which endpoint.
   Storage Guidance is composed of Target Endpoint Attribute Guidance,
   Expected Security Automation Information Guidance, and Retention
   Guidance.

   o  Target Endpoint Attribute Guidance: Set of target endpoint
      attributes that are supposed to be used to identify the endpoint
      where the security automation information is to be stored.

   o  Expected Security Automation Information Guidance: The security
      automation information that is expected to be stored (guidance,
      collected posture attributes, results, etc.).

   o  Retention Guidance: Specifies how long the security automation
      information should be stored.

6.6.5.  Evaluation Results

   Evaluation Results are the output of comparing the actual state of an
   endpoint against the expected state of an endpoint.  In addition to
   the actual results of the comparison, Evaluation Results should
   include the Evaluation Guidance and actual target endpoint attribute
   values used to perform the evaluation.

7.  Information Model Elements

   This section defines the specific Information Elements and
   relationships that will be implemented by data models and transported
   between SACM Components.

7.1.  sacmStatement

               elementId: TBD
               name: sacmStatement
               dataType: orderedList
               status: current
               description: Associates SACM Statement Metadata
               which provides data origin information about
               the providing SACM Component with one or more
               SACM Content Elements that contain security
               automation information.
               structure: orderedList(sacmStatementMetadata,
                                      sacmContentElement+)

7.2.  sacmStatementMetadata

               elementId: TBD
               name: sacmStatementMetadata
               dataType: orderedList
               status: current
               description: Contains IEs that provide
               information about the data origin of the
               providing SACM Component as well as the
               information necessary for other SACM
               Components to understand the type of
               security automation information in the
               SACM Statement's SACM Content Element(s).
               structure: orderedList(publicationTimestamp,
                                      dataOrigin, anyIE*)

7.3.  sacmContentElement

               elementId: TBD
               name: sacmContentElement
               dataType: list
               status: current
               description: Associates SACM Content Element
               Metadata which provides information about the
               data source and type of security automation
               information with the actual security automation
               information.
               structure: TODO

7.4.  sacmContentElementMetadata

               elementId: TBD
               name: sacmContentElementMetadata
               dataType: orderedList
               status: current
               description: Contains IEs that provide
               information about the data source and type of
               security automation information such that other
               SACM Components are able to parse and understand
               the security automation information contained
               within the SACM Statement's SACM Content Element(s).
               structure: orderedList(collectionTimestamp,
                                      targetEndpoint, anyIE*)

7.5.  targetEndpoint

               elementId: TBD
               name: targetEndpoint
               dataType: category
               status: current
               description: Information that identifies a target
               endpoint on the network. This may be a set of
               attributes that can be used to identify an endpoint
               on the network or a label that is unique to a SACM
               domain.
               structure: category(targetEndpointIdentifier |
                                   targetEndpointLabel)

7.6.  targetEndpointIdentifier

               elementId: TBD
               name: targetEndpointIdentifier
               dataType: list
               status: current
               description: A set of attributes that uniquely
                           identify a target endpoint on the network.
               structure: list(anyIE+)

7.7.  targetEndpointLabel

               elementId: TBD
               name: targetEndpointLabel
               dataType: string
               status: current
               description: A label that uniquely identifies
                           a target endpoint in a SACM domain.

7.8.  anyIE

               elementId: TBD
               name: anyIE
               dataType: category
               status: current
               description: This category is a placeholder
               for any information element defined within
               the SACM Information Model. Its purpose is
               to provide an extension point in other
               information elements that enable them to
               support the specific needs of an enterprise,
               user, product, or service.

7.9.  accessPrivilegeType

               elementId: TBD
               name: accessPrivilegeType
               dataType: string
               status: current
               description: A set of types that represent access
               privileges (read, write, none, etc.).

7.10.  accountName

               elementId: TBD
               name: accountName
               dataType: string
               status: current
               description: A label that uniquely identifies an account
               that can require some form of (user) authentication to
               access.

7.11.  administrativeDomainType

               elementId: TBD
               name: administrativeDomainType
               dataType: string
               status: current
               description: A label that is supposed to uniquely
               identify an administrative domain.

7.12.  addressAssociationType

               elementId: TBD
               name: addressAssociationType
               dataType: string
               status: current
               description: A label that is supposed to uniquely
               identify an administrative domain.

7.13.  addressMaskValue

               elementId: TBD
               name: addressMaskValue
               dataType: string
               status: current
               description: A value that expresses a generic address
               subnetting bitmask.

7.14.  addressType

               elementId: TBD
               name: addressType
               dataType: string
               status: current
               description: A set of types that specifies the type
               of address that is expressed in an address subject
               (e.g. ethernet, modbus, zigbee).

7.15.  addressValue

               elementId: TBD
               name: addressValue
               dataType: string
               status: current
               description: A value that expresses a generic network
                            address.

7.16.  applicationComponent

               elementId: TBD
               name: applicationComponent
               dataType: string
               status: current
               description: A label that references a "sub"-application
               that is part of the application (e.g. an add-on, a
               cipher-suite, a library).

7.17.  applicationLabel

               elementId: TBD
               name: applicationLabel
               dataType: string
               status: current
               description: A label that is supposed to uniquely
               reference an application.

7.18.  applicationType

               elementId: TBD
               name: applicationType
               dataType: string
               status: current
               description: A set of types (FIXME maybe a finite set
               is not realistic here - value not enumerator?) that
               identifies the type of (user-space) application
               (e.g. text-editor, policy-editor, service-client,
               service-server, calendar, rogue-like RPG).

7.19.  applicationManufacturer

               elementId: TBD
               name: applicationManufacturer
               dataType: string
               status: current
               description: The name of the vendor that created the
               application.

7.20.  authenticator

               elementId: TBD
               name: authenticator
               dataType: string
               status: current
               description: A label that references a SACM component
               that can authenticate target endpoints (can be used in
               a target-endpoint subject to express that the target
               endpoint was authenticated by that SACM component).

7.21.  authenticationType

               elementId: TBD
               name: authenticationType
               dataType: string
               status: current
               description: A set of types that express which type
               of authentication was used to enable a network
               interaction/connection.

7.22.  birthdate

            elementId: TBD
            name: birthdate
            dataType: string
            status: current
            description: A label for the registered day of
            birth of a natural person (e.g. the date of birth
            of a person as an ISO date string).
            references: http://rs.tdwg.org/ontology/voc/Person#birthdate

7.23.  bytesReceived

               elementId: TBD
               name: bytesReceived
               dataType: string
               status: current
               description: A value that represents a number of octets
               received on a network interface.

7.24.  bytesReceived

               elementId: TBD
               name: bytesReceived
               dataType: string
               status: current
               description: A value that represents the number of
               octets received on a network interface.

7.25.  bytesSent

               elementId: TBD
               name: bytesSent
               dataType: string
               status: current
               description: A value that represents the number of
               octets sent on a network interface.

7.26.  certificate

               elementId: TBD
               name: certificate
               dataType: string
               status: current
               description: A value that expresses a certificate that
               can be collected from a target endpoint.

7.27.  collectionTaskType

               elementId: TBD
               name: collectionTaskType
               dataType: string
               status: current
               description: A set of types that defines how collected
               SACM content was acquired (e.g. network-observation,
               remote-acquisition, self-reported, derived, authority,
               verified).

7.28.  confidence

            elementId: TBD
            name: confidence
            dataType: string
            status: current
            description: A representation of the subjective probability
            that the assessed value is correct. If no confidence value
            is given, it is assumed that the confidence is 1. Acceptable
            values are between 0 and 1.

7.29.  contentAction

               elementId: TBD
               name: contentAction
               dataType: string
               status: current
               description: A set of types that express a type of
               action (e.g. add, delete, update). It can be associated,
               for instance, with an event subject or with a network
               observation.

7.30.  countryCode

               elementId: TBD
               name: countryCode
               dataType: string
               status: current
               description: A set of types according to ISO 3166-1.

7.31.  dataOrigin

               elementId: TBD
               name: dataOrigin
               dataType: string
               status: current
               description: A label that uniquely identifies a SACM
               component in and across SACM domains.

7.32.  dataSource

               elementId: TBD
               name: dataSource
               dataType: string
               status: current
               description: A label that is supposed to uniquely
               identify the data source (e.g. a target endpoint or
               sensor) that provided an initial endpoint attribute
               record.

7.33.  default-depth

               elementId: TBD
               name: default-depth
               dataType: string
               status: current
               description: A value that expresses how often a circular
               reference of subject is allowed to repeat, or how deep
               a recursive nesting may occur, respectively.

7.34.  discoverer

               elementId: TBD
               name: discoverer
               dataType: string
               status: current
               description: A label that refers to the SACM component
               that discovered a target endpoint (can be used in a
               target-endpoint subject to express, for example, that
               the target endpoint was authenticated by that SACM
               component).

7.35.  emailAddress

               elementId: TBD
               name: emailAddress
               dataType: string
               status: current
               description: A value that expresses an email-address.

7.36.  eventType

               elementId: TBD
               name: eventType
               dataType: string
               status: current
               description: A set of types that define the categories
               of an event (e.g. access-level-change,
               change-of-privilege, change-of-authorization,
               environmental-event, or provisioning-event).

7.37.  eventThreshold

               elementId: TBD
               name: eventThreshold
               dataType: string
               status: current
               description: If applicable, a value that can be
               included in an event subject to indicate what numeric
               threshold value was crossed to trigger that event.

7.38.  eventThresholdName

               elementId: TBD
               name: eventThresholdName
               dataType: string
               status: current
               description: If an event is created due to a crossed
               threshold, the threshold might have a name associated
               with it that can be expressed via this value.

7.39.  eventTrigger

               elementId: TBD
               name: eventTrigger
               dataType: string
               status: current
               description: This value is used to express more
               complex trigger conditions that may cause the creation
               of an event.

7.40.  firmwareId

               elementId: TBD
               name: firmwareId
               dataType: string
               status: current
               description: A label that represents the BIOS or
               firmware ID of a specific target endpoint.

7.41.  hostName

               elementId: TBD
               name: hostName
               dataType: string
               status: current
               description: A label typically associated with an
               endpoint, but not always intended to be unique within
               a given scope.

7.42.  interfaceLabel

               elementId: TBD
               name: interfaceLabel
               dataType: string
               status: current
               description: A unique label that can be used to
                            reference a network interface.

7.43.  ipv6AddressSubnetMask

               elementId: TBD
               name: ipv6AddressSubnetMask
               dataType: string
               status: current
               description: An IPv6 subnet bitmask.

7.44.  ipv6AddressSubnetMaskCidrNotation

               elementId: TBD
               name: ipv6AddressSubnetMaskCidrNotation
               dataType: string
               status: current
               description: An IPv6 subnet bitmask in CIDR notation.

7.45.  ipv6AddressValue

               elementId: TBD
               name: ipv6AddressValue
               dataType: ipv6Address
               status: current
               description: An IPv6 subnet bitmask in CIDR notation.

7.46.  ipv4AddressSubnetMask

               elementId: TBD
               name: ipv4AddressSubnetMask
               dataType: string
               status: current
               description: An IPv4 subnet bitmask.

7.47.  ipv4AddressSubnetMaskCidrNotation

               elementId: TBD
               name: ipv4AddressSubnetMaskCidrNotation
               dataType: string
               status: current
               description: An IPv4 subnet bitmask in CIDR notation.

7.48.  ipv4AddressValue

               elementId: TBD
               name: ipv4AddressValue
               dataType: ipv4Address
               status: current
               description: An IPv4 address value.

7.49.  layer2InterfaceType

               elementId: TBD
               name: layer2InterfaceType
               dataType: string
               status: current
               description: A set of types referenced by IANA ifType.

7.50.  layer4PortAddress

               elementId: TBD
               name: layer4PortAddress
               dataType: unsigned32
               status: current
               description: A layer 4 port address
               typically associated with TCP and UDP
               protocols.

7.51.  layer4Protocol

               elementId: TBD
               name: layer4Protocol
               dataType: string
               status: current
               description: A set of types that express a layer 4
               protocol (e.g. UDP or TCP).

7.52.  locationName

               elementId: TBD
               name: locationName
               dataType: string
               status: current
               description: A value that represents a named region of
                            physical space.

7.53.  networkZoneLocation

               elementId: TBD
               name: networkZoneLocation
               dataType: string
               status: current
               description: The zone location of an endpoint on the
                            network (e.g. internet, enterprise DMZ,
                            enterprise WAN, enclave DMZ, enclave).

7.54.  layer2NetworkLocation

               elementId: TBD
               name: layer2NetworkLocation
               dataType: string
               status: current
               description: The location of a layer-2 interface on
               the network (e.g. link-layer neighborhood,
               shared broadcast domain).

7.55.  layer3NetworkLocation

               elementId: TBD
               name: layer3NetworkLocation
               dataType: string
               status: current
               description: The location of a layer-3 interface on
               the network (e.g. next-hop routing neighbor).

7.56.  macAddressValue

               elementId: TBD
               name: macAddressValue
               dataType: string
               status: current
               description: A value that expresses an Ethernet address.

7.57.  methodLabel

               elementId: TBD
               name: methodLabel
               dataType: string
               status: current
               description: A label that references a specific method
               registered and used in a SACM domain (e.g. method to
               match and re-identify target endpoints via identifying
               attributes).

7.58.  methodRepository

               elementId: TBD
               name: methodRepository
               dataType: string
               status: current
               description: A label that references a SACM component
               at which methods can be registered and that can provide
               guidance in the form of registered methods to other
               SACM components.

7.59.  networkAccessLevelType

               elementId: TBD
               name: networkAccessLevelType
               dataType: string
               status: current
               description: A set of types that express categories
               of network access-levels (e.g. block, quarantine, etc.).

7.60.  networkId

               elementId: TBD
               name: networkId
               dataType: string
               status: current
               description: Most networks, such as AS, OSPF domains,
               or VLANs, can have an ID.

7.61.  networkInterfaceName

               elementId: TBD
               name: networkInterfaceName
               dataType: string
               status: current
               description: A label that uniquely identifies an
               interface associated with a distinguishable endpoint.

7.62.  networkLayer

               elementId: TBD
               name: networkLayer
               dataType: string
               status: current
               description: A set of layers that expresses the specific
               network layer an interface operates on.

7.63.  networkName

               elementId: TBD
               name: networkName
               dataType: string
               status: current
               description: A label that is associated with a network.
               Some networks, for example effective
               layer2-broadcast-domains, are difficult to "grasp" and
               therefore quite difficult to name.

7.64.  organizationId

               elementId: TBD
               name: organizationId
               dataType: string
               status: current
               description: A label that uniquely identifies an
                            organization via a PEN.

7.65.  patchId

               elementId: TBD
               name: patchId
               dataType: string
               status: current
               description: A label that uniquely identifies a specific
                            software patch.

7.66.  patchName

               elementId: TBD
               name: patchName
               dataType: string
               status: current
               description: The vendor's name of a software patch.

7.67.  personFirstName

               elementId: TBD
               name: personFirstName
               dataType: string
               status: current
               description: The first name of a natural person.

7.68.  personLastName

               elementId: TBD
               name: personLastName
               dataType: string
               status: current
               description: The last name of a natural person.

7.69.  personMiddleName

               elementId: TBD
               name: personMiddleName
               dataType: string
               status: current
               description: The middle name of a natural person.

7.70.  phoneNumber

             elementId: TBD
             name: phoneNumber
             dataType: string
             status: current
             description: A label that expresses the U.S. national
             phone number (e.g. pattern value="((\d{3}) )?\d{3}-\d{4}").

7.71.  phoneNumberType

               elementId: TBD
               name: phoneNumberType
               dataType: string
               status: current
               description: A set of types that express the type of
               a phone number (e.g. DSN, Fax, Home, Mobile, Pager,
               Secure, Unsecure, Work, Other).

7.72.  privilegeName

               elementId: TBD
               name: privilegeName
               dataType: string
               status: current
               description: The attribute name of the privilege
               represented as an AVP.

7.73.  privilegeValue

               elementId: TBD
               name: privilegeValue
               dataType: string
               status: current
               description: The value content of the privilege
               represented as an AVP.

7.74.  protocol

               elementId: TBD
               name: protocol
               dataType: string
               status: current
               description: A set of types that defines specific
               protocols above layer 4 (e.g. http, https, dns, ipp,
               or unknown).

7.75.  publicKey

               elementId: TBD
               name: publicKey
               dataType: string
               status: current
               description: The value of a public key (regardless of its
               method of creation, crypto-system, or signature scheme)
               that can be collected from a target endpoint.

7.76.  relationshipContentElementGuid

               elementId: TBD
               name: relationshipContentElementGuid
               dataType: string
               status: current
               description: A reference to a specific content element
               used in a relationship subject.

7.77.  relationshipStatementElementGuid

               elementId: TBD
               name: relationshipStatementElementGuid
               dataType: string
               status: current
               description: A reference to a specific SACM statement
               used in a relationship subject.

7.78.  relationshipObjectLabel

               elementId: TBD
               name: relationshipObjectLabel
               dataType: string
               status: current
               description: A reference to a specific label used in
               content (e.g. a te-label or a user-id). This
               reference is typically used if matching content
               attributes can be done efficiently and can also be
               included in addition to a
               relationship-content-element-guid reference.

7.79.  relationshipType

               elementId: TBD
               name: relationshipType
               dataType: string
               status: current
               description: A set of types that is in every instance
               of a relationship subject to highlight what kind of
               relationship exists between the subject the relationship
               is included in (e.g. associated_with_user,
               applies_to_session, seen_on_interface,
               associated_with_flow, contains_virtual_device).

7.80.  roleName

               elementId: TBD
               name: roleName
               dataType: string
               status: current
               description: A label that references a collection of
               privileges assigned to a specific entity.

7.81.  sessionStateType

               elementId: TBD
               name: sessionStateType
               dataType: string
               status: current
               description: A set of types a discernible session (an
               ongoing network interaction) can be in (e.g.
               Authenticating, Authenticated, Postured, Started,
               Disconnected).

7.82.  statementGuid

               elementId: TBD
               name: statementGuid
               dataType: string
               status: current
               description: A label that expresses a globally unique
               ID referencing a specific SACM statement that was
               produced by a SACM component.

7.83.  statementType

               elementId: TBD
               name: statementType
               dataType: string
               status: current
               description: A set of types that define the type of
               content that is included in a SACM statement (e.g.
               Observation, DirectoryContent, Correlation, Assessment,
               Guidance, Event).

7.84.  status

               elementId: TBD
               name: status
               dataType: string
               status: current
               description: A set of types that defines possible
               result values for a finding in general (e.g. true,
               false, error, unknown, not applicable, not evaluated).

7.85.  subAdministrativeDomain

               elementId: TBD
               name: subAdministrativeDomain
               dataType: string
               status: current
               description: A label for related child domains an
               administrative domain can be composed of (used in the
               subject administrativeDomain).

7.86.  subInterfaceLabel

               elementId: TBD
               name: subInterfaceLabel
               dataType: string
               status: current
               description: A unique label a sub network interface
               (e.g. a tagged vlan on a trunk) can be referenced
               with.

7.87.  superAdministrativeDomain

               elementId: TBD
               name: superAdministrativeDomain
               dataType: string
               status: current
               description: A label for related parent domains an
                            administrative domain is part of (used
                            in the subject administrativeDomain).

7.88.  superInterfaceLabel

               elementId: TBD
               name: superInterfaceLabel
               dataType: string
               status: current
               description: A unique label a super network interface
                            (e.g. a physical interface a tunnel
                            interface terminates on) can be referenced
                            with.

7.89.  teAssessmentState

               elementId: TBD
               name: teAssessmentState
               dataType: string
               status: current
               description: A set of types that defines the state of
                            assessment of a target-endpoint (e.g.
                            in-discovery, discovered, in-classification,
                            classified, in-assessment, assessed).

7.90.  teLabel

               elementId: TBD
               name: teLabel
               dataType: string
               status: current
               description: An identifying label created from a set
                            of identifying attributes used to reference
                            a specific target endpoint.

7.91.  teId

               elementId: TBD
               name: teId
               dataType: string
               status: current
               description: An identifying label that is created
                            randomly, is supposed to be unique, and
                            used to reference a specific target
                            endpoint.

7.92.  timestampType

               elementId: TBD
               name: timestampType
               dataType: string
               status: current
               description: A set of types that express what type of
                            action or event happened at that point
                            of time (e.g. discovered, classified,
                            collected, published). Can be included in
                            a generic timestamp subject.

7.93.  unitsReceived

               elementId: TBD
               name: unitsReceived
               dataType: string
               status: current
               description: A value that represents a number of units
                            (e.g. frames, packets, cells or segments)
                            received on a network interface.

7.94.  unitsSent

               elementId: TBD
               name: unitsSent
               dataType: string
               status: current
               description: A value that represents a number of units
                            (e.g. frames, packets, cells or segments)
                            sent on a network interface.

7.95.  userDirectory

               elementId: TBD
               name: userDirectory
               dataType: string
               status: current
               description: A label that identifies a specific type
               of user-directory (e.g. ldap, active-directory,
               local-user).

7.96.  sacmUserId

               elementId: TBD
               name: sacmUserId
               dataType: string
               status: current
               description: A label that references a specific user
               known in a SACM domain.

7.97.  webSite

               elementId: TBD
               name: webSite
               dataType: string
               status: current
               description: A URI that references a web-site.

7.98.  WGS84Longitude

               elementId: TBD
               name: WGS84Longitude
               dataType: float64
               status: current
               description: A label that represents WGS 84 rev 2004
               longitude.

7.99.  WGS84Latitude

               elementId: TBD
               name: WGS84Latitude
               dataType: float64
               status: current
               description: A label that represents WGS 84 rev 2004
               latitude.

7.100.  WGS84Altitude

               elementId: TBD
               name: WGS84Altitude
               dataType: float64
               status: current
               description: A label that represents WGS 84 rev 2004
               altitude.

7.101.  hardwareSerialNumber

               elementId: TBD
               name: hardwareSerialNumber
               dataType: string
               status: current
               description: A globally unique identifier for a
                            particular piece of hardware assigned
                            by the vendor.

7.102.  interfaceName

               elementId: TBD
               name: interfaceName
               dataType: string
               status: current
               description: A short name uniquely describing an
                            interface, e.g. "Eth1/0". See [RFC2863]
                            for the definition of the ifName object.

7.103.  interfaceIndex

   elementId: TBD
   name: interfaceIndex
   dataType: unsigned32
   status: current
   description: The index of an interface installed on an endpoint.
                The value matches the value of managed object
                'ifIndex' as defined in [RFC2863]. Note that ifIndex
                values are not assigned statically to an interface
                and that the interfaces may be renumbered every time
                the device's management system is re-initialized,
                as specified in [RFC2863].

7.104.  interfaceMacAddress

   elementId: TBD
   name: interfaceMacAddress
   dataType: macAddress
   status: current
   description: The IEEE 802 MAC address associated with a network
                interface on an endpoint.

7.105.  interfaceType

   elementId: TBD
   name: interfaceType
   dataType: unsigned32
   status: current
   description: The type of a network interface. The value matches
                the value of managed object 'ifType' as defined in
                [IANA registry ianaiftype-mib].

7.106.  interfaceFlags

   elementId: TBD
   name: interfaceFlags
   dataType: unsigned16
   status: current
   description: This information element specifies the flags
                associated with a network interface. Possible
                values include:
   structure:
          Up                  ; 0x1   ; Interface is up.
          Broadcast           ; 0x2   ; Broadcast address valid.
          Debug               ; 0x4   ; Turn on debugging.
          Loopback            ; 0x8   ; Is a loopback net.
          Point-to-point      ; 0x10  ; Interface is point-to-point
                                        link.
          No trailers         ; 0x20  ; Avoid use of trailers.
          Resources allocated ; 0x40  ; Resources allocated.
          No ARP              ; 0x80  ; No address resolution protocol.
          Receive all         ; 0x100 ; Receive all packets.

7.107.  networkInterface

   elementId: TBD
   name: networkInterface
   dataType: orderedList
   status: current
   description: Information about a network interface
                installed on an endpoint. The
                following high-level diagram
                describes the structure of
                networkInterface information
                element.
   structure: orderedList(interfaceName, interfaceIndex, macAddress,
                          interfaceType, flags)
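
   The following Python sketch is an added example, not part of the
   draft: it validates a networkInterface orderedList positionally and
   decodes its interfaceFlags bitmask using the values listed in 7.106.
   The function names, the textual MAC format, the posture policy and
   the sample records are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Bit values exactly as listed in the interfaceFlags structure (7.106).
INTERFACE_FLAGS = {
    0x1: "Up", 0x2: "Broadcast", 0x4: "Debug", 0x8: "Loopback",
    0x10: "Point-to-point", 0x20: "No trailers", 0x40: "Resources allocated",
    0x80: "No ARP", 0x100: "Receive all",
}
KNOWN_MASK = sum(INTERFACE_FLAGS)  # 0x1FF: every bit the structure defines

# Assumption: macAddress arrives as six hex octets joined by ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")


def is_unsigned(value, bits):
    """True if value is an integer that fits the unsigned<bits> data type."""
    return (isinstance(value, int) and not isinstance(value, bool)
            and 0 <= value < (1 << bits))


def decode_interface_flags(value):
    """Return (flag names in bit order, bits set but not defined in 7.106)."""
    if not is_unsigned(value, 16):
        raise ValueError("interfaceFlags must be an unsigned16")
    names = [name for bit, name in sorted(INTERFACE_FLAGS.items())
             if value & bit]
    return names, value & ~KNOWN_MASK & 0xFFFF


@dataclass
class NetworkInterface:
    interface_name: str
    interface_index: int
    mac_address: str
    interface_type: int
    flags: int


def parse_network_interface(record):
    """Validate an orderedList: the position of a member carries its meaning."""
    if len(record) != 5:
        raise ValueError("networkInterface needs exactly five members")
    name, index, mac, if_type, flags = record
    if not isinstance(name, str) or not name:
        raise ValueError("interfaceName must be a non-empty string")
    if not is_unsigned(index, 32) or not is_unsigned(if_type, 32):
        raise ValueError("interfaceIndex and interfaceType must be unsigned32")
    if not isinstance(mac, str) or not MAC_RE.match(mac):
        raise ValueError("macAddress must be six hex octets")
    decode_interface_flags(flags)  # raises if flags is not an unsigned16
    return NetworkInterface(name, index, mac.lower().replace("-", ":"),
                            if_type, flags)


def posture_findings(iface):
    """Findings an evaluator might raise (this policy is an assumption)."""
    names, undefined = decode_interface_flags(iface.flags)
    findings = []
    if "Receive all" in names and "Loopback" not in names:
        findings.append("receive-all set: interface accepts all packets")
    if "Debug" in names:
        findings.append("debug flag set")
    if undefined:
        findings.append(f"undefined flag bits 0x{undefined:x}")
    return findings


# Constructed sample records (ifType 6 = ethernetCsmacd, 24 = softwareLoopback).
SAMPLE_RECORDS = [
    ("Eth1/0", 2, "00:00:5E:00:53:01", 6, 0x143),
    ("lo", 1, "00-00-00-00-00-00", 24, 0x49),
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        iface = parse_network_interface(record)
        print(iface.interface_name, decode_interface_flags(iface.flags)[0],
              posture_findings(iface))
```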

7.108.  softwareIdentifier

   elementId: TBD
   name: softwareIdentifier
   dataType: string
   status: current
   description: A globally unique identifier for a particular
                software application.

7.109.  softwareTitle

   elementId: TBD
   name: softwareTitle
   dataType: string
   status: current
   description: The title of the software application.

7.110.  softwareCreator

   elementId: TBD
   name: softwareCreator
   dataType: string
   status: current
   description: The software developer (e.g., vendor or author).

7.111.  simpleSoftwareVersion

   elementId: TBD
   name: simpleSoftwareVersion
   dataType: string
   status: current
   description: The version string for a software application that
                conforms to the format of a list of hierarchical
                non-negative integers separated by a single character
                delimiter format.

7.112.  rpmSoftwareVersion

   elementId: TBD
   name: rpmSoftwareVersion
   dataType: string
   status: current
   description: The version string for a software application that
                conforms to the EPOCH:VERSION-RELEASE format.

7.113.  ciscoTrainSoftwareVersion

   elementId: TBD
   name: ciscoTrainSoftwareVersion
   dataType: string
   status: current
   description: The version string for a software application that
                conforms to the Cisco IOS Train string format.

7.114.  softwareVersion

   elementId: TBD
   name: softwareVersion
   dataType: category
   status: current
   description: The version of the software application. Software
                applications may be versioned using a number of
                schemas. The following high-level diagram describes
                the structure of the softwareVersion information
                element.
   structure: category(simpleSoftwareVersion | rpmSoftwareVersion |
                   ciscoTrainSoftwareVersion)
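
   The following Python sketch is an added example, not part of the
   draft: it validates a version string against the category member it
   is tagged with and orders simpleSoftwareVersion and rpmSoftwareVersion
   values for a minimum-version check.  Assumptions: the function names,
   a consistent delimiter in simple versions, an optional EPOCH that
   defaults to 0, a simplified segment comparison that ignores the rpm
   '~' and '^' rules, and the constructed sample records.

```python
import re

# Members of the softwareVersion category, as listed in its structure (7.114).
CATEGORY_MEMBERS = ("simpleSoftwareVersion", "rpmSoftwareVersion",
                    "ciscoTrainSoftwareVersion")

# Assumption: one delimiter character, used consistently ("1.10.3", "7_0_2").
SIMPLE_RE = re.compile(r"^[0-9]+(?:([^0-9A-Za-z\s])[0-9]+(?:\1[0-9]+)*)?$")
# Assumption: "EPOCH:" may be omitted and then counts as 0, as rpm treats it.
RPM_RE = re.compile(r"^(?:([0-9]+):)?([^:\s-]+)-([^:\s-]+)$")


def parse_software_version(member, value):
    """Validate value against the named category member and return a key."""
    if member not in CATEGORY_MEMBERS:
        raise ValueError(f"{member!r} is not a softwareVersion member")
    if member == "simpleSoftwareVersion":
        if not SIMPLE_RE.match(value):
            raise ValueError(f"{value!r} is not a delimited integer list")
        return tuple(int(part) for part in re.findall(r"[0-9]+", value))
    if member == "rpmSoftwareVersion":
        match = RPM_RE.match(value)
        if not match:
            raise ValueError(f"{value!r} is not EPOCH:VERSION-RELEASE")
        return (int(match.group(1) or 0), match.group(2), match.group(3))
    raise ValueError("ciscoTrainSoftwareVersion ordering is not covered here")


def rpm_segment_compare(a, b):
    """Simplified rpm-style ordering of one VERSION or RELEASE string."""
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts higher
        key_x, key_y = (int(x), int(y)) if x.isdigit() else (x, y)
        if key_x != key_y:
            return 1 if key_x > key_y else -1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def compare_versions(member, a, b):
    """Return -1, 0 or 1; both values must belong to the same member."""
    key_a = parse_software_version(member, a)
    key_b = parse_software_version(member, b)
    if member == "simpleSoftwareVersion":
        # Integer tuples: a longer list sorts after its own prefix.
        return (key_a > key_b) - (key_a < key_b)
    if key_a[0] != key_b[0]:  # EPOCH outranks VERSION and RELEASE
        return 1 if key_a[0] > key_b[0] else -1
    return (rpm_segment_compare(key_a[1], key_b[1])
            or rpm_segment_compare(key_a[2], key_b[2]))


def outdated(installed, minimum):
    """Titles whose version is below the minimum or uses another member."""
    flagged = []
    for title, member, version in installed:
        required_member, required_version = minimum[title]
        if (member != required_member
                or compare_versions(member, version, required_version) < 0):
            flagged.append(title)
    return flagged


# Constructed sample data: (softwareTitle, category member, version string).
INSTALLED = [
    ("example-agent", "simpleSoftwareVersion", "1.9.2"),
    ("example-lib", "rpmSoftwareVersion", "2.4.6-3.el7"),
    ("example-daemon", "rpmSoftwareVersion", "1:0.9-1"),
]
MINIMUM = {
    "example-agent": ("simpleSoftwareVersion", "1.10.0"),
    "example-lib": ("rpmSoftwareVersion", "2.4.6-10.el7"),
    "example-daemon": ("rpmSoftwareVersion", "3.2-5"),
}

if __name__ == "__main__":
    print(outdated(INSTALLED, MINIMUM))
```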


7.115.  softwareLastUpdated

   elementId: TBD
   name: softwareLastUpdated
   dataType: dateTimeSeconds
   status: current
   description: The date and time when the software instance
                was last updated on the system (e.g., new
                version installed or patch applied).

7.116.  softwareClass

               elementId: TBD
               name: softwareClass
               dataType: enumeration
               status: current
               description: The class of the software instance.
               structure:
           Unknown                ; 0x1 ; The class is not known.
           Other                  ; 0x2 ; The class is known, but,
                                          something other than a value
                                          listed in the enumeration.
           Driver                 ; 0x3 ; The class is a device driver.
           Configuration Software ; 0x4 ; The class is configuration
                                          software.
           Application Software   ; 0x5 ; The class is application
                                          software.
           Instrumentation        ; 0x6 ; The class is instrumentation.
           Diagnostic Software    ; 0x8 ; The class is diagnostic
                                          software.
           Operating System       ; 0x9 ; The class is operating
                                          system.
           Middleware             ; 0xA ; The class is middleware.
           Firmware               ; 0xB ; The class is firmware.
           BIOS/FCode             ; 0xC ; The class is BIOS or FCode.
           Support/Service Pack   ; 0xD ; The class is a support or
                                          service pack.
           Software Bundle        ; 0xE ; The class is a software
                                          bundle.
               References: See Classifications of the DMTF
                           CIM_SoftwareIdentity schema.

7.117.  softwareInstance

   elementId: TBD
   name: softwareInstance
   dataType: orderedList
   status: current
   description: Information about an instance of software
                installed on an endpoint. The following
                high-level diagram describes the structure of
                the softwareInstance information element.
   structure: orderedList(softwareIdentifier, softwareTitle,
                          softwareCreator, softwareVersion,
                          softwareLastUpdated, softwareClass)

7.118.  globallyUniqueIdentifier

   elementId: TBD
   name: globallyUniqueIdentifier
   dataType: unsigned8
   status: current
   description: TODO.

7.119.  creationTimestamp

   elementId: TBD
   name: creationTimestamp
   dataType: dateTimeSeconds
   status: current
   description: The date and time when the posture
                information was created by a SACM Component.

7.120.  collectionTimestamp

   elementId: TBD
   name: collectionTimestamp
   dataType: dateTimeSeconds
   status: current
   description: The date and time when the posture
                information was collected or observed by a SACM
                Component.

7.121.  publicationTimestamp

   elementId: TBD
   name: publicationTimestamp
   dataType: dateTimeSeconds
   status: current
   description: The date and time when the posture
                information was published.

7.122.  relayTimestamp

   elementId: TBD
   name: relayTimestamp
   dataType: dateTimeSeconds
   status: current
   description: The date and time when the posture
                information was relayed to another SACM Component.

7.123.  storageTimestamp

   elementId: TBD
   name: storageTimestamp
   dataType: dateTimeSeconds
   status: current
   description: The date and time when the posture
                information was stored in a Repository.

7.124.  type

   elementId: TBD
   name: type
   dataType: enumeration
   status: current
   description: The type of data model used to represent
                some set of endpoint information. The following
                table lists the set of data models supported by SACM.
   structure: TBD

7.125.  protocolIdentifier

   elementId: TBD
   name: protocolIdentifier
   dataType: unsigned8
   status: current
   description: The value of the protocol number in the IP packet
                header. The protocol number identifies the IP packet
                payload type. Protocol numbers are defined in the
                IANA Protocol Numbers registry.

                In Internet Protocol version 4 (IPv4), this is
                carried in the Protocol field.  In Internet Protocol
                version 6 (IPv6), this is carried in the Next Header
                field in the last extension header of the packet.

7.126.  sourceTransportPort

   elementId: TBD
   name: sourceTransportPort
   dataType: unsigned16
   status: current
   description: The source port identifier in the transport header.
                For the transport protocols UDP, TCP, and SCTP, this
                is the source port number given in the respective
                header.  This field MAY also be used for future
                transport protocols that have 16-bit source port
                identifiers.

7.127.  sourceIPv4PrefixLength

   elementId: TBD
   name: sourceIPv4PrefixLength
   dataType: unsigned8
   status: current
   description: The number of contiguous bits that are relevant in
                the sourceIPv4Prefix Information Element.

7.128.  ingressInterface

   elementId: TBD
   name: ingressInterface
   dataType: unsigned32
   status: current
   description: The index of the IP interface where packets of this
                Flow are being received.  The value matches the
                value of managed object 'ifIndex' as defined in
                [RFC2863]. Note that ifIndex values are not assigned
                statically to an interface and that the interfaces
                may be renumbered every time the device's management
                system is re-initialized, as specified in [RFC2863].

7.129.  destinationTransportPort

   elementId: TBD
   name: destinationTransportPort
   dataType: unsigned16
   status: current
   description: The destination port identifier in the transport
                header. For the transport protocols UDP, TCP, and
                SCTP, this is the destination port number given in
                the respective header. This field MAY also be used
                for future transport protocols that have 16-bit
                destination port identifiers.

7.130.  sourceIPv6PrefixLength

   elementId: TBD
   name: sourceIPv6PrefixLength
   dataType: unsigned8
   status: current
   description: The number of contiguous bits that are relevant in
                the sourceIPv6Prefix Information Element.

7.131.  sourceIPv4Prefix

   elementId: TBD
   name: sourceIPv4Prefix
   dataType: ipv4Address
   status: current
   description: IPv4 source address prefix.

7.132.  destinationIPv4Prefix

   elementId: TBD
   name: destinationIPv4Prefix
   dataType: ipv4Address
   status: current
   description: IPv4 destination address prefix.

7.133.  sourceMacAddress

   elementId: TBD
   name: sourceMacAddress
   dataType: macAddress
   status: current
   description: The IEEE 802 source MAC address field.

7.134.  ipVersion

   elementId: TBD
   name: ipVersion
   dataType: unsigned8
   status: current
   description: The IP version field in the IP packet header.

7.135.  interfaceDescription

   elementId: TBD
   name: interfaceDescription
   dataType: string
   status: current
   description: The description of an interface, e.g.
                "FastEthernet 1/0" or "ISP connection".

7.136.  applicationDescription

   elementId: TBD
   name: applicationDescription
   dataType: string
   status: current
   description: Specifies the description of an application.

7.137.  applicationId

   elementId: TBD
   name: applicationId
   dataType: octetArray
   status: current
   description: Specifies an Application ID per [RFC6759].

7.138.  applicationName

   elementId: TBD
   name: applicationName
   dataType: string
   status: current
   description: Specifies the name of an application.

7.139.  exporterIPv4Address

   elementId: TBD
   name: exporterIPv4Address
   dataType: ipv4Address
   status: current
   description: The IPv4 address used by the Exporting Process.
                This is used by the Collector to identify the
                Exporter in cases where the identity of the Exporter
                may have been obscured by the use of a proxy.

7.140.  exporterIPv6Address

   elementId: TBD
   name: exporterIPv6Address
   dataType: ipv6Address
   status: current
   description: The IPv6 address used by the Exporting Process.
                This is used by the Collector to identify the
                Exporter in cases where the identity of the
                Exporter may have been obscured by the use of a
                proxy.

7.141.  portId

   elementId: TBD
   name: portId
   dataType: unsigned32
   status: current
   description: An identifier of a line port that is unique per
                IPFIX Device hosting an Observation Point.
                Typically, this Information Element is used for
                limiting the scope of other Information Elements.

7.142.  templateId

   elementId: TBD
   name: templateId
   dataType: unsigned16
   status: current
   description: An identifier of a Template that is locally unique
                within a combination of a Transport session and an
                Observation Domain.

                Template IDs 0-255 are reserved for Template Sets,
                Options Template Sets, and other reserved Sets yet
                to be created. Template IDs of Data Sets are
                numbered from 256 to 65535.

                Typically, this Information Element is used for
                limiting the scope of other Information Elements.
                Note that after a re-start of the Exporting Process
                Template identifiers may be re-assigned.

7.143.  collectorIPv4Address

   elementId: TBD
   name: collectorIPv4Address
   dataType: ipv4Address
   status: current
   description: An IPv4 address to which the Exporting Process sends
                Flow information.

7.144.  collectorIPv6Address

   elementId: TBD
   name: collectorIPv6Address
   dataType: ipv6Address
   status: current
   description: An IPv6 address to which the Exporting Process sends
                Flow information.

7.145.  informationElementIndex

   elementId: TBD
   name: informationElementIndex
   dataType: unsigned16
   status: current
   description: A zero-based index of an Information Element
                referenced by informationElementId within a Template
                referenced by templateId; used to disambiguate
                scope for templates containing multiple identical
                Information Elements.

7.146.  informationElementId

   elementId: TBD
   name: informationElementId
   dataType: unsigned16
   status: current
   description: This Information Element contains the ID of another
                Information Element.

7.147.  informationElementDataType

   elementId: TBD
   name: informationElementDataType
   dataType: unsigned8
   status: current
   description: A description of the abstract data type of an IPFIX
                information element. These are taken from the
                abstract data types defined in section 3.1 of the
                IPFIX Information Model [RFC5102]; see that section
                for more information on the types described in the
                informationElementDataType sub-registry.

                These types are registered in the IANA IPFIX
                Information Element Data Type subregistry.  This
                subregistry is intended to assign numbers for type
                names, not to provide a mechanism for adding data
                types to the IPFIX Protocol, and as such requires a
                Standards Action [RFC5226] to modify.

7.148.  informationElementDescription

   elementId: TBD
   name: informationElementDescription
   dataType: string
   status: current
   description: A UTF-8 [RFC3629] encoded Unicode string containing
                a human-readable description of an Information
                Element.  The content of the
                informationElementDescription MAY be annotated with
                one or more language tags [RFC4646], encoded
                in-line [RFC2482] within the UTF-8 string, in order
                to specify the language in which the description is
                written.  Description text in multiple languages MAY
                tag each section with its own language tag; in this
                case, the description information in each language
                SHOULD have equivalent meaning.  In the absence of
                any language tag, the "i-default" [RFC2277] language
                SHOULD be assumed.  See the Security Considerations
                section for notes on string handling for Information
                Element type records.

7.149.  informationElementName

   elementId: TBD
   name: informationElementName
   dataType: string
   status: current
   description: A UTF-8 [RFC3629] encoded Unicode string containing
                the name of an Information Element, intended as a
                simple identifier.  See the Security Considerations
                section for notes on string handling for Information
                Element type records.

7.150.  informationElementRangeBegin

   elementId: TBD
   name: informationElementRangeBegin
   dataType: unsigned64
   status: current
   description: Contains the inclusive low end of the range of
                acceptable values for an Information Element.

7.151.  informationElementRangeEnd

   elementId: TBD
   name: informationElementRangeEnd
   dataType: unsigned64
   status: current
   description: Contains the inclusive high end of the range of
                acceptable values for an Information Element.

7.152.  informationElementSemantics

   elementId: TBD
   name: informationElementSemantics
   dataType: unsigned8
   status: current
   description: A description of the semantics of an IPFIX
                Information Element.  These are taken from the data
                type semantics defined in section 3.2 of the IPFIX
                Information Model [RFC5102]; see that section for
                more information on the types defined in the
                informationElementSemantics sub-registry.  This
                field may take the values in Table ; the special
                value 0x00 (default) is used to note that no
                semantics apply to the field; it cannot be
                manipulated by a Collecting Process or File Reader
                that does not understand it a priori.

                These semantics are registered in the IANA IPFIX
                Information Element Semantics subregistry.  This
                subregistry is intended to assign numbers for
                semantics names, not to provide a mechanism for
                adding semantics to the IPFIX Protocol, and as such
                requires a Standards Action [RFC5226] to modify.

7.153.  informationElementUnits

   elementId: TBD
   name: informationElementUnits
   dataType: unsigned16
   status: current
   description: A description of the units of an IPFIX Information
                Element.  These correspond to the units implicitly
                defined in the Information Element definitions in
                section 5 of the IPFIX Information Model [RFC5102];
                see that section for more information on the types
                described in the informationElementsUnits
                sub-registry. This field may take the values in
                Table 3 below; the special value 0x00 (none) is
                used to note that the field is unitless.

                These types are registered in the IANA IPFIX
                Information Element Units subregistry; new types
                may be added on a First Come First Served [RFC5226]
                basis.

7.154.  applicationCategoryName

   elementId: TBD
   name: applicationCategoryName
   dataType: string
   status: current
   description: An attribute that provides a first level
                categorization for each Application ID.

7.155.  mibObjectValueInteger

   elementId: TBD
   name: mibObjectValueInteger
   dataType: signed64
   status: current
   description: An IPFIX Information Element which denotes that the
                integer value of a MIB object will be exported.
                The MIB Object Identifier ("mibObjectIdentifier")
                for this field MUST be exported in a MIB Field
                Option or via another means.  This Information
                Element is used for MIB objects with the Base
                Syntax of Integer32 and INTEGER with IPFIX Reduced
                Size Encoding used as required. The value is
                encoded as per the standard IPFIX Abstract Data Type
                of signed64.

7.156.  mibObjectValueOctetString

   elementId: TBD
   name: mibObjectValueOctetString
   dataType: octetArray
   status: current
   description: An IPFIX Information Element which denotes that an
                Octet String or Opaque value of a MIB object will
                be exported. The MIB Object Identifier
                ("mibObjectIdentifier") for this field MUST be
                exported in a MIB Field Option or via another means.
                This Information Element is used for MIB objects
                with the Base Syntax of OCTET STRING and Opaque. The
                value is encoded as per the standard IPFIX Abstract
                Data Type of octetArray.

7.157.  mibObjectValueOID

   elementId: TBD
   name: mibObjectValueOID
   dataType: octetArray
   status: current
   description: An IPFIX Information Element which denotes that an
                Object Identifier or OID value of a MIB object will
                be exported. The MIB Object Identifier
                ("mibObjectIdentifier") for this field MUST be
                exported in a MIB Field Option or via another means.
                This Information Element is used for MIB objects
                with the Base Syntax of OBJECT IDENTIFIER.  Note -
                In this case the "mibObjectIdentifier" will define
                which MIB object is being exported while the value
                contained in this Information Element will be an
                OID as a value.  The mibObjectValueOID Information
                Element is encoded as ASN.1/BER [BER] in an
                octetArray.

7.158.  mibObjectValueBits

   elementId: TBD
   name: mibObjectValueBits
   dataType: octetArray
   status: current
   description: An IPFIX Information Element which denotes that a
                set of Enumerated flags or bits from a MIB object
                will be exported. The MIB Object Identifier
                ("mibObjectIdentifier") for this field MUST be
                exported in a MIB Field Option or via another means.
                This Information Element is used for MIB objects
                with the Base Syntax of BITS.  The flags or bits are
                encoded as per the standard IPFIX Abstract Data Type
                of octetArray, with sufficient length to accommodate
                the required number of bits.  If the number of bits
                is not an integer multiple of octets then the most
                significant bits at the end of the octetArray MUST be
                set to zero.

7.159.  mibObjectValueIPAddress

   elementId: TBD
   name: mibObjectValueIPAddress
   dataType: ipv4Address
   status: current
   description: An IPFIX Information Element which denotes that the
                IPv4 Address of a MIB object will be exported.  The
                MIB Object Identifier ("mibObjectIdentifier") for
                this field MUST be exported in a MIB Field Option
                or via another means.  This Information Element is
                used for MIB objects with the Base Syntax of
                IPaddress. The value is encoded as per the standard
                IPFIX Abstract Data Type of ipv4Address.

7.160.  mibObjectValueCounter

   elementId: TBD
   name: mibObjectValueCounter
   dataType: unsigned64
   status: current
   description: An IPFIX Information Element which denotes that the
                counter value of a MIB object will be exported.
                The MIB Object Identifier ("mibObjectIdentifier")
                for this field MUST be exported in a MIB Field
                Option or via another means.  This Information
                Element is used for MIB objects with the Base
                Syntax of Counter32 or Counter64 with IPFIX Reduced
                Size Encoding used as required. The value is encoded
                as per the standard IPFIX Abstract Data Type
                of unsigned64.

7.161.  mibObjectValueGauge

   elementId: TBD
   name: mibObjectValueGauge
   dataType: unsigned32
   status: current
   description: An IPFIX Information Element which denotes that the
                Gauge value of a MIB object will be exported.  The
                MIB Object Identifier ("mibObjectIdentifier") for
                this field MUST be exported in a MIB Field Option
                or via another means.  This Information Element is
                used for MIB objects with the Base Syntax of Gauge32.
                The value is encoded as per the standard IPFIX
                Abstract Data Type of unsigned64.  This value will
                represent a non-negative integer, which may increase
                or decrease, but shall never exceed a maximum
                value, nor fall below a minimum value.

7.162.  mibObjectValueTimeTicks

   elementId: TBD
   name: mibObjectValueTimeTicks
   dataType: unsigned32
   status: current
   description: An IPFIX Information Element which denotes that the
                TimeTicks value of a MIB object will be exported.
                The MIB Object Identifier ("mibObjectIdentifier")
                for this field MUST be exported in a MIB Field
                Option or via another means.  This Information
                Element is used for MIB objects with the Base
                Syntax of TimeTicks. The value is encoded as per
                the standard IPFIX Abstract Data Type of unsigned32.

7.163.  mibObjectValueUnsigned

   elementId: TBD
   name: mibObjectValueUnsigned
   dataType: unsigned64
   status: current
   description: An IPFIX Information Element which denotes that an
                unsigned integer value of a MIB object will be
                exported.  The MIB Object Identifier
                ("mibObjectIdentifier") for this field MUST be
                exported in a MIB Field Option or via another means.
                This Information Element is used for MIB objects
                with the Base Syntax of unsigned64 with IPFIX
                Reduced Size Encoding used as required. The value is
                encoded as per the standard IPFIX Abstract Data Type
                of unsigned64.

7.164.  mibObjectValueTable

   elementId: TBD
   name: mibObjectValueTable
   dataType: orderedList
   status: current
   description: An IPFIX Information Element which denotes that a
                complete or partial conceptual table will be
                exported.  The MIB Object Identifier
                ("mibObjectIdentifier") for this field MUST be
                exported in a MIB Field Option or via another means.
                This Information Element is used for MIB objects
                with a SYNTAX of SEQUENCE.  This is encoded as a
                subTemplateList of mibObjectValue Information
                Elements.  The template specified in the
                subTemplateList MUST be an Options Template and
                MUST include all the Objects listed in the INDEX
                clause as Scope Fields.
   structure:   orderedList(mibObjectValueRow+)

7.165.  mibObjectValueRow

   elementId: TBD
   name: mibObjectValueRow
   dataType: orderedList
   status: current
   description: An IPFIX Information Element which denotes that a
                single row of a conceptual table will be exported.
                The MIB Object Identifier ("mibObjectIdentifier")
                for this field MUST be exported in a MIB Field
                Option or via another means.  This Information
                Element is used for MIB objects with a SYNTAX of
                SEQUENCE.  This is encoded as a subTemplateList of
                mibObjectValue Information Elements.  The
                subTemplateList exported MUST contain exactly one
                row (i.e., one instance of the subtemplate).  The
                template specified in the subTemplateList MUST be
                an Options Template and MUST include all the
                Objects listed in the INDEX clause as Scope Fields.
   structure:   orderedList(mibObjectValue+)


7.166.  mibObjectIdentifier

   elementId: TBD
   name: mibObjectIdentifier
   dataType: octetArray
   status: current
   description: An IPFIX Information Element which denotes that a
                MIB Object Identifier (MIB OID) is exported in the
                (Options) Template Record.  The mibObjectIdentifier
                Information Element contains the OID assigned to
                the MIB Object Type Definition encoded as
                ASN.1/BER [BER].

7.167.  mibSubIdentifier

   elementId: TBD
   name: mibSubIdentifier
   dataType: unsigned32
   status: current
   description: A non-negative sub-identifier of an Object
                Identifier (OID).

7.168.  mibIndexIndicator

   elementId: TBD
   name: mibIndexIndicator
   dataType: unsigned64
   status: current
   description: This set of bit fields is used for marking the
                Information Elements of a Data Record that serve as
                INDEX MIB objects for an indexed Columnar MIB
                object.  Each bit represents an Information Element
                in the Data Record with the n-th bit representing
                the n-th Information Element.  A bit set to value 1
                indicates that the corresponding Information Element
                is an index of the Columnar Object represented by
                the mibFieldValue.  A bit set to value 0 indicates
                that this is not the case.

                If the Data Record contains more than 64
                Information Elements, the corresponding Template
                SHOULD be designed such that all INDEX
                Fields are among the first 64 Information Elements,
                because the mibIndexIndicator only contains 64 bits.
                If the Data Record contains less than 64
                Information Elements, then the extra bits in the
                mibIndexIndicator for which no corresponding
                Information Element exists MUST have the value 0,
                and must be disregarded by the Collector.  This
                Information Element may be exported with
                IPFIX Reduced Size Encoding.
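
   The following Python example is added here for illustration and is
   not part of this draft.  It shows a Collector-side decoder for
   mibIndexIndicator that accepts Reduced Size Encoding and disregards
   bits with no corresponding Information Element.  It assumes the
   first Information Element maps to the least significant bit (the
   description above says only "n-th bit"); the function names and the
   sample template are constructed for the example.

```python
from typing import List, NamedTuple, Sequence, Tuple

MAX_INDICATOR_BITS = 64  # mibIndexIndicator is an unsigned64


class IndexSplit(NamedTuple):
    index_fields: List[str]   # Information Elements flagged as INDEX
    value_fields: List[str]   # all remaining Information Elements
    stray_bits: int           # bits set where no Information Element exists


def index_positions(raw: bytes, field_count: int) -> Tuple[List[int], int]:
    """Decode a mibIndexIndicator into zero-based field positions.

    raw is the field as received: 1 to 8 octets in network byte order, so
    a reduced-size encoding is widened back to the full 64-bit value.
    Returns (positions, stray_bits). Stray bits are disregarded for the
    positions but reported, since the Exporter MUST have left them at 0.
    """
    if not 1 <= len(raw) <= 8:
        raise ValueError("mibIndexIndicator must be 1 to 8 octets long")
    if field_count < 1:
        raise ValueError("a Data Record has at least one Information Element")
    value = int.from_bytes(raw, "big")
    # Only the first 64 Information Elements can be represented at all.
    usable = min(field_count, MAX_INDICATOR_BITS)
    mask = (1 << usable) - 1
    # Assumption: bit n (counting from the least significant bit, n = 0)
    # stands for the Information Element at zero-based position n.
    positions = [n for n in range(usable) if (value >> n) & 1]
    return positions, value & ~mask


def split_record_fields(field_names: Sequence[str], raw: bytes) -> IndexSplit:
    """Partition a template's fields into INDEX fields and the rest."""
    positions, stray = index_positions(raw, len(field_names))
    flagged = set(positions)
    return IndexSplit(
        [name for n, name in enumerate(field_names) if n in flagged],
        [name for n, name in enumerate(field_names) if n not in flagged],
        stray,
    )


# Constructed sample: a three-field record whose first field is the INDEX.
SAMPLE_TEMPLATE = ["ifIndex", "ifInOctets", "ifOutOctets"]

if __name__ == "__main__":
    print(split_record_fields(SAMPLE_TEMPLATE, b"\x01"))
    # Same record, but the Exporter wrongly set a bit with no matching field.
    print(split_record_fields(SAMPLE_TEMPLATE, b"\x81"))
```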

7.169.  mibCaptureTimeSemantics

   elementId: TBD
   name: mibCaptureTimeSemantics
   dataType: unsigned8
   status: current
   description: Indicates when in the lifetime of the flow the MIB
                value was retrieved from the MIB for a
                mibObjectIdentifier.  This is used to indicate if
                the value exported was collected from the MIB
                closer to flow creation or flow export time and
                will refer to the Timestamp fields included in the
                same record.  This field SHOULD be used when
                exporting a mibObjectValue that specifies counters
                or statistics.

                If the MIB value was sampled by SNMP prior to the
                IPFIX Metering Process or Exporting Process
                retrieving the value (i.e., the data is already
                stale) and it's important to know the exact sampling
                time, then an additional observationTime* element
                should be paired with the OID using structured data.
                Similarly, if different mibCaptureTimeSemantics
                apply to different mibObject elements within the
                Data Record, then individual mibCaptureTimeSemantics
                should be paired with each OID using structured data.

                Values:
                0.  undefined
                1.  begin - The value for the MIB object is captured
                from the MIB when the Flow is first observed
                2.  end - The value for the MIB object is captured
                from the MIB when the Flow ends
                3.  export - The value for the MIB object is
                captured from the MIB at export time
                4.  average - The value for the MIB object is an
                average of multiple captures from the MIB over the
                observed life of the Flow

7.170.  mibContextEngineID

   elementId: TBD
   name: mibContextEngineID
   dataType: octetArray
   status: current
   description: A mibContextEngineID that specifies the SNMP engine
                ID for a MIB field being exported over IPFIX.
                Definition as per [RFC3411] section 3.3.

7.171.  mibContextName

   elementId: TBD
   name: mibContextName
   dataType: string
   status: current
   description: This Information Element denotes that a MIB Context
                Name is specified for a MIB field being exported
                over IPFIX. Reference [RFC3411] section 3.3.

7.172.  mibObjectName

   elementId: TBD
   name: mibObjectName
   dataType: string
   status: current
   description: The name (called a descriptor in [RFC2578])
                of an object type definition.

7.173.  mibObjectDescription

   elementId: TBD
   name: mibObjectDescription
   dataType: string
   status: current
   description: The value of the DESCRIPTION clause of an MIB object
                type definition.

7.174.  mibObjectSyntax

   elementId: TBD
   name: mibObjectSyntax
   dataType: string
   status: current
   description: The value of the SYNTAX clause of an MIB object type
                definition, which may include a Textual Convention
                or Subtyping. See [RFC2578].

7.175.  mibModuleName

   elementId: TBD
   name: mibModuleName
   dataType: string
   status: current
   description: The textual name of the MIB module that defines a MIB
                Object.

7.176.  interface

   elementId: TBD
   name: interface
   dataType: list
   structure: list (interfaceName, hwAddress, inetAddr, netmask)
   status: current
   description: Represents an interface and its configuration
   options.

7.177.  iflisteners

   elementId: TBD
   name: iflisteners
   dataType: list
   structure: list (interfaceName, physicalProtocol, hwAddress,
         programName, pid, userId)
   status: current
   description: Stores the results of checking for applications that
   are bound to an Ethernet interface on the system.

7.178.  physicalProtocol

   elementId: TBD
   name: physicalProtocol
   dataType: enumeration
   structure:
   ETH_P_LOOP ; 0x1 ; Ethernet loopback packet.
   ETH_P_PUP ; 0x2 ; Xerox PUP packet.
   ETH_P_PUPAT ; 0x3 ; Xerox PUP Address Transport packet.
   ETH_P_IP ; 0x4 ; Internet protocol packet.
   ETH_P_X25 ; 0x5 ; CCITT X.25 packet.
   ETH_P_ARP ; 0x6 ; Address resolution packet.
   ETH_P_BPQ ; 0x7 ; G8BPQ AX.25 ethernet packet.
   ETH_P_IEEEPUP ; 0x8 ; Xerox IEEE802.3 PUP packet.
   ETH_P_IEEEPUPAT ; 0x9 ; Xerox IEEE802.3 PUP address transport
                           packet.
   ETH_P_DEC ; 0xA ; DEC assigned protocol.
   ETH_P_DNA_DL ; 0xB ; DEC DNA Dump/Load.
   ETH_P_DNA_RC ; 0xC ; DEC DNA Remote Console.
   ETH_P_DNA_RT ; 0xD ; DEC DNA Routing.
   ETH_P_LAT ; 0xE ; DEC LAT.
   ETH_P_DIAG ; 0xF ; DEC Diagnostics.
   ETH_P_CUST ; 0x10 ; DEC Customer use.
   ETH_P_SCA ; 0x11 ; DEC Systems Comms Arch.
   ETH_P_RARP ; 0x12 ; Reverse address resolution packet.
   ETH_P_ATALK ; 0x13 ; Appletalk DDP.
   ETH_P_AARP ; 0x14 ; Appletalk AARP.
   ETH_P_8021Q ; 0x15 ; 802.1Q VLAN Extended Header.
   ETH_P_IPX ; 0x16 ; IPX over DIX.
   ETH_P_IPV6 ; 0x17 ; IPv6 over bluebook.
   ETH_P_SLOW ; 0x18 ; Slow Protocol. See 802.3ad 43B.
   ETH_P_WCCP ; 0x19 ; Web-cache coordination protocol.
   ETH_P_PPP_DISC ; 0x1A ; PPPoE discovery messages.
   ETH_P_PPP_SES ; 0x1B ; PPPoE session messages.
   ETH_P_MPLS_UC ; 0x1C ; MPLS Unicast traffic.
   ETH_P_MPLS_MC ; 0x1D ; MPLS Multicast traffic.
   ETH_P_ATMMPOA ; 0x1E ; MultiProtocol Over ATM.
   ETH_P_ATMFATE ; 0x1F ; Frame-based ATM Transport over Ethernet.
   ETH_P_AOE ; 0x20 ; ATA over Ethernet.
   ETH_P_TIPC ; 0x21 ; TIPC.
   ETH_P_802_3 ; 0x22 ; Dummy type for 802.3 frames.
   ETH_P_AX25 ; 0x23 ; Dummy protocol id for AX.25.
   ETH_P_ALL ; 0x24 ; Every packet.
   ETH_P_802_2 ; 0x25 ; 802.2 frames.
   ETH_P_SNAP ; 0x26 ; Internal only.
   ETH_P_DDCMP ; 0x27 ; DEC DDCMP: Internal only
   ETH_P_WAN_PPP ; 0x28 ; Dummy type for WAN PPP frames.
   ETH_P_PPP_MP ; 0x29 ; Dummy type for PPP MP frames.
   ETH_P_PPPTALK ; 0x2A ; Dummy type for Atalk over PPP.
   ETH_P_LOCALTALK ; 0x2B ; Localtalk pseudo type.
   ETH_P_TR_802_2 ; 0x2C ; 802.2 frames.
   ETH_P_MOBITEX ; 0x2D ; Mobitex.
   ETH_P_CONTROL ; 0x2E ; Card specific control frames.
   ETH_P_IRDA ; 0x2F ; Linux-IrDA.
   ETH_P_ECONET ; 0x30 ; Acorn Econet.
   ETH_P_HDLC ; 0x31 ; HDLC frames.
   ETH_P_ARCNET ; 0x32 ; 1A for ArcNet.
                ; 0x33 ; The empty string value is permitted here
                to allow for detailed error reporting.
   status: current
   description: The physical layer protocol used by the AF_PACKET
   socket.

7.179.  hwAddress

   elementId: TBD
   name: hwAddress
   dataType: string
   status: current
   description: The hardware address associated
         with the interface.

7.180.  programName

   elementId: TBD
   name: programName
   dataType: string
   status: current
   description: The name of the communicating
         program.

7.181.  userId

   elementId: TBD
   name: userId
   dataType: unsigned32
   status: current
   description: The numeric user id.

7.182.  inetlisteningserver

   elementId: TBD
   name: inetlisteningserver
   dataType: list
   structure: list (transportProtocol, localAddress,
         localPort, localFullAddress, programName, foreignAddress,
         foreignPort, foreignFullAddress, pid, userId)
   status: current
   description: Stores the results of checking for network servers
   currently active on a system. It holds information pertaining to
   a specific protocol-address-port combination.

7.183.  transportProtocol

   elementId: TBD
   name: transportProtocol
   dataType: string
   status: current
   description: The transport-layer
         protocol (tcp or udp).

7.184.  localAddress

   elementId: TBD
   name: localAddress
   dataType: ipAddress
   status: current
   description: This is the IP address being listened to. Note that
   the IP address can be IPv4 or IPv6.

7.185.  localPort

   elementId: TBD
   name: localPort
   dataType: unsigned32
   status: current
   description: This is the TCP or UDP port
         being listened to.

7.186.  localFullAddress

   elementId: TBD
   name: localFullAddress
   dataType: string
   status: current
   description: The IP address and network port on which the program
   listens, including the local address and the local port. Note
   that the IP address can be IPv4 or IPv6.

7.187.  foreignAddress

   elementId: TBD
   name: foreignAddress
   dataType: ipAddress
   status: current
   description: The IP address with which the program is
   communicating, or with which it will communicate. Note that the
   IP address can be IPv4 or IPv6.

7.188.  foreignFullAddress

   elementId: TBD
   name: foreignFullAddress
   dataType: ipAddress
   status: current
   description: The IP address and network port to which the program
   is communicating or will accept communications from, including
   the foreign address and foreign port. Note that the IP address
   can be IPv4 or IPv6.

7.189.  selinuxboolean

   elementId: TBD
   name: selinuxboolean
   dataType: list
   structure: list (selinuxName, currentStatus,
         pendingStatus)
   status: current
   description: Describes the current and pending status of a
   SELinux boolean.

7.190.  selinuxName

   elementId: TBD
   name: selinuxName
   dataType: string
   status: current
   description: The name of the SELinux
         boolean.

7.191.  currentStatus

   elementId: TBD
   name: currentStatus
   dataType: boolean
   status: current
   description: Indicates current state of
         the specified SELinux boolean.

7.192.  pendingStatus

   elementId: TBD
   name: pendingStatus
   dataType: boolean
   status: current
   description: Indicates the pending
         state of the specified SELinux boolean.

7.193.  selinuxsecuritycontext

   elementId: TBD
   name: selinuxsecuritycontext
   dataType: list
   structure: list (filepath, path, filename, pid,
         username, role, domainType, lowSensitivity, lowCategory,
         highSensitivity, highCategory, rawlowSensitivity,
         rawlowCategory, rawhighSensitivity, rawhighCategory)
   status: current
   description: Describes the SELinux security
         context of a file or process on the local system.

7.194.  filepath

   elementId: TBD
   name: filepath
   dataType: string
   status: current
   description: Specifies the absolute path for a file on the
   machine. A directory cannot be specified as a filepath.

7.195.  path

   elementId: TBD
   name: path
   dataType: string
   status: current
   description: Specifies the directory component of
         the absolute path to a file on the machine.

7.196.  filename

   elementId: TBD
   name: filename
   dataType: string
   status: current
   description: The name of the file.

7.197.  pid

   elementId: TBD
   name: pid
   dataType: unsigned32
   status: current
   description: The process ID of the
         process.

7.198.  role

   elementId: TBD
   name: role
   dataType: string
   status: current
   description: Specifies the types that a process
         may transition to (domain transitions).

7.199.  domainType

   elementId: TBD
   name: domainType
   dataType: string
   status: current
   description: Specifies the domain in which the file is accessible
   or the domain in which a process executes.

7.200.  lowSensitivity

   elementId: TBD
   name: lowSensitivity
   dataType: string
   status: current
   description: Specifies the current sensitivity of a file or
   process.

7.201.  lowCategory

   elementId: TBD
   name: lowCategory
   dataType: string
   status: current
   description: Specifies the set of
         categories associated with the low sensitivity.

7.202.  highSensitivity

   elementId: TBD
   name: highSensitivity
   dataType: string
   status: current
   description: Specifies the maximum
         range for a file or the clearance for a process.

7.203.  highCategory

   elementId: TBD
   name: highCategory
   dataType: string
   status: current
   description: Specifies the set of
         categories associated with the high sensitivity.

7.204.  rawlowSensitivity

   elementId: TBD
   name: rawlowSensitivity
   dataType: string
   status: current
   description: Specifies the current sensitivity of a file or
   process but in its raw context.

7.205.  rawlowCategory

   elementId: TBD
   name: rawlowCategory
   dataType: string
   status: current
   description: Specifies the set of categories associated with the
   low sensitivity but in its raw context.

7.206.  rawhighSensitivity

   elementId: TBD
   name: rawhighSensitivity
   dataType: string
   status: current
   description: Specifies the maximum range for a file or the
   clearance for a process but in its raw context.

7.207.  rawhighCategory

   elementId: TBD
   name: rawhighCategory
   dataType: string
   status: current
   description: Specifies the set of categories associated with the
   high sensitivity but in its raw context.

7.208.  systemdunitdependency

   elementId: TBD
   name: systemdunitdependency
   dataType: list
   structure: list (unit, dependency)
   status: current

   description: Stores the dependencies of the systemd
   unit.

7.209.  unit

   elementId: TBD
   name: unit
   dataType: string
   status: current
   description: Refers to the full systemd unit name, which has a
   form of "$name.$type". For example "cupsd.service". This name is
   usually also the filename of the unit configuration file.

7.210.  dependency

   elementId: TBD
   name: dependency
   dataType: string
   status: current
   description: Refers to the name of a unit that was confirmed to
   be a dependency of the given unit.

7.211.  systemdunitproperty

   elementId: TBD
   name: systemdunitproperty
   dataType: list
   structure: list (unit, property, systemdunitValue)

   status: current
   description: Stores the properties and values of a systemd unit.

7.212.  property

   elementId: TBD
   name: property
   dataType: string
   status: current
   description: The property associated with a
         systemd unit.

7.213.  systemdunitValue

   elementId: TBD
   name: systemdunitValue
   dataType: string
   status: current
   description: The value of the property associated with a systemd
   unit. Exactly one value shall be used for all property types
   except dbus arrays - each array element shall be represented by
   one value.

7.214.  file

   elementId: TBD
   name: file
   dataType: list
   structure: list (filepath, path, filename, fileType, userId,
   aTime, cTime, mTime, size)
   status: current
   description: The metadata associated with a file on the endpoint.

7.215.  fileType

   elementId: TBD
   name: fileType
   dataType: string
   status: current
   description: The file's type (e.g., regular file (regular),
   directory, named pipe (fifo), symbolic link, socket or block
   special.)

7.216.  groupId

   elementId: TBD
   name: groupId
   dataType: unsigned32
   status: current
   description: The group owner of the file, by
         group number.

7.217.  aTime

   elementId: TBD
   name: aTime
   dataType: dateTimeSeconds
   status: current
   description: The time that the file was last
         accessed.

7.218.  cTime

   elementId: TBD
   name: cTime
   dataType: dateTimeSeconds
   status: current
   description: The time of the last change
         to the file's inode.

7.219.  mTime

   elementId: TBD
   name: mTime
   dataType: dateTimeSeconds
   status: current
   description: The time of the last change to
         the file's contents.

7.220.  size

   elementId: TBD
   name: size
   dataType: unsigned32
   status: current
   description: This is the size of the file in
         bytes.

7.221.  suid

   elementId: TBD
   name: suid
   dataType: boolean
   status: current
   description: Indicates whether the program runs with the uid
   (thus privileges) of the file's owner, rather than the calling
   user.

7.222.  sgid

   elementId: TBD
   name: sgid
   dataType: boolean
   status: current
   description: Indicates whether the program runs with the gid
   (thus privileges) of the file's group owner, rather than the
   calling user's group.

7.223.  sticky

   elementId: TBD
   name: sticky
   dataType: boolean
   status: current
   description: Indicates whether users can delete each other's
   files in this directory, when said directory is writable by
   those users.

7.224.  hasExtendedAcl

   elementId: TBD
   name: hasExtendedAcl
   dataType: boolean
   status: current
   description: Indicates whether the file or directory has ACL
   permissions applied to it. If a system supports ACLs and the
   file or directory doesn't have an ACL, or it matches the standard
   UNIX permissions, the entity will have a status of 'exists' and
   a value of 'false'. If the system supports ACLs and the file or
   directory has an ACL, the entity will have a status of 'exists'
   and a value of 'true'. Lastly, if a system doesn't support ACLs,
   the entity will have a status of 'does not exist'.
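
The following added example (not part of the draft) shows how a collector could populate the file element and the neighbouring groupId, suid, sgid and sticky elements from a POSIX stat result. The function names, the sample paths and stat tuples, and the handling of directories (no filepath, path set to the directory itself) are assumptions made for illustration.

```python
import os
import stat
from datetime import datetime, timezone

# fileType names follow the examples given in the fileType description.
FILE_TYPES = (
    (stat.S_ISREG, "regular"),
    (stat.S_ISDIR, "directory"),
    (stat.S_ISFIFO, "fifo"),
    (stat.S_ISLNK, "symbolic link"),
    (stat.S_ISSOCK, "socket"),
    (stat.S_ISBLK, "block special"),
)

# Constructed stat tuples, in os.stat_result order:
# (mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime)
T = 1493251200  # 2017-04-27T00:00:00Z
CONSTRUCTED_STATS = {
    "/usr/bin/passwd": (stat.S_IFREG | 0o4755, 1, 1, 1, 0, 0, 59976, T, T, T),
    "/usr/bin/wall": (stat.S_IFREG | 0o2755, 2, 1, 1, 0, 5, 30800, T, T, T),
    "/etc/hostname": (stat.S_IFREG | 0o0644, 3, 1, 1, 0, 0, 9, T, T, T),
    "/tmp": (stat.S_IFDIR | 0o1777, 4, 1, 9, 0, 0, 4096, T, T, T),
}


def _utc(seconds):
    """Render whole seconds since the epoch as a UTC timestamp string."""
    moment = datetime.fromtimestamp(int(seconds), tz=timezone.utc)
    return moment.strftime("%Y-%m-%dT%H:%M:%SZ")


def file_item(abs_path, st):
    """Build one file record from an absolute path and its stat result."""
    mode = st[stat.ST_MODE]
    file_type = next((name for test, name in FILE_TYPES if test(mode)), "")
    is_dir = file_type == "directory"
    return {
        # A directory cannot be specified as a filepath (see 7.194), so a
        # directory is reported through path only (assumption of this example).
        "filepath": None if is_dir else abs_path,
        "path": abs_path if is_dir else os.path.dirname(abs_path),
        "filename": None if is_dir else os.path.basename(abs_path),
        "fileType": file_type,
        "userId": st[stat.ST_UID],
        "groupId": st[stat.ST_GID],
        "aTime": _utc(st[stat.ST_ATIME]),
        "cTime": _utc(st[stat.ST_CTIME]),
        "mTime": _utc(st[stat.ST_MTIME]),
        "size": st[stat.ST_SIZE],
        "suid": bool(mode & stat.S_ISUID),
        "sgid": bool(mode & stat.S_ISGID),
        "sticky": bool(mode & stat.S_ISVTX),
    }


def collect(path):
    """Collect a live record; lstat() reports a symlink itself, not its target."""
    return file_item(os.path.abspath(path), os.lstat(path))


def constructed_items():
    """Records built from the constructed stat tuples above."""
    return [file_item(p, os.stat_result(s)) for p, s in CONSTRUCTED_STATS.items()]


def setid_inventory(items):
    """Regular files that run with their owner's uid or group owner's gid."""
    return [
        item["filepath"]
        for item in items
        if item["fileType"] == "regular" and (item["suid"] or item["sgid"])
    ]


if __name__ == "__main__":
    for record in constructed_items():
        print(record)
    print("set-id programs:", setid_inventory(constructed_items()))
```

Comparing the output of setid_inventory() between two collection runs gives an assessor a direct view of set-id programs that appeared or disappeared on the endpoint.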

7.225.  inetd

   elementId: TBD
   name: inetd
   dataType: list
   structure: list (serviceProtocol, serviceName, serverProgram,
         serverArguments, inetdEndpointType, execAsUser, waitStatus)
   status: current
   description: Holds information associated
         with different Internet services.

7.226.  serverProgram

   elementId: TBD
   name: serverProgram
   dataType: string
   status: current
   description: Either the pathname of a server program to be
   invoked by inetd to perform the requested service, or the value
   'internal' if inetd itself provides the service.

7.227.  inetdEndpointType

   elementId: TBD
   name: inetdEndpointType
   dataType: enumeration
   structure:
   stream ; 0x1 ; The stream value is used to describe a stream
   socket.
   dgram ; 0x2 ; The dgram value is used to describe a datagram
   socket.
   raw ; 0x3 ; The raw value is used to describe a raw socket.
   seqpacket ; 0x4 ; The seqpacket value is used to describe a
   sequenced packet socket.
   tli ; 0x5 ; The tli value is used to describe all TLI endpoints.
   sunrpc_tcp ; 0x6 ; The sunrpc_tcp value is used to describe all
   SUNRPC TCP endpoints.
   sunrpc_udp ; 0x7 ; The sunrpc_udp value is used to describe all
   SUNRPC UDP endpoints.
    ; 0x8 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The endpoint type (aka, socket type) associated with
   the service.

7.228.  execAsUser

   elementId: TBD
   name: execAsUser
   dataType: string
   status: current
   description: The user id of the user the
         server program should run under.

7.229.  waitStatus

   elementId: TBD
   name: waitStatus
   dataType: enumeration
   structure: wait ; 0x1 ; The value of 'wait' specifies that the
   server that is invoked by inetd will take over the listening
   socket associated with the service, and once launched, inetd will
   wait for that server to exit, if ever, before it resumes
   listening for new service requests.

   nowait ; 0x2 ; The value of 'nowait' specifies that the server
   that is invoked by inetd will not wait for any existing server
   to finish before taking over the listening socket associated with
   the service.

   ; 0x3 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Specifies whether the server that is invoked by
   inetd will take over the listening socket associated with the
   service, and whether once launched, inetd will wait for that
   server to exit, if ever, before it resumes listening for new
   service requests. The legal values are "wait" or "nowait".

7.230.  inetAddr

   elementId: TBD
   name: inetAddr
   dataType: ipAddress
   status: current
   description: The IP address of the specific interface. Note that
   the IP address can be IPv4 or IPv6.

7.231.  netmask

   elementId: TBD
   name: netmask
   dataType: ipAddress
   status: current
   description: The bitmask used to calculate
         the interface's IP network.

7.232.  passwordInfo

   elementId: TBD
   name: passwordInfo
   dataType: list
   structure: list (username, password, userId, groupId, gcos,
         homeDir, loginShell, lastLogin)
   status: current
   description: Describes user account information for a
         system.

7.233.  username

   elementId: TBD
   name: username
   dataType: string
   status: current
   description: The name of the user.

7.234.  password

   elementId: TBD
   name: password
   dataType: string
   status: current
   description: The encrypted version of the
         user's password.

7.235.  gcos

   elementId: TBD
   name: gcos
   dataType: string
   status: current
   description:

7.236.  homeDir

   elementId: TBD
   name: homeDir
   dataType: string
   status: current
   description: The user's home
         directory.

7.237.  loginShell

   elementId: TBD
   name: loginShell
   dataType: string
   status: current
   description: The user's shell
         program.

7.238.  lastLogin

   elementId: TBD
   name: lastLogin
   dataType: unsigned32
   status: current
   description: The date and time when the
         last login occurred.

7.239.  process

   elementId: TBD
   name: process
   dataType: list
   structure: list (commandLine, pid, ppid, priority, startTime)

   status: current
   description: Information about a process running on an endpoint.

7.240.  commandLine

   elementId: TBD
   name: commandLine
   dataType: string
   status: current
   description: The string used to start the
         process. This includes any parameters that are part of the
         command line.

7.241.  ppid

   elementId: TBD
   name: ppid
   dataType: unsigned32
   status: current
   description: The process ID of the process's
         parent process.

7.242.  priority

   elementId: TBD
   name: priority
   dataType: unsigned32
   status: current
   description: The scheduling priority with
         which the process runs.

7.243.  startTime

   elementId: TBD
   name: startTime
   dataType: string
   status: current
   description: The time of day the process
         started.

7.244.  routingtable

   elementId: TBD
   name: routingtable
   dataType: list
   structure: list (destination, gateway, flags,
         interfaceName)
   status: current
   description: Holds information about an individual routing table
   entry found in a system's primary routing table.

7.245.  destination

   elementId: TBD
   name: destination
   dataType: ipAddress
   status: current
   description: The destination IP address
         prefix of the routing table entry.

7.246.  gateway

   elementId: TBD
   name: gateway
   dataType: ipAddress
   status: current
   description: The gateway of the specified
         routing table entry.

7.247.  runlevelInfo

   elementId: TBD
   name: runlevelInfo
   dataType: list
   structure: list (serviceName, runlevel, start, kill)

   status: current
   description: Information about the start or kill state of a
   specified service at a given runlevel.

7.248.  runlevel

   elementId: TBD
   name: runlevel
   dataType: string
   status: current
   description: Specifies the system runlevel
         associated with a service.

7.249.  start

   elementId: TBD
   name: start
   dataType: boolean
   status: current
   description: Specifies whether the service is
         scheduled to start at the runlevel.

7.250.  kill

   elementId: TBD
   name: kill
   dataType: boolean
   status: current
   description: Specifies whether the service is
         scheduled to be killed at the runlevel.

7.251.  shadowItem

   elementId: TBD
   name: shadowItem
   dataType: list
   structure: list (username, password, chgLst, chgAllow,
         chgReq, expWarn, expInact, expDate, flags, encryptMethod)
   status: current
   description:

7.252.  chgLst

   elementId: TBD
   name: chgLst
   dataType: dateTimeSeconds
   status: current
   description: The date of the last password
         change.

7.253.  chgAllow

   elementId: TBD
   name: chgAllow
   dataType: unsigned32
   status: current
   description: Specifies how often in days a
         user may change their password. It can also be thought of
         as the minimum age of a password.

7.254.  chgReq

   elementId: TBD
   name: chgReq
   dataType: unsigned32
   status: current
   description: Describes how long a user can
         keep a password before the system forces her to change it.

7.255.  expWarn

   elementId: TBD
   name: expWarn
   dataType: unsigned32
   status: current
   description: Describes how long before
         password expiration the system begins warning the user.

7.256.  expInact

   elementId: TBD
   name: expInact
   dataType: unsigned32
   status: current
   description: Describes how many days of
         account inactivity the system will wait after a password
         expires before locking the account.

7.257.  expDate

   elementId: TBD
   name: expDate
   dataType: dateTimeSeconds
   status: current
   description: Specifies when the
         account's password will expire.

7.258.  encryptMethod

   elementId: TBD
   name: encryptMethod
   dataType: enumeration
   structure: DES ; 0x1 ; The DES method corresponds to the (none)
   prefix.
         BSDi ; 0x2 ; The BSDi method corresponds to BSDi modified
         DES or the '_' prefix.
         MD5 ; 0x3 ; The MD5 method corresponds to MD5 for Linux/BSD
         or the $1$ prefix.
         Blowfish ; 0x4 ; The Blowfish method corresponds to Blowfish
         (OpenBSD) or the $2$ or $2a$ prefixes.
         Sun MD5 ; 0x5 ; The Sun MD5 method corresponds to the $md5$
         prefix.
         SHA-256 ; 0x6 ; The SHA-256 method corresponds to the $5$
         prefix.
         SHA-512 ; 0x7 ; The SHA-512 method corresponds to the $6$
         prefix.
         ; 0x8 ; The empty string value is permitted here to
         allow for empty elements associated with variable references.
   status: current
   description: Describes the method that is used for hashing
         passwords.
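
The following added example (not part of the draft) parses shadow(5)-style lines into shadowItem records and derives encryptMethod from the prefixes listed above. The sample lines and their placeholder hash strings are constructed; the function names, the stripping of a leading '!' before classification, the conversion of day counts to UTC timestamps, and the LEGACY_METHODS reporting policy are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17283:0:90:7:30::
bob:$1$constructed$constructedhash:16000:0:99999:7:::
legacy:AAconstructed:15000:0:99999:7:::
svc:!$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17000:0:99999:7::18000:
daemon:*:17000:0:99999:7:::
"""

# Prefixes and method names as listed in the encryptMethod enumeration.
PREFIX_TO_METHOD = (
    ("$md5$", "Sun MD5"),
    ("$2a$", "Blowfish"),
    ("$2$", "Blowfish"),
    ("$1$", "MD5"),
    ("$5$", "SHA-256"),
    ("$6$", "SHA-512"),
    ("_", "BSDi"),
)
# DES has no prefix: traditional crypt output is 13 characters of [./0-9A-Za-z].
DES_FIELD = re.compile(r"[./0-9A-Za-z]{13}")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Illustrative reporting policy (assumption, not from the draft).
LEGACY_METHODS = frozenset({"DES", "BSDi", "MD5", "Sun MD5"})


def encrypt_method(password_field):
    """Return the encryptMethod name for a password field, '' if none applies."""
    # A leading '!' marks a locked password; the hash after it keeps its prefix.
    candidate = password_field.lstrip("!")
    for prefix, method in PREFIX_TO_METHOD:
        if candidate.startswith(prefix):
            return method
    if DES_FIELD.fullmatch(candidate):
        return "DES"
    # '*', '!', an empty field, or a prefix outside the enumeration.
    return ""


def _count(value):
    """Day-count fields (chgAllow, chgReq, expWarn, expInact); None if unset."""
    return None if value == "" else int(value)


def _date(value):
    """shadow(5) stores dates as days since 1970-01-01; render them as UTC."""
    if value == "":
        return None
    return (EPOCH + timedelta(days=int(value))).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_shadow_line(line):
    """Build one shadowItem record from a single nine-field shadow line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    name, pw, lastchg, minimum, maximum, warn, inact, expire, reserved = fields
    return {
        "username": name,
        "password": pw,
        "chgLst": _date(lastchg),
        "chgAllow": _count(minimum),
        "chgReq": _count(maximum),
        "expWarn": _count(warn),
        "expInact": _count(inact),
        "expDate": _date(expire),
        "flags": reserved,
        "encryptMethod": encrypt_method(pw),
    }


def parse_shadow(text):
    """Parse every non-empty line of a shadow file's text."""
    return [parse_shadow_line(line) for line in text.splitlines() if line.strip()]


def legacy_accounts(items):
    """Accounts whose hash method is in LEGACY_METHODS, as (username, method)."""
    return [
        (item["username"], item["encryptMethod"])
        for item in items
        if item["encryptMethod"] in LEGACY_METHODS
    ]


if __name__ == "__main__":
    records = parse_shadow(SAMPLE_SHADOW)
    for record in records:
        print(record["username"], repr(record["encryptMethod"]), record["chgLst"])
    print("legacy hash methods:", legacy_accounts(records))
```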

7.259.  symlink

   elementId: TBD
   name: symlink
   dataType: list
   structure: list (symlinkFilepath, canonicalPath)
   status: current

   description: Identifies the result generated for a symlink.

7.260.  symlinkFilepath

   elementId: TBD
   name: symlinkFilepath
   dataType: string
   status: current
   description: Specifies the filepath to
         the subject symbolic link file.

7.261.  canonicalPath

   elementId: TBD
   name: canonicalPath
   dataType: string
   status: current
   description: Specifies the canonical
         path for the target of the symbolic link file specified by
         the filepath.

7.262.  sysctl

   elementId: TBD
   name: sysctl
   dataType: list
   structure: list (kernelParameterName, kernelParameterValue+,
         uname, machineClass, nodeName, osName, osRelease,
         osVersion, processorType)
   status: current
   description: Stores
         information retrieved from the local system about a kernel
         parameter and its respective value(s).

7.263.  kernelParameterName

   elementId: TBD
   name: kernelParameterName
   dataType: string
   status: current
   description: The name of a kernel
         parameter that was collected from the local system.

7.264.  kernelParameterValue

   elementId: TBD
   name: kernelParameterValue
   dataType: string
   status: current
   description: The current value(s)
         for the specified kernel parameter on the local system.

7.265.  uname

   elementId: TBD
   name: uname
   dataType: list
   structure: list (machineClass, nodeName, osName, osRelease,
         osVersion, processorType)
   status: current
   description: Information about the hardware the machine is running
         on.

7.266.  machineClass

   elementId: TBD
   name: machineClass
   dataType: string
   status: current
   description: Specifies the machine
         hardware name.

7.267.  nodeName

   elementId: TBD
   name: nodeName
   dataType: string
   status: current
   description: Specifies the host
         name.

7.268.  osName

   elementId: TBD
   name: osName
   dataType: string
   status: current
   description: Specifies the operating system
         name.

7.269.  osRelease

   elementId: TBD
   name: osRelease
   dataType: string
   status: current
   description: Specifies the build
         version.

7.270.  processorType

   elementId: TBD
   name: processorType
   dataType: string
   status: current
   description: Specifies the processor
         type.

7.271.  internetService

   elementId: TBD
   name: internetService
   dataType: list
   structure: list (serviceProtocol, serviceName, flags,
         noAccess, onlyFrom, port, server, serverArguments,
         socketType, registeredServiceType, user, wait, disabled)

   status: current
   description: Holds information associated with Internet services.

7.272.  serviceProtocol

   elementId: TBD
   name: serviceProtocol
   dataType: string
   status: current
   description: Specifies the protocol
         that is used by the service.

7.273.  serviceName

   elementId: TBD
   name: serviceName
   dataType: string
   status: current
   description: Specifies the name of the
         service.

7.274.  flags

   elementId: TBD
   name: flags
   dataType: string
   status: current
   description: Specifies miscellaneous settings
         associated with the service with executing a program.

7.275.  noAccess

   elementId: TBD
   name: noAccess
   dataType: string
   status: current
   description: Specifies the remote hosts to
         which the service is unavailable.

7.276.  onlyFrom

   elementId: TBD
   name: onlyFrom
   dataType: ipAddress
   status: current
   description: Specifies the remote hosts to
         which the service is available.

7.277.  port

   elementId: TBD
   name: port
   dataType: unsigned32
   status: current
   description: The port entity specifies the port
         used by the service.

7.278.  server

   elementId: TBD
   name: server
   dataType: string
   status: current
   description: Specifies the executable that is
         used to launch the service.

7.279.  serverArguments

   elementId: TBD
   name: serverArguments
   dataType: string
   status: current
   description: Specifies the arguments
         that are passed to the executable when launching the service.

7.280.  socketType

   elementId: TBD
   name: socketType
   dataType: string
   status: current
   description: Specifies the type of socket
         that is used by the service. Possible values include: stream,
         dgram, raw, or seqpacket.

7.281.  registeredServiceType

   elementId: TBD
   name: registeredServiceType
   dataType: enumeration
   structure: INTERNAL ; 0x1 ; The INTERNAL type is used to describe
   services like echo, chargen, and others whose functionality is
   supplied by xinetd itself.
         RPC ; 0x2 ; The RPC type is used to describe services that
         use remote procedure call ala NFS.
         UNLISTED ; 0x3 ; The UNLISTED type is used to describe
         services that aren't listed in /etc/protocols or /etc/rpc.
         TCPMUX ; 0x4 ; The TCPMUX type is used to describe services
         that conform to RFC 1078. This type indicates that the service
         is responsible for handling the protocol handshake.
         TCPMUXPLUS ; 0x5 ; The TCPMUXPLUS type is used to describe
         services that conform to RFC 1078. This type indicates that
         xinetd is responsible for handling the protocol
         handshake.
         ; 0x6 ; The empty string value is permitted here to allow
         for detailed error reporting.
   status: current

   description: Specifies the type of internet service.

7.282.  wait

   elementId: TBD
   name: wait
   dataType: boolean
   status: current
   description: Specifies whether or not the service is single-threaded
   or multi-threaded and whether or not xinetd accepts the connection
   or the service accepts the connection. A value of 'true' indicates
   that the service is single-threaded and the service will accept the
   connection. A value of 'false' indicates that the service is multi-
   threaded and xinetd will accept the connection.

7.283.  disabled

   elementId: TBD
   name: disabled
   dataType: boolean
   status: current
   description: Specifies whether or not the
         service is disabled. A value of 'true' indicates that the
         service is disabled and will not start. A value of
         'false' indicates that the service is not disabled.

7.284.  windowsView

   elementId: TBD
   name: windowsView
   dataType: enumeration
   structure: 32_bit ; 0x1 ; Indicates the 32_bit windows view.
   64_bit ; 0x2 ; Indicates the 64_bit windows view.
   ; 0x3 ; The empty string value is permitted here to allow for
   empty elements associated with error conditions.
   status: current
   description: Indicates from which
         view (32-bit or 64-bit), the information was collected.
         A value of '32_bit' indicates the Item was collected from
         the 32-bit view. A value of '64_bit' indicates the Item
         was collected from the 64-bit view.

7.285.  fileauditedpermissions

   elementId: TBD
   name: fileauditedpermissions
   dataType: list
   structure: list (filepath, path, filename,
         trusteeSid, trusteeName, auditStandardDelete,
         auditStandardReadControl, auditStandardWriteDac,
         auditStandardWriteOwner, auditStandardSynchronize,
         auditAccessSystemSecurity, auditGenericRead, auditGenericWrite,
         auditGenericExecute, auditGenericAll, auditFileReadData,
         auditFileWriteData, auditFileAppendData, auditFileReadEa,
         auditFileWriteEa, auditFileExecute, auditFileDeleteChild,
         auditFileReadAttributes, auditFileWriteAttributes,
         windowsView)
   status: current
   description: Stores the audited access rights of a file that a
   system access control list (SACL) structure grants to a specified
   trustee. The trustee's audited access rights are determined by
   checking all access control entries (ACEs) in the SACL.

7.286.  trusteeName

   elementId: TBD
   name: trusteeName
   dataType: string
   status: current
   description: Specifies the trustee name. A
         trustee can be a user, group, or program (such as a Windows
         service).

7.287.  auditStandardDelete

   elementId: TBD
   name: auditStandardDelete
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The right to delete the object.

7.288.  auditStandardReadControl

   elementId: TBD
   name: auditStandardReadControl
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The right to read the information in the object's
   security descriptor, not including the information in the SACL.

7.289.  auditStandardWriteDac

   elementId: TBD
   name: auditStandardWriteDac
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The right to modify the DACL in the object's security
         descriptor.

7.290.  auditStandardWriteOwner

   elementId: TBD
   name: auditStandardWriteOwner
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The right to change the owner in the object's security
         descriptor.

7.291.  auditStandardSynchronize

   elementId: TBD
   name: auditStandardSynchronize
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The right to use the object for synchronization.
   This enables a thread to wait until the object is in the signaled
   state. Some object types do not support this access right.

7.292.  auditAccessSystemSecurity

   elementId: TBD
   name: auditAccessSystemSecurity
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Indicates access to a system access control list (SACL).

7.293.  auditGenericRead

   elementId: TBD
   name: auditGenericRead
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Read access.

7.294.  auditGenericWrite

   elementId: TBD
   name: auditGenericWrite
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Write access.

7.295.  auditGenericExecute

   elementId: TBD
   name: auditGenericExecute
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Execute access.

7.296.  auditGenericAll

   elementId: TBD
   name: auditGenericAll
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Read, write, and execute access.

7.297.  auditFileReadData

   elementId: TBD
   name: auditFileReadData
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to read data from the file.

7.298.  auditFileWriteData

   elementId: TBD
   name: auditFileWriteData
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to write data to the file.

7.299.  auditFileAppendData

   elementId: TBD
   name: auditFileAppendData
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to append data to the file.

7.300.  auditFileReadEa

   elementId: TBD
   name: auditFileReadEa
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to read extended attributes.

7.301.  auditFileWriteEa

   elementId: TBD
   name: auditFileWriteEa
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to write extended attributes.

7.302.  auditFileExecute

   elementId: TBD
   name: auditFileExecute
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to execute a file.

7.303.  auditFileDeleteChild

   elementId: TBD
   name: auditFileDeleteChild
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Right to delete a directory and all the files it
   contains (its children), even if the files are read-only.

7.304.  auditFileReadAttributes

   elementId: TBD
   name: auditFileReadAttributes
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to read file attributes.

7.305.  auditFileWriteAttributes

   elementId: TBD
   name: auditFileWriteAttributes
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to change file attributes.

7.306.  fileeffectiverights

   elementId: TBD
   name: fileeffectiverights
   dataType: list
   structure: list (filepath, path, filename,
         trusteeSid, trusteeName, standardDelete, standardReadControl,
         standardWriteDac, standardWriteOwner,
         standardSynchronize, accessSystemSecurity, genericRead,
         genericWrite, genericExecute, genericAll, fileReadData,
         fileWriteData, fileAppendData, fileReadEa, fileWriteEa,
         fileExecute, fileDeleteChild, fileReadAttributes,
         fileWriteAttributes, windowsView)
   status: current
   description: Stores the effective rights of a file that a
         discretionary access control list (DACL) structure grants
         to a specified trustee. The trustee's effective rights
         are determined by checking all access-allowed and
         access-denied access control entries (ACEs) in the DACL.
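
   The ACE walk this description refers to, as an added example that is
   not part of the draft: a simplified Python model that evaluates
   access-allowed and access-denied ACEs in DACL order and fills the
   boolean elements of a fileeffectiverights record. The Ace class, the
   function names and the SIDs are constructed for illustration; the mask
   values are the Windows SDK constants, generic rights are not mapped to
   file-specific rights, and inherit-only ACEs are not modelled.

```python
from dataclasses import dataclass

# Access-mask bit behind each boolean element of a fileeffectiverights
# record (values are the Windows SDK constants from winnt.h).
RIGHT_BITS = {
    "fileReadData": 0x00000001,
    "fileWriteData": 0x00000002,
    "fileAppendData": 0x00000004,
    "fileReadEa": 0x00000008,
    "fileWriteEa": 0x00000010,
    "fileExecute": 0x00000020,
    "fileDeleteChild": 0x00000040,
    "fileReadAttributes": 0x00000080,
    "fileWriteAttributes": 0x00000100,
    "standardDelete": 0x00010000,
    "standardReadControl": 0x00020000,
    "standardWriteDac": 0x00040000,
    "standardWriteOwner": 0x00080000,
    "standardSynchronize": 0x00100000,
    "accessSystemSecurity": 0x01000000,
    "genericAll": 0x10000000,
    "genericExecute": 0x20000000,
    "genericWrite": 0x40000000,
    "genericRead": 0x80000000,
}

FILE_ALL_ACCESS = 0x001F01FF  # standard rights 0x1F0000 plus file rights 0x1FF


@dataclass(frozen=True)
class Ace:
    """Hypothetical, minimal stand-in for one access control entry."""
    allow: bool  # True: access-allowed ACE, False: access-denied ACE
    sid: str     # SID the ACE names
    mask: int    # access mask carried by the ACE


def effective_mask(dacl, trustee_sids):
    """Walk the DACL in order and return the mask granted to the trustee.

    dacl is None for a NULL DACL (object unprotected, full access) and []
    for an empty DACL (no access). Each bit is decided by the first
    matching ACE that mentions it, so ACE order changes the result.
    """
    if dacl is None:
        return FILE_ALL_ACCESS
    granted = denied = 0
    for ace in dacl:
        if ace.sid not in trustee_sids:
            continue  # ACE names someone else
        if ace.allow:
            granted |= ace.mask & ~denied   # only bits not already denied
        else:
            denied |= ace.mask & ~granted   # only bits not already granted
    return granted


def file_effective_rights(filepath, trustee_sid, group_sids, dacl):
    """Build the boolean part of a fileeffectiverights record."""
    mask = effective_mask(dacl, {trustee_sid, *group_sids})
    record = {"filepath": filepath, "trusteeSid": trustee_sid}
    for name, bit in RIGHT_BITS.items():
        record[name] = bool(mask & bit)
    return record


# Constructed sample data: one user, one group the user belongs to.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-513"
DENY_WRITE = Ace(False, GROUP, 0x00000002 | 0x00000004)
ALLOW_ALL = Ace(True, USER, FILE_ALL_ACCESS)
CANONICAL = [DENY_WRITE, ALLOW_ALL]      # deny ACEs first
NON_CANONICAL = [ALLOW_ALL, DENY_WRITE]  # same ACEs, allow first

if __name__ == "__main__":
    for label, dacl in (("canonical", CANONICAL),
                        ("non-canonical", NON_CANONICAL),
                        ("empty DACL", []),
                        ("NULL DACL", None)):
        rec = file_effective_rights(r"C:\data\report.txt", USER, [GROUP], dacl)
        print(label, sorted(k for k, v in rec.items() if v is True))
```

   The two sample DACLs contain the same ACEs and yield different
   fileWriteData and fileAppendData values, which is why a collector has
   to preserve ACE order rather than OR the masks together.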

7.307.  standardDelete

   elementId: TBD
   name: standardDelete
   dataType: boolean
   status: current
   description: The right to delete the
         object.

7.308.  standardReadControl

   elementId: TBD
   name: standardReadControl
   dataType: boolean
   status: current
   description: The right to read
         the information in the object's security descriptor, not
         including the information in the SACL.

7.309.  standardWriteDac

   elementId: TBD
   name: standardWriteDac
   dataType: boolean
   status: current
   description: The right to modify the
         DACL in the object's security descriptor.

7.310.  standardWriteOwner

   elementId: TBD
   name: standardWriteOwner
   dataType: boolean
   status: current
   description: The right to change
         the owner in the object's security descriptor.

7.311.  standardSynchronize

   elementId: TBD
   name: standardSynchronize
   dataType: boolean
   status: current
   description: The right to use the
         object for synchronization. This enables a thread to wait
         until the object is in the signaled state. Some object
         types do not support this access right.

7.312.  accessSystemSecurity

   elementId: TBD
   name: accessSystemSecurity
   dataType: boolean
   status: current
   description: Indicates access to
         a system access control list (SACL).

7.313.  genericRead

   elementId: TBD
   name: genericRead
   dataType: boolean
   status: current
   description: Read access.

7.314.  genericWrite

   elementId: TBD
   name: genericWrite
   dataType: boolean
   status: current
   description: Write access.

7.315.  genericExecute

   elementId: TBD
   name: genericExecute
   dataType: boolean
   status: current
   description: Execute access.

7.316.  genericAll

   elementId: TBD
   name: genericAll
   dataType: boolean
   status: current
   description: Read, write, and execute
         access.

7.317.  fileReadData

   elementId: TBD
   name: fileReadData
   dataType: boolean
   status: current
   description: Grants the right to read
         data from the file.

7.318.  fileWriteData

   elementId: TBD
   name: fileWriteData
   dataType: boolean
   status: current
   description: Grants the right to write
         data to the file.

7.319.  fileAppendData

   elementId: TBD
   name: fileAppendData
   dataType: boolean
   status: current
   description: Grants the right to
         append data to the file.

7.320.  fileReadEa

   elementId: TBD
   name: fileReadEa
   dataType: boolean
   status: current
   description: Grants the right to read
         extended attributes.

7.321.  fileWriteEa

   elementId: TBD
   name: fileWriteEa
   dataType: boolean
   status: current
   description: Grants the right to write
         extended attributes.

7.322.  fileExecute

   elementId: TBD
   name: fileExecute
   dataType: boolean
   status: current
   description: Grants the right to execute
         a file.

7.323.  fileDeleteChild

   elementId: TBD
   name: fileDeleteChild
   dataType: boolean
   status: current
   description: Right to delete a
         directory and all the files it contains (its children),
         even if the files are read-only.

7.324.  fileReadAttributes

   elementId: TBD
   name: fileReadAttributes
   dataType: boolean
   status: current
   description: Grants the right to
         read file attributes.

7.325.  fileWriteAttributes

   elementId: TBD
   name: fileWriteAttributes
   dataType: boolean
   status: current
   description: Grants the right to
         change file attributes.

7.326.  groupInfo

   elementId: TBD
   name: groupInfo
   dataType: list
   structure: list (group, username, subgroup)
   status: current
   description: Specifies the different users and subgroups that
   directly belong to specific groups.

7.327.  group

   elementId: TBD
   name: group
   dataType: string
   status: current
   description: Represents the name of a particular
         group.

7.328.  subgroup

   elementId: TBD
   name: subgroup
   dataType: string
   status: current
   description: Represents the name of a
         particular subgroup in the specified group.

7.329.  groupSidInfo

   elementId: TBD
   name: groupSidInfo
   dataType: list
   structure: list (groupSid, userSid, subgroupSid)
   status: current
   description: Specifies the different users and subgroups that
   directly belong to specific groups (identified by SID).

7.330.  userSidInfo

   elementId: TBD
   name: userSidInfo
   dataType: list
   structure: list (userSid, enabled, groupSid, lastLogon)
   status: current
   description: Specifies the different groups (identified by SID)
   that a user belongs to.

7.331.  userSid

   elementId: TBD
   name: userSid
   dataType: string
   status: current
   description: Represents the SID of a
         particular user.

7.332.  subgroupSid

   elementId: TBD
   name: subgroupSid
   dataType: string
   status: current
   description: Represents the SID of a
         particular subgroup.

7.333.  lockoutpolicy

   elementId: TBD
   name: lockoutpolicy
   dataType: list
   structure: list (forceLogoff, lockoutDuration,
         lockoutObservationWindow, lockoutThreshold)
   status: current
   description: Specifies various attributes associated
         with lockout information for users and global groups in the
         security database.

7.334.  forceLogoff

   elementId: TBD
   name: forceLogoff
   dataType: unsigned32
   status: current
   description: Specifies, in seconds, the
         amount of time between the end of the valid logon time and
         the time when the user is forced to log off the
         network.

7.335.  lockoutDuration

   elementId: TBD
   name: lockoutDuration
   dataType: unsigned32
   status: current
   description: Specifies, in seconds,
         how long a locked account remains locked before it is
         automatically unlocked.

7.336.  lockoutObservationWindow

   elementId: TBD
   name: lockoutObservationWindow
   dataType: unsigned32
   status: current
   description: Specifies the
         maximum time, in seconds, that can elapse between any two
         failed logon attempts before lockout occurs.

7.337.  lockoutThreshold

   elementId: TBD
   name: lockoutThreshold
   dataType: unsigned32
   status: current
   description: Specifies the number of
         invalid password authentications that can occur before an
         account is marked "locked out."

7.338.  passwordpolicy

   elementId: TBD
   name: passwordpolicy
   dataType: list
   structure: list (maxPasswdAge, minPasswdAge,
         minPasswdLen, passwordHistLen, passwordComplexity,
         reversibleEncryption)
   status: current
   description: Specifies
         policy information associated with passwords.

7.339.  maxPasswdAge

   elementId: TBD
   name: maxPasswdAge
   dataType: unsigned32
   status: current
   description: Specifies, in seconds (from
         a DWORD), the maximum allowable password age. A value of
         TIMEQ_FOREVER (max DWORD value, 4294967295) indicates
         that the password never expires. The minimum valid value
         for this element is ONE_DAY (86400). See the
         USER_MODALS_INFO_0 structure returned by a call to
         NetUserModalsGet().

7.340.  minPasswdAge

   elementId: TBD
   name: minPasswdAge
   dataType: unsigned32
   status: current
   description: Specifies the minimum
         number of seconds that can elapse between the time a password
         changes and when it can be changed again. A value of
         zero indicates that no delay is required between password
         updates.

7.341.  minPasswdLen

   elementId: TBD
   name: minPasswdLen
   dataType: unsigned32
   status: current
   description: Specifies the minimum
         allowable password length. Valid values for this element are
         zero through PWLEN.

7.342.  passwordHistLen

   elementId: TBD
   name: passwordHistLen
   dataType: unsigned32
   status: current
   description: Specifies the length of
         password history maintained. A new password cannot match any
         of the previous usrmod0_password_hist_len passwords.
         Valid values for this element are zero through DEF_MAX_PWHIST.

7.343.  passwordComplexity

   elementId: TBD
   name: passwordComplexity
   dataType: boolean
   status: current
   description: Indicates whether
         passwords must meet the complexity requirements put forth
         by the operating system.

7.344.  reversibleEncryption

   elementId: TBD
   name: reversibleEncryption
   dataType: boolean
   status: current
   description: Indicates whether
         or not passwords are stored using reversible encryption.
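
   How an evaluator might consume the lockoutpolicy and passwordpolicy
   elements defined above, as an added example that is not part of the
   draft: the point is that TIMEQ_FOREVER is a sentinel and values below
   ONE_DAY are invalid, so both are tested before any numeric comparison.
   The function names, the BASELINE thresholds and the sample records are
   hypothetical; the meaning of lockoutThreshold 0 is the Windows
   convention and is not stated in the draft.

```python
TIMEQ_FOREVER = 4294967295  # max DWORD; per the draft, password never expires
ONE_DAY = 86400             # per the draft, smallest valid maxPasswdAge (seconds)

# Hypothetical baseline for this example only; not taken from the draft.
BASELINE = {
    "maxPasswdAge": 365 * ONE_DAY,   # seconds
    "minPasswdAge": 1 * ONE_DAY,     # seconds
    "minPasswdLen": 14,
    "passwordHistLen": 24,
    "lockoutThreshold": 10,          # failed logons
    "lockoutDuration": 15 * 60,      # seconds
}


def check_passwordpolicy(pp, base=BASELINE):
    """Return (element, reason) findings for one passwordpolicy record."""
    findings = []
    age = pp["maxPasswdAge"]
    if age == TIMEQ_FOREVER:
        # Sentinel, not a duration: handle it before comparing numbers.
        findings.append(("maxPasswdAge", "passwords never expire"))
    elif age < ONE_DAY:
        findings.append(("maxPasswdAge",
                         f"{age} s is below ONE_DAY, not a valid value"))
    elif age > base["maxPasswdAge"]:
        findings.append(("maxPasswdAge",
                         f"{age // ONE_DAY} days exceeds baseline"))

    if pp["minPasswdAge"] < base["minPasswdAge"]:
        reason = "below baseline"
        if pp["minPasswdAge"] == 0 and pp["passwordHistLen"] > 0:
            reason = "no delay between changes, history can be cycled at once"
        findings.append(("minPasswdAge", reason))
    if pp["minPasswdLen"] < base["minPasswdLen"]:
        findings.append(("minPasswdLen", "shorter than baseline"))
    if pp["passwordHistLen"] < base["passwordHistLen"]:
        findings.append(("passwordHistLen", "fewer passwords remembered"))
    if not pp["passwordComplexity"]:
        findings.append(("passwordComplexity", "complexity not enforced"))
    if pp["reversibleEncryption"]:
        findings.append(("reversibleEncryption",
                         "passwords stored with reversible encryption"))
    return findings


def check_lockoutpolicy(lp, base=BASELINE):
    """Return (element, reason) findings for one lockoutpolicy record."""
    findings = []
    threshold = lp["lockoutThreshold"]
    if threshold == 0:
        # Windows convention (assumption, not in the draft): 0 = no lockout.
        findings.append(("lockoutThreshold", "accounts are never locked out"))
    else:
        if threshold > base["lockoutThreshold"]:
            findings.append(("lockoutThreshold", "more attempts than baseline"))
        if lp["lockoutDuration"] < base["lockoutDuration"]:
            findings.append(("lockoutDuration", "unlocks sooner than baseline"))
    return findings


def evaluate(pp, lp, base=BASELINE):
    """Combine both checks into one posture result."""
    findings = check_passwordpolicy(pp, base) + check_lockoutpolicy(lp, base)
    return {"compliant": not findings, "findings": findings}


# Constructed sample records, shaped like the list elements in the draft.
WEAK_PP = {"maxPasswdAge": TIMEQ_FOREVER, "minPasswdAge": 0,
           "minPasswdLen": 8, "passwordHistLen": 5,
           "passwordComplexity": False, "reversibleEncryption": True}
WEAK_LP = {"forceLogoff": 0, "lockoutDuration": 60,
           "lockoutObservationWindow": 60, "lockoutThreshold": 0}
GOOD_PP = {"maxPasswdAge": 90 * ONE_DAY, "minPasswdAge": ONE_DAY,
           "minPasswdLen": 14, "passwordHistLen": 24,
           "passwordComplexity": True, "reversibleEncryption": False}
GOOD_LP = {"forceLogoff": 0, "lockoutDuration": 1800,
           "lockoutObservationWindow": 1800, "lockoutThreshold": 5}

if __name__ == "__main__":
    for element, reason in evaluate(WEAK_PP, WEAK_LP)["findings"]:
        print(f"{element}: {reason}")
```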

7.345.  portInfo

   elementId: TBD
   name: portInfo
   dataType: list
   structure: list (localAddress, localPort, transportProtocol,
         pid, foreignAddress, foreignPort)
   status: current
   description: Information about open listening ports.

7.346.  foreignPort

   elementId: TBD
   name: foreignPort
   dataType: string
   status: current
   description: The TCP or UDP port to which
         the program communicates.

7.347.  printereffectiverights

   elementId: TBD
   name: printereffectiverights
   dataType: list
   structure: list (printerName, trusteeSid,
         standardDelete, standardReadControl, standardWriteDac,
         standardWriteOwner, standardSynchronize,
         accessSystemSecurity, genericRead, genericWrite,
         genericExecute, genericAll, printerAccessAdminister,
         printerAccessUse, jobAccessAdminister, jobAccessRead)
   status: current
   description: Stores the effective rights of a printer that a
   discretionary access control list (DACL) structure grants to a
   specified trustee. The trustee's effective rights are determined
   by checking all access-allowed and access-denied access control
   entries (ACEs) in the DACL.

7.348.  printerName

   elementId: TBD
   name: printerName
   dataType: string
   status: current
   description: Specifies the name of the
         printer.

7.349.  printerAccessAdminister

   elementId: TBD
   name: printerAccessAdminister
   dataType: boolean
   status: current
   description:

7.350.  printerAccessUse

   elementId: TBD
   name: printerAccessUse
   dataType: boolean
   status: current
   description:

7.351.  jobAccessAdminister

   elementId: TBD
   name: jobAccessAdminister
   dataType: boolean
   status: current
   description:

7.352.  jobAccessRead

   elementId: TBD
   name: jobAccessRead
   dataType: boolean
   status: current
   description:

7.353.  registry

   elementId: TBD
   name: registry
   dataType: list
   structure: list (registryHive, registryKey, registryKeyName,
                    lastWriteTime, registryKeyType, registryKeyValue,
                    windowsView)
   status: current
   description: Specifies information that can be
         collected about a particular registry key.

7.354.  registryHive

   elementId: TBD
   name: registryHive
   dataType: enumeration
   structure: HKEY_CLASSES_ROOT ; 0x1 ; This registry subtree
         contains information that associates file types with programs
         and configuration data for automation (e.g. COM
         objects and Visual Basic Programs).
         HKEY_CURRENT_CONFIG ; 0x2 ; This registry subtree contains
         configuration data for the current hardware profile.
         HKEY_CURRENT_USER ; 0x3 ; This registry subtree contains the
         user profile of the user that is currently logged into the
         system.
         HKEY_LOCAL_MACHINE ; 0x4 ; This registry subtree contains
         information about the local system.
         HKEY_USERS ; 0x5 ; This registry subtree contains user-specific
         data.
         ; 0x6 ; The empty string value is permitted here to allow
         for detailed error reporting.
   status: current
   description: The
         hive that the registry key belongs to.

7.355.  registryKey

   elementId: TBD
   name: registryKey
   dataType: string
   status: current
   description: Describes the registry key.
         Note that the hive portion of the string should not be
         included, as this data can be found under the hive
         element.

7.356.  registryKeyName

   elementId: TBD
   name: registryKeyName
   dataType: string
   status: current
   description: Describes the name of a
         registry key.

7.357.  lastWriteTime

   elementId: TBD
   name: lastWriteTime
   dataType: unsigned64
   status: current
   description: The last time that the key or any of its value entries
         were modified. The value of this entity represents the
         FILETIME structure which is a 64-bit value representing the
         number of 100-nanosecond intervals since January 1, 1601
         (UTC). Last write time can be queried on any key, with hives
         being classified as a type of key. When collecting only
         information about a registry hive or key the last write time
         will be the time the key or any of its entries were modified.
         When collecting only information about a registry name the
         last write time will be the time the containing key was
         modified. Thus when collecting information about a registry
         name, the last write time does not correlate directly
         to the specified name. See the lpftLastWriteTime parameter
         of the RegQueryInfoKey function.
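
   The following is an added example, not part of the draft: it
   converts a lastWriteTime value to a UTC timestamp and groups
   collected records by key, since the timestamp belongs to the
   containing key and not to a registryKeyName.  The record layout,
   the key path and the value names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_UNSIGNED64 = 2**64 - 1


def filetime_to_datetime(filetime):
    """Convert a lastWriteTime value (100 ns ticks since 1601-01-01 UTC)."""
    if isinstance(filetime, bool) or not isinstance(filetime, int):
        raise TypeError("lastWriteTime must be an integer")
    if not 0 <= filetime <= MAX_UNSIGNED64:
        raise ValueError("lastWriteTime is outside the unsigned64 range")
    try:
        # datetime has microsecond resolution, so the last 100 ns digit is dropped.
        return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    except OverflowError:
        raise ValueError("lastWriteTime is later than datetime can hold") from None


def datetime_to_filetime(moment):
    """Convert a timezone-aware datetime to FILETIME ticks."""
    if moment.tzinfo is None:
        raise ValueError("a timezone-aware datetime is required")
    return ((moment - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def keys_written_since(records, baseline):
    """Return {(hive, key): {"lastWrite": datetime, "names": set}} for every
    key whose lastWriteTime is later than baseline.

    The names are listed for context only: any entry under the key may be
    the one that changed, because the timestamp is kept per key.
    """
    changed = {}
    for record in records:
        written = filetime_to_datetime(record["lastWriteTime"])
        if written <= baseline:
            continue
        key_id = (record["registryHive"], record["registryKey"])
        entry = changed.setdefault(key_id, {"lastWrite": written, "names": set()})
        entry["lastWrite"] = max(entry["lastWrite"], written)
        if record.get("registryKeyName"):
            entry["names"].add(record["registryKeyName"])
    return changed


# Constructed sample data (not from a real system).
BASELINE = datetime(2017, 4, 27, tzinfo=timezone.utc)
SAMPLE_KEY = "SOFTWARE\\ExampleVendor\\ExampleApp"
SAMPLE_RECORDS = [
    {"registryHive": "HKEY_LOCAL_MACHINE", "registryKey": SAMPLE_KEY,
     "registryKeyName": "InstallPath",
     "lastWriteTime": datetime_to_filetime(BASELINE + timedelta(hours=3))},
    {"registryHive": "HKEY_LOCAL_MACHINE", "registryKey": SAMPLE_KEY,
     "registryKeyName": "UpdateUrl",
     "lastWriteTime": datetime_to_filetime(BASELINE + timedelta(hours=3))},
    {"registryHive": "HKEY_LOCAL_MACHINE",
     "registryKey": "SOFTWARE\\ExampleVendor\\Other",
     "registryKeyName": "",
     "lastWriteTime": datetime_to_filetime(BASELINE - timedelta(days=30))},
]

if __name__ == "__main__":
    for (hive, key), info in keys_written_since(SAMPLE_RECORDS, BASELINE).items():
        print(hive, key, info["lastWrite"].isoformat(), sorted(info["names"]))
```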

7.358.  registryKeyType

   elementId: TBD
   name: registryKeyType
   dataType: enumeration
   structure: reg_binary ; 0x1 ; The reg_binary type
         is used by registry keys that specify binary data in any
         form.
         reg_dword ; 0x2 ; The reg_dword type is used by
         registry keys that specify an unsigned 32-bit integer.
         reg_dword_little_endian ; 0x3 ; The reg_dword_little_endian
         type is used by registry keys that specify an unsigned 32-bit
         little-endian integer. It is designed to run on
         little-endian computer architectures.
         reg_dword_big_endian ; 0x4 ; The reg_dword_big_endian type
         is used by registry keys that specify an unsigned 32-bit
         big-endian integer. It is designed to run on big-endian
         computer architectures.
         reg_expand_sz ; 0x5 ; The reg_expand_sz type is used by
         registry keys to specify a null-terminated
         string that contains unexpanded references to environment
         variables (for example, "%PATH%").
         reg_link ; 0x6 ; The reg_link type is used by registry
         keys for null-terminated Unicode strings. It is related to
         the target path of a symbolic link created by the
         RegCreateKeyEx function.
         reg_multi_sz ; 0x7 ; The reg_multi_sz type is used by
         registry keys that specify an array of null-terminated
         strings, terminated by two null characters.
         reg_none ; 0x8 ; The reg_none type is used by registry keys
         that have no defined value type.
         reg_qword ; 0x9 ; The reg_qword type is used by registry keys
         that specify an unsigned 64-bit integer.
         reg_qword_little_endian ; 0xA ; The reg_qword_little_endian
         type is used by registry keys that specify an unsigned
         64-bit integer in little-endian computer architectures.
         reg_sz ; 0xB ; The reg_sz type is used by registry keys that
         specify a single null-terminated string.
         reg_resource_list ; 0xC ; The reg_resource_list type is used
         by registry keys that specify a resource list.
         reg_full_resource_descriptor ; 0xD ; The
         reg_full_resource_descriptor type is used by registry
         keys that specify a full resource descriptor.
         reg_resource_requirements_list ; 0xE ; The
         reg_resource_requirements_list type is used by registry keys
         that specify a resource requirements list.
         ; 0xF ; The empty string value is permitted here to allow
         for detailed error reporting.
   status: current
   description:
         Specifies the type of data stored by the registry key.

7.359.  registryKeyValue

   elementId: TBD
   name: registryKeyValue
   dataType: string
   status: current
   description: Holds the actual value
         of the specified registry key. The representation of the
         value as well as the associated datatype attribute
         depends on the type of data stored in the registry key. If
         the value being tested is of type REG_BINARY, then the
         datatype attribute should be set to 'binary' and the data
         represented by the value entity should follow the
         xsd:hexBinary form (each binary octet is encoded as two hex
         digits). If the value being tested is of type
         REG_DWORD, REG_QWORD, REG_DWORD_LITTLE_ENDIAN,
         REG_DWORD_BIG_ENDIAN, or REG_QWORD_LITTLE_ENDIAN, then the
         datatype attribute should be set to 'int' and the value
         entity should represent the data as an unsigned integer.
         DWORD and QWORD values represent unsigned 32-bit and 64-bit
         integers, respectively. If the value being tested is of type
         REG_EXPAND_SZ, then the datatype attribute should be set to
         'string' and the pre-expanded string should be
         represented by the value entity. If the value being tested
         is of type REG_MULTI_SZ, then only a single string (one
         of the multiple strings) should be tested using the value
         entity with the datatype attribute set to 'string'. In
         order to test multiple values, multiple OVAL registry tests
         should be used. If the specified registry key is of
         type REG_SZ, then the datatype should be 'string' and the
         value entity should be a copy of the string. If the
         value being tested is of type REG_LINK, then the datatype
         attribute should be set to 'string' and the
         null-terminated Unicode string should be represented by the
         value entity.
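
   The following is an added example, not part of the draft: it
   applies the representation rules above to raw registry data and
   returns one (datatype, value) pair per testable value.  It assumes
   string data is stored as UTF-16LE and reads "pre-expanded" as the
   string as stored, before environment variables are expanded; the
   function names and sample bytes are constructed for illustration.

```python
import struct

# struct formats for the integer types named in the description above.
INTEGER_FORMATS = {
    "reg_dword": "<I",
    "reg_dword_little_endian": "<I",
    "reg_dword_big_endian": ">I",
    "reg_qword": "<Q",
    "reg_qword_little_endian": "<Q",
}
SINGLE_STRING_TYPES = {"reg_sz", "reg_expand_sz", "reg_link"}


def decode_utf16(raw):
    """Decode stored string data (assumed UTF-16LE)."""
    if len(raw) % 2:
        raise ValueError("string data is not a whole number of UTF-16 units")
    return raw.decode("utf-16-le")


def represent(key_type, raw):
    """Return a list of (datatype, value) pairs for one registry value.

    REG_MULTI_SZ yields one pair per string, because each string has to be
    tested separately; every other type yields exactly one pair.
    """
    key_type = key_type.lower()
    if key_type == "reg_binary":
        # xsd:hexBinary: two hex digits per octet.
        return [("binary", raw.hex().upper())]
    if key_type in INTEGER_FORMATS:
        fmt = INTEGER_FORMATS[key_type]
        if len(raw) != struct.calcsize(fmt):
            raise ValueError("%s data must be %d bytes, got %d"
                             % (key_type, struct.calcsize(fmt), len(raw)))
        return [("int", str(struct.unpack(fmt, raw)[0]))]
    if key_type in SINGLE_STRING_TYPES:
        # Stop at the first NUL: the terminator may be missing or be
        # followed by slack bytes. %VAR% references are left unexpanded.
        return [("string", decode_utf16(raw).split("\x00", 1)[0])]
    if key_type == "reg_multi_sz":
        text = decode_utf16(raw)
        end = text.find("\x00\x00")          # two NULs end the array
        if end != -1:
            text = text[:end]
        return [("string", item) for item in text.split("\x00") if item]
    # reg_none and the resource types have no rule in the description.
    raise ValueError("no representation rule for type %r" % key_type)


# Constructed sample values (not from a real system).
SAMPLE_VALUES = [
    ("reg_binary", bytes.fromhex("deadbeef")),
    ("reg_dword", b"\x01\x00\x00\x00"),
    ("reg_dword_big_endian", b"\x00\x00\x00\x01"),
    ("reg_qword", (2**63).to_bytes(8, "little")),
    ("reg_expand_sz", "%PATH%;C:\\Tools\x00".encode("utf-16-le")),
    ("reg_multi_sz", "first\x00second\x00\x00".encode("utf-16-le")),
]

if __name__ == "__main__":
    for key_type, raw in SAMPLE_VALUES:
        print(key_type, represent(key_type, raw))
```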

7.360.  regkeyauditedpermissions

   elementId: TBD
   name: regkeyauditedpermissions
   dataType: list
   structure: list (registryKey, trusteeSid, trusteeName,
         standardDelete, standardReadControl, standardWriteDac,
         standardWriteOwner, standardSynchronize,
         accessSystemSecurity, genericRead, genericWrite,
         genericExecute, genericAll, keyQueryValue, keySetValue,
         keyCreateSubKey, keyEnumerateSubKeys, keyNotify,
         keyCreateLink, keyWow6464Key, keyWow6432Key, keyWow64Res,
         windowsView)
   status: current
   description: Stores the audited access rights of a registry key
   that a system access control list (SACL) structure grants to a
   specified trustee. The trustee's audited access rights are
   determined by checking all access control entries (ACEs) in the
   SACL.

7.361.  auditKeyQueryValue

   elementId: TBD
   name: auditKeyQueryValue
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description:

7.362.  auditKeySetValue

   elementId: TBD
   name: auditKeySetValue
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description:

7.363.  auditKeyCreateSubKey

   elementId: TBD
   name: auditKeyCreateSubKey
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description:

7.364.  auditKeyEnumerateSubKeys

   elementId: TBD
   name: auditKeyEnumerateSubKeys
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description:

7.365.  auditKeyNotify

   elementId: TBD
   name: auditKeyNotify
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description:

7.366.  auditKeyCreateLink

   elementId: TBD
   name: auditKeyCreateLink
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description:

7.367.  auditKeyWow6464Key

   elementId: TBD
   name: auditKeyWow6464Key
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description:

7.368.  auditKeyWow6432Key

   elementId: TBD
   name: auditKeyWow6432Key
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description:

7.369.  auditKeyWow64Res

   elementId: TBD
   name: auditKeyWow64Res
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description:

7.370.  regkeyeffectiverights

   elementId: TBD
   name: regkeyeffectiverights
   dataType: list
   structure: list (registryHive, registryKey, trusteeSid,
         trusteeName, standardDelete, standardReadControl,
         standardWriteDac, standardWriteOwner, standardSynchronize,
         accessSystemSecurity, genericRead, genericWrite,
         genericExecute, genericAll, keyQueryValue, keySetValue,
         keyCreateSubKey, keyEnumerateSubKeys, keyNotify,
         keyCreateLink, keyWow6464Key, keyWow6432Key, keyWow64Res,
         windowsView)
   status: current
   description: Stores the effective rights of a registry key that a
   discretionary access control list (DACL) structure grants to a
   specified trustee. The trustee's effective rights are determined
   by checking all access-allowed and access-denied access control
   entries (ACEs) in the DACL.
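
   The following is an added example, not part of the draft: a
   simplified model of how effective rights fall out of the allow and
   deny ACEs of a DACL, evaluated in order, mapped onto some of the
   boolean elements of this list.  The access-mask bit values are
   Windows constants that do not appear in this document; the model
   ignores generic-right mapping, inheritance flags, ownership and
   privileges, and the sample SIDs and DACLs are constructed.

```python
from collections import namedtuple

# ace_type is "allow" or "deny"; mask is the ACE's access mask.
Ace = namedtuple("Ace", "ace_type sid mask")

# Element name -> access-mask bit (Windows constants, assumed here).
KEY_RIGHT_BITS = {
    "keyQueryValue": 0x0001,
    "keySetValue": 0x0002,
    "keyCreateSubKey": 0x0004,
    "keyEnumerateSubKeys": 0x0008,
    "keyNotify": 0x0010,
    "keyCreateLink": 0x0020,
    "standardDelete": 0x00010000,
    "standardReadControl": 0x00020000,
    "standardWriteDac": 0x00040000,
    "standardWriteOwner": 0x00080000,
}
ALL_KNOWN_BITS = sum(KEY_RIGHT_BITS.values())
KEY_READ = 0x00020019   # read control + query value + enumerate + notify


def effective_mask(dacl, trustee_sids):
    """Walk the ACEs in order; the first ACE to mention a bit decides it."""
    if dacl is None:
        # No DACL at all: access is unrestricted. An empty DACL ([]) is the
        # opposite case and grants nothing.
        return ALL_KNOWN_BITS
    granted = denied = 0
    for ace in dacl:
        if ace.sid not in trustee_sids:
            continue
        if ace.ace_type == "allow":
            granted |= ace.mask & ~denied
        elif ace.ace_type == "deny":
            denied |= ace.mask & ~granted
        else:
            raise ValueError("unknown ACE type %r" % ace.ace_type)
    return granted


def regkey_effective_rights(dacl, trustee_sid, group_sids=()):
    """Return the boolean rights for a trustee and the groups it belongs to."""
    mask = effective_mask(dacl, {trustee_sid, *group_sids})
    return {name: bool(mask & bit) for name, bit in KEY_RIGHT_BITS.items()}


# Constructed sample data (not from a real system).
USERS = "S-1-5-32-545"                                     # BUILTIN\Users
TRUSTEE = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
DENY_FIRST = [
    Ace("deny", TRUSTEE, KEY_RIGHT_BITS["keySetValue"]),
    Ace("allow", USERS, KEY_READ | KEY_RIGHT_BITS["keySetValue"]),
]
# Same ACEs in the opposite order: the allow ACE is reached first.
ALLOW_FIRST = list(reversed(DENY_FIRST))

if __name__ == "__main__":
    for label, dacl in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        rights = regkey_effective_rights(dacl, TRUSTEE, [USERS])
        print(label, sorted(name for name, ok in rights.items() if ok))
```

   A collector that reports keySetValue from the set of ACEs alone,
   without their order, reports the same result for both sample DACLs
   although the effective right differs.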

7.371.  keyQueryValue

   elementId: TBD
   name: keyQueryValue
   dataType: boolean
   status: current
   description: Specifies whether or not
         permission is granted to query the key's value.

7.372.  keySetValue

   elementId: TBD
   name: keySetValue
   dataType: boolean
   status: current
   description: Specifies whether or not
         permission is granted to set the key's value.

7.373.  keyCreateSubKey

   elementId: TBD
   name: keyCreateSubKey
   dataType: boolean
   status: current
   description: Specifies whether or not
         permission is granted to create a subkey.

7.374.  keyEnumerateSubKeys

   elementId: TBD
   name: keyEnumerateSubKeys
   dataType: boolean
   status: current
   description: Specifies whether or
         not permission is granted to list the subkeys associated
         with the key.

7.375.  keyNotify

   elementId: TBD
   name: keyNotify
   dataType: boolean
   status: current
   description:

7.376.  keyCreateLink

   elementId: TBD
   name: keyCreateLink
   dataType: boolean
   status: current
   description:

7.377.  keyWow6464Key

   elementId: TBD
   name: keyWow6464Key
   dataType: boolean
   status: current
   description:

7.378.  keyWow6432Key

   elementId: TBD
   name: keyWow6432Key
   dataType: boolean
   status: current
   description:

7.379.  keyWow64Res

   elementId: TBD
   name: keyWow64Res
   dataType: boolean
   status: current
   description:

7.380.  service

   elementId: TBD
   name: service
   dataType: list
   structure: list (serviceName, displayName, description,
         serviceType, startType, currentState, controlsAccepted,
         startName, path, pid, serviceFlag, dependencies)
   status: current
   description: Stores information about Windows services that are
   present on the system.

7.381.  displayName

   elementId: TBD
   name: displayName
   dataType: string
   status: current
   description: Specifies the name of the
         service as specified in administrative tools.

7.382.  description

   elementId: TBD
   name: description
   dataType: string
   status: current
   description: Specifies the description of
         the service.

7.383.  serviceType

   elementId: TBD
   name: serviceType
   dataType: enumeration
   structure: SERVICE_FILE_SYSTEM_DRIVER ; 0x1 ; The
         SERVICE_FILE_SYSTEM_DRIVER type means that the service is
         a file system driver. The DWORD value that this
         corresponds to is 0x00000002.
         SERVICE_KERNEL_DRIVER ; 0x2 ; The SERVICE_KERNEL_DRIVER type
         means that the service is a driver. The DWORD value that
         this corresponds to is 0x00000001.
         SERVICE_WIN32_OWN_PROCESS ; 0x3 ; The SERVICE_WIN32_OWN_PROCESS
         type means that the service runs in its own process. The DWORD
         value that this corresponds to is 0x00000010.
         SERVICE_WIN32_SHARE_PROCESS ; 0x4 ; The
         SERVICE_WIN32_SHARE_PROCESS type means that the service runs
         in a process with other services. The DWORD value that this
         corresponds to is 0x00000020.
         SERVICE_INTERACTIVE_PROCESS ; 0x5 ; The
         SERVICE_INTERACTIVE_PROCESS type means that the service can
         interact with the desktop. The DWORD value that this
         corresponds to is 0x00000100.
         ; 0x6 ; The empty string value is permitted here to allow for
         empty elements associated with error conditions.
   status: current
   description:
         Specifies the type of the service.

7.384.  startType

   elementId: TBD
   name: startType
   dataType: enumeration
   structure: SERVICE_AUTO_START ; 0x1 ; The SERVICE_AUTO_START type
         means that the service is started automatically by the Service
         Control Manager (SCM) during startup. The DWORD value that
         this corresponds to is 0x00000002.
         SERVICE_BOOT_START ; 0x2 ; The SERVICE_BOOT_START type means
         that the driver service is started by the system loader. The
         DWORD value that this corresponds to is 0x00000000.
         SERVICE_DEMAND_START ; 0x3 ; The SERVICE_DEMAND_START type
         means that the service is started by the Service Control
         Manager (SCM) when StartService() is called. The DWORD value
         that this corresponds to is 0x00000003.
         SERVICE_DISABLED ; 0x4 ; The SERVICE_DISABLED type means
         that the service cannot be started. The DWORD value that
         this corresponds to is 0x00000004.
         SERVICE_SYSTEM_START ; 0x5 ; The SERVICE_SYSTEM_START type
         means that the service is a device driver started by
         IoInitSystem(). The DWORD value that this corresponds to is
         0x00000001.
         ; 0x6 ; The empty string value is permitted here to allow
         for empty elements associated with error conditions.
   status: current
   description: Specifies when the service should be started.

7.385.  currentState

   elementId: TBD
   name: currentState
   dataType: enumeration
   structure: SERVICE_CONTINUE_PENDING ; 0x1 ; The
         SERVICE_CONTINUE_PENDING type means that the service has been
         sent a command to continue, however, the command has
         not yet been executed. The DWORD value that this corresponds
         to is 0x00000005.
         SERVICE_PAUSE_PENDING ; 0x2 ; The SERVICE_PAUSE_PENDING type
         means that the service has been sent a command to pause,
         however, the command has not yet been executed. The DWORD
         value that this corresponds to is 0x00000006.
         SERVICE_PAUSED ; 0x3 ; The SERVICE_PAUSED type means that
         the service is paused. The DWORD value that this corresponds
         to is 0x00000007.
         SERVICE_RUNNING ; 0x4 ; The SERVICE_RUNNING type means that
         the service is running. The DWORD value that this
         corresponds to is 0x00000004.
         SERVICE_START_PENDING ; 0x5 ; The SERVICE_START_PENDING type
         means that the service has been sent a command to start,
         however, the command has not yet been executed. The DWORD
         value that this corresponds to is 0x00000002.
         SERVICE_STOP_PENDING ; 0x6 ; The SERVICE_STOP_PENDING type
         means that the service has been sent a command to stop,
         however, the command has not yet been executed. The DWORD
         value that this corresponds to is 0x00000003.
         SERVICE_STOPPED ; 0x7 ; The SERVICE_STOPPED type means that
         the service is stopped. The DWORD value that this corresponds
         to is 0x00000001.
         ; 0x8 ; The empty string value is permitted here to allow
         for empty elements associated with error conditions.
   status: current
   description: Specifies the current state of
         the service.

7.386.  controlsAccepted

   elementId: TBD
   name: controlsAccepted
   dataType: enumeration
   structure:
     SERVICE_ACCEPT_NETBINDCHANGE ; 0x1 ;
     The SERVICE_ACCEPT_NETBINDCHANGE type means that the
     service is a network component and can accept changes in its
     binding without being stopped or restarted. The DWORD value
     that this corresponds to is 0x00000010.
     SERVICE_ACCEPT_PARAMCHANGE ; 0x2 ; The SERVICE_ACCEPT_PARAMCHANGE
     type means that the service can re-read its
     startup parameters without being stopped or restarted. The
     DWORD value that this corresponds to is 0x00000008.
     SERVICE_ACCEPT_PAUSE_CONTINUE ; 0x3 ; The
     SERVICE_ACCEPT_PAUSE_CONTINUE type means that the service
     can be paused or continued. The DWORD value that this
     corresponds to is 0x00000002.
     SERVICE_ACCEPT_PRESHUTDOWN ; 0x4 ; The
     SERVICE_ACCEPT_PRESHUTDOWN type means that the service can
     receive pre-shutdown notifications. The DWORD value
     that this corresponds to is 0x00000100.
     SERVICE_ACCEPT_SHUTDOWN ; 0x5 ; The SERVICE_ACCEPT_SHUTDOWN
     type means that the service can receive shutdown notifications.
     The DWORD value that this corresponds to is 0x00000004.
     SERVICE_ACCEPT_STOP ; 0x6 ; The SERVICE_ACCEPT_STOP type
     means that the service can be stopped. The DWORD value
     that this corresponds to is 0x00000001.
     SERVICE_ACCEPT_HARDWAREPROFILECHANGE ; 0x7 ; The
     SERVICE_ACCEPT_HARDWAREPROFILECHANGE type means that the
     service can receive notifications when the system's
     hardware profile changes. The DWORD value that this
     corresponds to is 0x00000020.
     SERVICE_ACCEPT_POWEREVENT ; 0x8 ; The SERVICE_ACCEPT_POWEREVENT
     type means that the service can receive notifications when the
     system's power status has changed. The DWORD value that this
     corresponds to is 0x00000040.
     SERVICE_ACCEPT_SESSIONCHANGE ; 0x9 ; The
     SERVICE_ACCEPT_SESSIONCHANGE type means that the service can
     receive notifications when the system's session
     status has changed. The DWORD value that this corresponds
     to is 0x00000080.
     SERVICE_ACCEPT_TIMECHANGE ; 0xA ; The SERVICE_ACCEPT_TIMECHANGE
     type means that the service can receive notifications when
     the system time changes. The DWORD value that this corresponds
     to is 0x00000200.
     SERVICE_ACCEPT_TRIGGEREVENT ; 0xB ; The
     SERVICE_ACCEPT_TRIGGEREVENT type means that the service can
     receive notifications when an event that the service
     has registered for occurs on the system. The DWORD value that
     this corresponds to is 0x00000400.
     ; 0xC ; The empty string value is permitted here to allow
     for empty elements associated with error conditions.
   status: current
   description: Specifies the control codes that a service will
         accept and process.
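
   The following is an added example, not part of the draft: it
   decodes the Windows DWORD values quoted in the serviceType,
   startType, currentState and controlsAccepted tables into the
   enumeration names and their SACM enumeration values, which are
   numbered differently from the DWORDs.  Treating serviceType and
   controlsAccepted as bit masks, the input key names and the sample
   service are assumptions made for this illustration.

```python
# Windows DWORD -> (enumeration name, SACM enumeration value), as listed above.
SERVICE_TYPE_BITS = {
    0x00000001: ("SERVICE_KERNEL_DRIVER", 0x2),
    0x00000002: ("SERVICE_FILE_SYSTEM_DRIVER", 0x1),
    0x00000010: ("SERVICE_WIN32_OWN_PROCESS", 0x3),
    0x00000020: ("SERVICE_WIN32_SHARE_PROCESS", 0x4),
    0x00000100: ("SERVICE_INTERACTIVE_PROCESS", 0x5),
}
START_TYPES = {
    0x00000000: ("SERVICE_BOOT_START", 0x2),
    0x00000001: ("SERVICE_SYSTEM_START", 0x5),
    0x00000002: ("SERVICE_AUTO_START", 0x1),
    0x00000003: ("SERVICE_DEMAND_START", 0x3),
    0x00000004: ("SERVICE_DISABLED", 0x4),
}
CURRENT_STATES = {
    0x00000001: ("SERVICE_STOPPED", 0x7),
    0x00000002: ("SERVICE_START_PENDING", 0x5),
    0x00000003: ("SERVICE_STOP_PENDING", 0x6),
    0x00000004: ("SERVICE_RUNNING", 0x4),
    0x00000005: ("SERVICE_CONTINUE_PENDING", 0x1),
    0x00000006: ("SERVICE_PAUSE_PENDING", 0x2),
    0x00000007: ("SERVICE_PAUSED", 0x3),
}
CONTROLS_ACCEPTED_BITS = {
    0x00000001: ("SERVICE_ACCEPT_STOP", 0x6),
    0x00000002: ("SERVICE_ACCEPT_PAUSE_CONTINUE", 0x3),
    0x00000004: ("SERVICE_ACCEPT_SHUTDOWN", 0x5),
    0x00000008: ("SERVICE_ACCEPT_PARAMCHANGE", 0x2),
    0x00000010: ("SERVICE_ACCEPT_NETBINDCHANGE", 0x1),
    0x00000020: ("SERVICE_ACCEPT_HARDWAREPROFILECHANGE", 0x7),
    0x00000040: ("SERVICE_ACCEPT_POWEREVENT", 0x8),
    0x00000080: ("SERVICE_ACCEPT_SESSIONCHANGE", 0x9),
    0x00000100: ("SERVICE_ACCEPT_PRESHUTDOWN", 0x4),
    0x00000200: ("SERVICE_ACCEPT_TIMECHANGE", 0xA),
    0x00000400: ("SERVICE_ACCEPT_TRIGGEREVENT", 0xB),
}
# SACM value of the empty-string entry that each table reserves for errors.
EMPTY_START_TYPE = ("", 0x6)
EMPTY_CURRENT_STATE = ("", 0x8)


def decode_scalar(table, dword, empty):
    """Decode a DWORD that holds exactly one value; unknown gives the empty entry."""
    return table.get(dword, empty)


def decode_bits(table, dword):
    """Decode a bit mask into its entries plus any bits the table lacks."""
    entries, remainder = [], dword
    for bit in sorted(table):
        if dword & bit:
            entries.append(table[bit])
            remainder &= ~bit
    return entries, remainder


def to_sacm_service(raw):
    """Translate one raw service record into SACM element values."""
    service_type, type_rest = decode_bits(SERVICE_TYPE_BITS, raw["dwServiceType"])
    controls, control_rest = decode_bits(CONTROLS_ACCEPTED_BITS,
                                         raw["dwControlsAccepted"])
    return {
        "serviceName": raw["serviceName"],
        "serviceType": service_type,
        "startType": decode_scalar(START_TYPES, raw["dwStartType"],
                                   EMPTY_START_TYPE),
        "currentState": decode_scalar(CURRENT_STATES, raw["dwCurrentState"],
                                      EMPTY_CURRENT_STATE),
        "controlsAccepted": controls,
        # Bits with no table entry are reported instead of silently dropped.
        "unmappedBits": {"serviceType": type_rest,
                         "controlsAccepted": control_rest},
    }


# Constructed sample record (not from a real system).
SAMPLE_SERVICE = {"serviceName": "ExampleSvc", "dwServiceType": 0x00000110,
                  "dwStartType": 0x00000002, "dwCurrentState": 0x00000004,
                  "dwControlsAccepted": 0x00000005}

if __name__ == "__main__":
    for field, value in to_sacm_service(SAMPLE_SERVICE).items():
        print(field, value)
```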





7.387.  startName

   elementId: TBD
   name: startName
   dataType: string
   status: current
   description: Specifies the account under
         which the process should run.

7.388.  serviceFlag

   elementId: TBD
   name: serviceFlag
   dataType: boolean
   status: current
   description: Specifies whether the
         service is in a system process that must always run (true)
         or if the service is in a non-system process or is not
         running (false).

7.389.  dependencies

   elementId: TBD
   name: dependencies
   dataType: string
   status: current
   description: Specifies the dependencies
         of this service on other services.

7.390.  serviceeffectiverights

   elementId: TBD
   name: serviceeffectiverights
   dataType: list
   structure: list (serviceName, trusteeSid,
         standardDelete, standardReadControl, standardWriteDac,
         standardWriteOwner, genericRead, genericWrite,
         genericExecute, serviceQueryConf, serviceChangeConf,
         serviceQueryStat, serviceEnumDependents, serviceStart,
         serviceStop, servicePause, serviceInterrogate,
         serviceUserDefined)
   status: current
   description: Stores the
         effective rights of a service that a discretionary access
         control list (DACL) structure grants to a specified
         trustee. The trustee's effective rights are determined by
         checking all access-allowed and access-denied access
         control entries (ACEs) in the DACL.

7.391.  trusteeSid

   elementId: TBD
   name: trusteeSid
   dataType: string
   status: current
   description: Specifies the SID that is
         associated with a user, group, system, or program (such as a
         Windows service).

7.392.  serviceQueryConf

   elementId: TBD
   name: serviceQueryConf
   dataType: boolean
   status: current
   description: Specifies whether or
         not permission is granted to query the service configuration.

7.393.  serviceChangeConf

   elementId: TBD
   name: serviceChangeConf
   dataType: boolean
   status: current
   description: Specifies whether or
         not permission is granted to change service configuration.

7.394.  serviceQueryStat

   elementId: TBD
   name: serviceQueryStat
   dataType: boolean
   status: current
   description: Specifies whether or
         not permission is granted to query the service control
         manager about the status of the service.

7.395.  serviceEnumDependents

   elementId: TBD
   name: serviceEnumDependents
   dataType: boolean
   status: current
   description: Specifies whether
         or not permission is granted to query for an enumeration of
         all the services dependent on the service.

7.396.  serviceStart

   elementId: TBD
   name: serviceStart
   dataType: boolean
   status: current
   description: Specifies whether or not
         permission is granted to start the service.

7.397.  serviceStop

   elementId: TBD
   name: serviceStop
   dataType: boolean
   status: current
   description: Specifies whether or not
         permission is granted to stop the service.

7.398.  servicePause

   elementId: TBD
   name: servicePause
   dataType: boolean
   status: current
   description: Specifies whether or not
         permission is granted to pause or continue the service.

7.399.  serviceInterrogate

   elementId: TBD
   name: serviceInterrogate
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
               request the service to report its status immediately.

7.400.  serviceUserDefined

   elementId: TBD
   name: serviceUserDefined
   dataType: boolean
   status: current
   description: Specifies whether or
         not permission is granted to specify a user-defined
         control code.
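
   The following added example (not part of the draft) shows how a
   collector could fill the boolean elements of Sections 7.392 to 7.400
   for one trusteeSid by walking a DACL in order, as the
   serviceeffectiverights description requires.  The Ace type, the
   function names, the pairing of element names with winsvc.h constants
   and the sample DACLs are assumptions made for illustration; generic
   rights, inherit-only ACEs and owner-implied rights are not modelled.

```python
from dataclasses import dataclass

# Windows service access rights (winsvc.h), keyed by the SACM element whose
# description matches the right. The pairing is an assumption of this example.
SERVICE_RIGHTS = {
    "serviceQueryConf": 0x0001,       # SERVICE_QUERY_CONFIG
    "serviceChangeConf": 0x0002,      # SERVICE_CHANGE_CONFIG
    "serviceQueryStat": 0x0004,       # SERVICE_QUERY_STATUS
    "serviceEnumDependents": 0x0008,  # SERVICE_ENUMERATE_DEPENDENTS
    "serviceStart": 0x0010,           # SERVICE_START
    "serviceStop": 0x0020,            # SERVICE_STOP
    "servicePause": 0x0040,           # SERVICE_PAUSE_CONTINUE
    "serviceInterrogate": 0x0080,     # SERVICE_INTERROGATE
    "serviceUserDefined": 0x0100,     # SERVICE_USER_DEFINED_CONTROL
}


@dataclass(frozen=True)
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str      # SID the ACE applies to
    mask: int     # access rights named by the ACE


def effective_mask(dacl, trustee_sids):
    """Walk the DACL in order; the first matching ACE to name a right decides it."""
    allowed = denied = 0
    for ace in dacl:
        if ace.sid not in trustee_sids:
            continue
        if ace.allow:
            allowed |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~allowed
    return allowed


def service_effective_rights(trustee_sid, group_sids, dacl):
    """Build a record keyed by the element names of Sections 7.391-7.400."""
    mask = effective_mask(dacl, {trustee_sid, *group_sids})
    record = {"trusteeSid": trustee_sid}
    for name, bit in SERVICE_RIGHTS.items():
        record[name] = bool(mask & bit)
    return record


# Constructed sample data: one user account and the groups in its token.
TRUSTEE = "S-1-5-21-1111111111-2222222222-3333333333-1001"
GROUPS = ["S-1-5-32-545", "S-1-5-11"]   # BUILTIN\Users, Authenticated Users

# Canonical ordering: the access-denied ACE comes first.
CANONICAL_DACL = [
    Ace(False, "S-1-5-32-545", 0x0002 | 0x0020),           # deny change config, stop
    Ace(True, TRUSTEE, 0x0010 | 0x0020 | 0x0040),          # allow start, stop, pause
    Ace(True, "S-1-5-11", 0x0001 | 0x0004 | 0x0008 | 0x0080),
    Ace(True, "S-1-5-32-544", 0x01FF),                     # Administrators, no match
]

# Same ACEs with the first two swapped: the allow for serviceStop now wins.
REORDERED_DACL = [CANONICAL_DACL[1], CANONICAL_DACL[0]] + CANONICAL_DACL[2:]

if __name__ == "__main__":
    for label, dacl in (("canonical", CANONICAL_DACL), ("reordered", REORDERED_DACL)):
        print(label, service_effective_rights(TRUSTEE, GROUPS, dacl))
```

   The two sample DACLs hold the same ACEs, yet serviceStop differs
   between them, which is why the evaluation has to follow ACE order
   rather than collect all denies first.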






7.401.  sharedresourceauditedpermissions

   elementId: TBD
   name: sharedresourceauditedpermissions
   dataType: list
   structure: list (netname, trusteeSid,
         standardDelete, standardReadControl, standardWriteDac,
         standardWriteOwner, standardSynchronize,
         accessSystemSecurity, genericRead, genericWrite,
         genericExecute, genericAll)
   status: current
   description: Stores
         the audited access rights of a shared resource that a system
         access control list (SACL) structure grants to a
         specified trustee. The trustee's audited access rights are
         determined by checking all access control entries (ACEs)
         in the SACL.

7.402.  netname

   elementId: TBD
   name: netname
   dataType: string
   status: current
   description: Specifies the name associated
         with a particular shared resource.

7.403.  sharedresourceeffectiverights

   elementId: TBD
   name: sharedresourceeffectiverights
   dataType: list
   structure: list (netname, trusteeSid,
         standardDelete, standardReadControl, standardWriteDac,
         standardWriteOwner, standardSynchronize,
         accessSystemSecurity, genericRead, genericWrite,
         genericExecute, genericAll)
   status: current
   description: Stores
         the effective rights of a shared resource that a
         discretionary access control list (DACL) structure grants
         to a specified trustee. The trustee's effective rights are
         determined by checking all access-allowed and access-denied
         access control entries (ACEs) in the DACL.







7.404.  user

   elementId: TBD
   name: user
   dataType: list
   structure: list (username, enabled, group, lastLogon)
   status: current
   description: Specifies the groups to which a user belongs.

7.405.  enabled

   elementId: TBD
   name: enabled
   dataType: boolean
   status: current
   description: Represents whether the
         particular user is enabled or not.

7.406.  lastLogon

   elementId: TBD
   name: lastLogon
   dataType: unsigned32
   status: current
   description: The date and time when the
         last logon occurred.

7.407.  groupSid

   elementId: TBD
   name: groupSid
   dataType: string
   status: current
   description: Represents the SID of a
         particular group. If the specified user belongs to more than
         one group, then multiple groupSid elements are
         applicable. If the specified user is not a member of any
         group, then a single groupSid element should be
         included with a status of 'does not exist'. If there is an
         error determining the groups that the user belongs to,
         then a single groupSid element should be included with a
         status of 'error'.

7.408.  endpointType

                   elementId: TBD
                   name: endpointType
                   dataType: enumeration
                   status: current
                   description: The possible types of endpoint in the
                                enterprise.
                   structure:
                   workstation; 0x1; Workstation Endpoint
                   printer;     0x2; Printer Endpoint
                   router;      0x3; Router Endpoint
                   tablet;      0x4; Tablet Endpoint

7.409.  endpointPurpose

                   elementId: TBD
                   name: endpointPurpose
                   dataType: string
                   status: current
                   description: A description of how the endpoint is
                                used within the enterprise.
                                Examples include end user system,
                                and public web server.

7.410.  endpointCriticality

                   elementId: TBD
                   name: endpointCriticality
                   dataType: string
                   status: current
                   description: An enterprise-defined rating which
                                indicates the criticality of the
                                endpoint. The rating should be
                                specific enough to assess the impact
                                to the overall enterprise if the
                                endpoint is attacked or lost.

7.411.  ingestTimestamp

                   elementId: TBD
                   name: ingestTimestamp
                   dataType: dateTimeSeconds
                   status: current
                   description: The point in time that the
                                description of a vulnerability was
                                received by the enterprise.






7.412.  vulnerabilityVersion

                   elementId: TBD
                   name: vulnerabilityVersion
                   dataType: string
                   status: current
                   description: The version or iteration of the
                                vulnerability description information
                                (reported by the author, if applicable).

7.413.  vulnerabilityExternalId

                   elementId: TBD
                   name: vulnerabilityExternalId
                   dataType: string
                   status: current
                   description: An external or third-party ID
                                assigned to the vulnerability
                                description. This could be multiple
                                IDs in some cases (e.g., vendor bug
                                ID, global ID, discoverer's local ID,
                                third-party vulnerability database
                                ID, etc.).

7.414.  vulnerabilitySeverity

                   elementId: TBD
                   name: vulnerabilitySeverity
                   dataType: string
                   status: current
                   description: The severity of the vulnerability
                                (reported by the author, if applicable).

7.415.  assessmentTimestamp

                   elementId: TBD
                   name: assessmentTimestamp
                   dataType: dateTimeSeconds
                   status: current
                   description: The point in time that the assessment
                                was performed against an endpoint.

7.416.  vulnerableSoftware

                   elementId: TBD
                   name: vulnerableSoftware
                   dataType: list
                   status: current
                   description: A listing of software products
                                installed on the endpoint which are
                                known to have vulnerabilities.
                   structure: list(softwareInstance*)

7.417.  endpointVulnerabilityStatus

                   elementId: TBD
                   name: endpointVulnerabilityStatus
                   dataType: enumeration
                   status: current
                   description: Overall vulnerability status of an
                                enterprise endpoint.
                   structure: Pass; 0x1; Endpoint passed the
                                         vulnerability test(s).
                              Fail; 0x2; Endpoint failed the
                                         vulnerability test(s).


7.418.  vulnerabilityDescription

                   elementId: TBD
                   name: vulnerabilityDescription
                   dataType: string
                   status: current
                   description: A human-readable description of the
                                vulnerability.


8.  Acknowledgements

   Many of the specifications in this document have been developed in a
   public-private partnership with vendors and end-users.  The hard work
   of the SCAP community is appreciated in advancing these efforts to
   their current level of adoption.

   Over the course of developing the initial draft, Brant Cheikes, Matt
   Hansbury, Daniel Haynes, Scott Pope, Charles Schmidt, and Steve
   Venema have contributed text to many sections of this document.








9.  IANA Considerations

   This document specifies an initial set of Information Elements for
   SACM in Section 7.  An Internet Assigned Numbers Authority (IANA)
   registry will be created and populated with the Information Elements
   in Section 7.  New assignments for SACM Information Elements will be
   administered by IANA through Expert Review [RFC2434].  The designated
   experts MUST check the requested Information Elements for
   completeness and accuracy of the submission with respect to the
   template and requirements expressed in Section 4 and Section 4.1.
   Requests for Information Elements that duplicate the functionality of
   existing Information Elements SHOULD be declined.  The smallest
   available Information Element identifier SHOULD be assigned to a new
   Information Element.  The definition of new Information Elements MUST
   be published using a well-established and persistent publication
   medium.

10.  Security Considerations

   Posture Assessments need to be performed in a safe and secure manner.
   In that regard, there are multiple aspects of security that apply to
   the communications between components as well as the capabilities
   themselves.  This information model only contains an initial listing
   of items that need to be considered with respect to security and will
   need to be augmented as the model continues to be developed.

   Security considerations include:

   Authentication:  Every SACM Component and asset needs to be able to
           identify itself and verify the identity of other SACM
           Components and assets.

   Confidentiality:  Communications between SACM Components need to be
           protected from eavesdropping or unauthorized collection.
           Some communications between SACM Components and assets may
           need to be protected as well.

   Integrity:  The information exchanged between SACM Components needs
           to be protected from modification.  Some exchanges between
           assets and SACM Components will also have this requirement.

   Restricted Access:  The information collected, evaluated, reported,
           and stored should only be viewable and consumable by
           authenticated and authorized entities.

   Considerations with respect to the operational aspects of the
   collection, evaluation, and storage of security automation
   information can be found in Section 11.



   Considerations concerning the privacy of security automation
   information can be found in Section 12.

11.  Operational Considerations

   The following sections outline a series of operational considerations
   for SACM deployments within an organization.  This section may be
   expanded to include other considerations as the WG gains additional
   operational experience with SACM deployments and with extending the
   information model.

11.1.  Endpoint Designation

   In order to successfully carry out endpoint posture assessment, it is
   necessary to be able to identify the endpoints on a network and track
   the changes to them over time.  Specifically, SACM Components need to
   be able to:

   o  Tell whether two endpoint attribute assertions concern the same
      endpoint

   o  Respond to compliance measurements, for example by reporting,
      remediating, and quarantining (SACM does not specify these
      responses, but SACM exists to enable them).

   Ideally, every endpoint would be identified by a unique identifier
   present on the endpoint, but this is complicated by factors such as
   the variety of endpoints on a network, the ability of tools to
   reliably access such an identifier, and the ability of tools to
   correlate disparate identifiers.  As a result, it is necessary for
   an endpoint to be identified by a set of attributes that uniquely
   identify it on a network.  The set of attributes that uniquely
   identify an endpoint on a network will likely vary by organization;
   however, there are a number of properties to consider when selecting
   identifying attributes, as some are better suited for identification
   purposes than others.

   Multiplicity:  Is the attribute typically associated with a single
           endpoint or with multiple endpoints?  If the attribute is
           associated with a single endpoint, it is better for
           identifying an endpoint on a network.

   Persistence:  How likely is the attribute to change?  Does it never
           change?  Does it only change when the endpoint is
           reprovisioned?  Does it only change due to an event?  Does it
           change on an ad-hoc and often unpredictable basis?  Does it
           constantly change?  The less likely it is for an attribute to
           change over time, the better it is for identifying an
           endpoint on a network.

   Immutability:  How difficult is it to change the attribute?  Is the
           attribute hardware rooted and never changes?  Can the
           attribute be changed by a user/process with the appropriate
           access?  Can the attribute be changed without controlled
           access?  The less likely an attribute is to change over time,
           the better chance it will be usable to identify an endpoint
           over time.

   Verifiable:  Can the attribute be corroborated?  Can the attribute be
           externally verified with source authentication?  Can the
           attribute be externally verified without source
           authentication?  Is it impossible to externally verify the
           attribute?  Attributes that can be externally verified are
           more likely to be accurate and are better for identifying
           endpoints on a network.

   With that said, requiring SACM Components and end users to constantly
   refer to a set of attributes to identify an endpoint is particularly
   burdensome.  As a result, SACM supports the concept of a target
   endpoint label which associates an identifier (unique to a SACM
   domain) with the set of attributes used by an organization to
   identify endpoints on a network.  Once defined for an endpoint, the
   target endpoint label can be used in place of the set of identifying
   attributes.
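
   The following added example (not part of the draft) sketches one way
   an organization could rate candidate attributes against the four
   properties above, select its identifying set, and then use a target
   endpoint label to tell whether two attribute assertions concern the
   same endpoint.  The attribute names, the 0 to 3 ratings, the
   thresholds, the label format and all sample values are assumptions
   constructed for illustration.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Rating:
    """Scores from 0 (poor) to 3 (good) for the four properties in the text."""
    multiplicity: int   # 3 = associated with exactly one endpoint
    persistence: int    # 3 = never changes
    immutability: int   # 3 = hardware rooted
    verifiable: int     # 3 = externally verifiable with source authentication

    def scores(self):
        return (self.multiplicity, self.persistence,
                self.immutability, self.verifiable)


def select_identifying(ratings, min_total=7, min_each=1):
    """Return the attribute names that are acceptable on every property."""
    return sorted(name for name, r in ratings.items()
                  if sum(r.scores()) >= min_total and min(r.scores()) >= min_each)


class LabelRegistry:
    """Associates each set of identifying attribute values with one label."""

    def __init__(self, identifying, domain="example-domain"):
        self.identifying = tuple(identifying)
        self.domain = domain            # labels are unique within this domain
        self.known = {}                 # label -> {attribute name: value}
        self.sequence = count(1)

    def label_for(self, assertion):
        """Return the label an assertion belongs to, or None if undecidable."""
        seen = {k: assertion[k] for k in self.identifying if k in assertion}
        hits = [label for label, ident in self.known.items()
                if seen and all(ident[k] == v for k, v in seen.items())]
        if len(hits) == 1:
            return hits[0]              # full or partial match on one endpoint
        if hits or len(seen) < len(self.identifying):
            return None                 # ambiguous, or too little to mint a label
        label = f"{self.domain}:endpoint-{next(self.sequence)}"
        self.known[label] = seen
        return label

    def same_endpoint(self, a, b):
        label_a, label_b = self.label_for(a), self.label_for(b)
        return label_a is not None and label_a == label_b


# Constructed ratings for four hypothetical candidate attributes.
RATINGS = {
    "hardwareSerialNumber": Rating(3, 3, 3, 1),
    "macAddress": Rating(3, 2, 1, 2),
    "hostName": Rating(2, 2, 1, 1),
    "ipv4Address": Rating(1, 0, 1, 2),   # reassigned by DHCP, shared over time
}

# Constructed assertions: an on-endpoint collector, a network observation of
# the same machine, a second machine, and a report with no identifying data.
ON_ENDPOINT = {"hardwareSerialNumber": "SN-0001",
               "macAddress": "02:00:00:00:00:01", "hostName": "ws-17"}
OFF_ENDPOINT = {"macAddress": "02:00:00:00:00:01", "ipv4Address": "192.0.2.10"}
OTHER = {"hardwareSerialNumber": "SN-0002", "macAddress": "02:00:00:00:00:02"}
IP_ONLY = {"ipv4Address": "192.0.2.10"}

if __name__ == "__main__":
    registry = LabelRegistry(select_identifying(RATINGS))
    for assertion in (ON_ENDPOINT, OFF_ENDPOINT, OTHER, IP_ONLY):
        print(registry.label_for(assertion), assertion)
```

   An assertion that carries only part of the identifying set is
   labelled when it matches exactly one known endpoint and is otherwise
   left unlabelled rather than guessed.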

11.2.  Timestamp Accuracy

   An organization will likely have different collectors deployed across
   the network that will be configured to collect posture attributes on
   varying frequencies (periodic, ad-hoc, event-driven, on endpoint, off
   endpoint, etc.).  Some collectors will detect changes as soon as they
   occur whereas others will detect them at a later point during a
   periodic scan or when an event has triggered the collection of
   posture attributes.  Furthermore, some changes will be detected on
   the endpoint and others will be observed off of the endpoint.  As a
   result of these differences, the accuracy of the timestamp associated
   with the collected information will vary.  For example, if a
   collector is only running once every 12 hours, the change probably
   happened at some point in time prior to the scan and the timestamp is
   likely not accurate.  Due to this, it is important for system
   administrators to determine if the accuracy of a timestamp is good
   enough for their intended purposes.
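
   The following added example (not part of the draft) bounds when a
   change can actually have happened, given reports from collectors
   with different collection frequencies, so that an administrator can
   test the result against a required accuracy.  The Observation type,
   its max_delay field and the sample reports are assumptions
   constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Observation:
    when: datetime         # timestamp the collector attached to its report
    value: str             # collected posture attribute value
    max_delay: timedelta   # longest time this collector can take to notice a change


def change_windows(observations):
    """Return (new_value, earliest, latest) for every observed change.

    Reports from all collectors are merged in time order. A change cannot
    predate the last report of the old value, nor the reporting collector's
    own maximum detection delay.
    """
    ordered = sorted(observations, key=lambda o: o.when)
    windows = []
    current, last_seen = ordered[0].value, ordered[0].when
    for obs in ordered[1:]:
        if obs.value != current:
            earliest = max(last_seen, obs.when - obs.max_delay)
            windows.append((obs.value, earliest, obs.when))
            current = obs.value
        last_seen = obs.when
    return windows


def accurate_enough(window, tolerance):
    """True if the uncertainty of the change time is within the tolerance."""
    _, earliest, latest = window
    return latest - earliest <= tolerance


# Constructed reports about one software version on one endpoint.
SCAN_INTERVAL = timedelta(hours=12)
PERIODIC = [
    Observation(datetime(2017, 4, 27, 0, 0), "1.0", SCAN_INTERVAL),
    Observation(datetime(2017, 4, 27, 12, 0), "1.0", SCAN_INTERVAL),
    Observation(datetime(2017, 4, 28, 0, 0), "1.1", SCAN_INTERVAL),
]
# An event-driven collector on the endpoint reports the change as it occurs.
EVENT_DRIVEN = Observation(datetime(2017, 4, 27, 15, 30), "1.1", timedelta(0))

if __name__ == "__main__":
    for name, reports in (("periodic only", PERIODIC),
                          ("with event-driven", PERIODIC + [EVENT_DRIVEN])):
        for window in change_windows(reports):
            print(name, window, accurate_enough(window, timedelta(hours=1)))
```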






12.  Privacy Considerations

   In the IETF, there are privacy concerns with respect to endpoint
   identity and monitoring.  This is especially true when the activity
   on an endpoint can be linked to a particular person.  For example, by
   correlating endpoint attributes such as usernames, certificates, etc.
   with browser activity, it may be possible to gain insight into user
   behavior and trends beyond what is required to carry out endpoint
   posture assessments.  In the hands of the wrong person, this
   information could be used to negatively influence a user's behavior
   or to plan attacks against the organization's infrastructure.

   As a result, SACM data models should incorporate a mechanism by which
   an organization can designate which endpoint attributes are
   considered sensitive with respect to privacy.  This will allow SACM
   Components to handle endpoint attributes in a manner consistent with
   the organization's privacy policies.  Furthermore, organizations
   should put the proper mechanisms in place to ensure endpoint
   attributes are protected when transmitted, stored, and accessed, so
   that only authorized parties are granted access.

   It should also be noted that some of this is often mitigated by
   organizational policies that require a user of an organization's
   network to consent to some level of monitoring in return for access
   to the network and other resources.  The information that is
   monitored and collected will vary by organization and further
   highlights the need for a mechanism by which an organization can
   specify what constitutes privacy-sensitive information for them.

13.  References

13.1.  Normative References

   [PEN]      Internet Assigned Numbers Authority, "Private Enterprise
              Numbers", July 2016, <https://www.iana.org/assignments/
              enterprise-numbers/enterprise-numbers>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

13.2.  Informative References

   [I-D.ietf-sacm-requirements]
              Cam-Winget, N. and L. Lorenzin, "Secure Automation and
              Continuous Monitoring (SACM) Requirements", draft-ietf-
              sacm-requirements-01 (work in progress), October 2014.



   [I-D.ietf-sacm-terminology]
              Waltermire, D., Montville, A., Harrington, D., and N. Cam-
              Winget, "Terminology for Security Assessment", draft-ietf-
              sacm-terminology-05 (work in progress), August 2014.

   [RFC2434]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 2434,
              DOI 10.17487/RFC2434, October 1998,
              <http://www.rfc-editor.org/info/rfc2434>.

   [RFC3580]  Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
              "IEEE 802.1X Remote Authentication Dial In User Service
              (RADIUS) Usage Guidelines", RFC 3580,
              DOI 10.17487/RFC3580, September 2003,
              <http://www.rfc-editor.org/info/rfc3580>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <http://www.rfc-editor.org/info/rfc4949>.

   [RFC5209]  Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J.
              Tardo, "Network Endpoint Assessment (NEA): Overview and
              Requirements", RFC 5209, DOI 10.17487/RFC5209, June 2008,
              <http://www.rfc-editor.org/info/rfc5209>.

   [RFC7012]  Claise, B., Ed. and B. Trammell, Ed., "Information Model
              for IP Flow Information Export (IPFIX)", RFC 7012,
              DOI 10.17487/RFC7012, September 2013,
              <http://www.rfc-editor.org/info/rfc7012>.

   [RFC7632]  Waltermire, D. and D. Harrington, "Endpoint Security
              Posture Assessment: Enterprise Use Cases", RFC 7632,
              DOI 10.17487/RFC7632, September 2015,
              <http://www.rfc-editor.org/info/rfc7632>.

Appendix A.  Change Log

A.1.  Changes in Revision 01

   Added some proposed normative text.

   For provenance:

      Added a class "Method"

      Added the produced-using relationship between an AVP and a method





      Added the produced-by relationship between a Guidance and a SACM
      Component

      Added the hosted-by relationship between a SACM Component and an
      Endpoint

   asserted-by and summarized-by have been renamed to produced-by.

   "User" is now "Account".  If a user has different credentials, SACM
   cannot know that they belong to the same user.  But, per Kim W, many
   organizations do have accounts that associate credentials.

   The multiplicity of the based-on relationships has been corrected.

   More relationships now have labels, per UML convention.

   The diagram no longer has causal arrows.  They had become redundant
   and were nonstandard clutter.

   Renamed "credential" to "identity", following industry usage.  A
   credential includes proof, such as a key or password.  A username or
   a distinguished name is called an "identity".

   Removed Session, because an endpoint's network activity is not SACM's
   initial focus.

   Removed Authorization, for the same reason.

   Added many-to-many relationship between Hardware Component and
   Endpoint, for clarity.

   Added many-to-many relationship between Software Component and
   Endpoint, for clarity.

   Added "contains" relationship between Network Interface and Network
   Interface.

   Removed relationship between Network Interface and Account.  The
   endpoint knows the identity it used to gain network access.  The PDP
   also knows that.  But they probably do not know the account.

   Added relationship between Network Interface and Identity.  The
   endpoint and the PDP will typically know the identity.

   Made identity-to-account a many-to-one relationship.






A.2.  Changes in Revision 02

   Added Section Identifying Attributes.

   Split the figure into Figure Model of Endpoint and Figure Information
   Elements.

   Added Figure Information Elements Take 2, proposing a triple-store
   model.

   Some editorial cleanup

A.3.  Changes in Revision 03

   Moved Appendix A.1, Appendix A.2, and Mapping to SACM Use Cases into
   the Appendix.  Added a reference to it in Section 1

   Added the Section 4 section.  Provided notes for the type of
   information we need to add in this section.

   Added the Section 6 section.  Moved sections on Endpoint, Hardware
   Component, Software Component, Hardware Instance, and Software
   Instance there.  Provided notes for the type of information we need
   to add in this section.

   Removed the Provenance of Information Section.  SACM is not going to
   solve provenance, but rather give organizations enough information to
   figure it out.

   Updated references to the Endpoint Security Posture Assessment:
   Enterprise Use Cases document to reflect that it was published as an
   RFC.

   Fixed the formatting of a few figures.

   Included references to [RFC3580] where RADIUS is mentioned.

A.4.  Changes in Revision 04

   Integrated the IPFIX [RFC7012] syntax into Section 4.

   Converted many of the existing SACM Information Elements to the IPFIX
   syntax.

   Included existing IPFIX Information Elements and datatypes that could
   likely be reused for SACM in Section 7 and Section 4 respectively.





   Removed the sections related to reports as described in
   https://github.com/sacmwg/draft-ietf-sacm-information-model/
   issues/30.

   Cleaned up other text throughout the document.

A.5.  Changes in Revision 05

   Merged proposed changes from the I-D IM into the WG IM
   (https://github.com/sacmwg/draft-ietf-sacm-information-model/
   issues/41).

   Fixed some formatting warnings.

   Removed a duplicate IE and added a few IE datatypes that were
   missing.

A.6.  Changes in Revision 06

   Clarified that the SACM statement and content-element subjects are
   conceptual and that they do not need to be explicitly defined in a
   data model as long as the necessary information is provided.

   Updated the IPFIX syntax used to define Information Elements.  There
   are still a couple of open issues that need to be resolved.

   Updated some of the Information Elements contained in Section 7 to
   use the revised IPFIX syntax.  The rest of the Information Elements
   will be converted in a later revision.

   Performed various clean-up and refactoring in Sections 6 and 7.
   Still need to go through Section 8.

   Removed appendices that were not referenced in the body of the draft.
   The text from them is still available in previous revisions of this
   document if needed.

A.7.  Changes in Revision 07

   Made various changes to the IPFIX syntax based on discussions at the
   IETF 96 Meeting.  Changes included the addition of a structure
   property to the IE specification template, the creation of an
   enumeration datatype, and the specification of an IE naming
   convention.

   Provided text to define Collection Guidance, Evaluation Guidance,
   Classification Guidance, Storage Guidance, and Evaluation Results.




   Included additional IEs related to software, configuration, and the
   vulnerability assessment scenario.

   Added text for the IANA considerations, security considerations,
   operational considerations, and privacy considerations sections.

   Performed various other editorial changes and clean-up.

A.8.  Changes in Revision 08

   Clarified text that describes subjects and attributes.

   Clarified text that describes SACM Statements and Content Elements.

   Removed stray metadata property fields from the definitions of
   several IEs.

   Specified a syntax for defining category IEs.

   Added an anyCategory IE that represents any IE in the IM.

   Fixed several errors reported by the Travis-CI continuous integration
   service.

   Performed various other editorial changes and clean-up.

A.9.  Changes in Revision 09

   Added "derived", "authority", and "verified" to the
   collectionTaskType IE (https://github.com/sacmwg/draft-ietf-sacm-
   information-model/issues/18).

   Updated IE examples that use content-type to use statement-type
   (https://github.com/sacmwg/draft-ietf-sacm-information-model/
   issues/56).

   Added "networkZoneLocation", "layer2NetworkLocation", and
   "layer3NetworkLocation" IEs (https://github.com/sacmwg/draft-ietf-
   sacm-information-model/issues/9).

   Created a softwareClass attribute IE and added it to the
   softwareInstance subject IE.  Also, removed the os* attribute IEs
   (https://github.com/sacmwg/draft-ietf-sacm-information-model/
   issues/10).







A.10.  Changes in Revision 10

   Added several IEs necessary for the SACM Vulnerability Assessment
   Scenario (https://github.com/sacmwg/draft-ietf-sacm-information-
   model/issues/43).

   Fixed various typos and formatting issues.

Authors' Addresses

   David Waltermire (editor)
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland  20877
   USA

   Email: david.waltermire@nist.gov


   Kim Watson
   United States Department of Homeland Security
   DHS/CS&C/FNR
   245 Murray Ln. SW, Bldg 410
   MS0613
   Washington, DC  20528
   USA

   Email: kimberly.watson@hq.dhs.gov


   Clifford Kahn
   Pulse Secure, LLC
   2700 Zanker Road, Suite 200
   San Jose, CA  95134
   USA

   Email: cliffordk@pulsesecure.net


   Lisa Lorenzin
   Pulse Secure, LLC
   2700 Zanker Road, Suite 200
   San Jose, CA  95134
   USA

   Email: llorenzin@pulsesecure.net





   Michael Cokus
   The MITRE Corporation
   903 Enterprise Parkway, Suite 200
   Hampton, VA  23666
   USA

   Email: msc@mitre.org


   Daniel Haynes
   The MITRE Corporation
   202 Burlington Road
   Bedford, MA  01730
   USA

   Email: dhaynes@mitre.org


   Henk Birkholz
   Fraunhofer SIT
   Rheinstrasse 75
   Darmstadt  64295
   Germany

   Email: henk.birkholz@sit.fraunhofer.de

























