SACM                                                  D. Waltermire, Ed.
Internet-Draft                                                      NIST
Intended status: Standards Track                               K. Watson
Expires: March 13, 2017                                              DHS
                                                                 C. Kahn
                                                             L. Lorenzin
                                                       Pulse Secure, LLC
                                                                M. Cokus
                                                               D. Haynes
                                                   The MITRE Corporation
                                                             H. Birkholz
                                                          Fraunhofer SIT
                                                       September 9, 2016

                         SACM Information Model
                  draft-ietf-sacm-information-model-07

Abstract

   This document defines the Information Elements that are transported
   between SACM components and their interconnected relationships.  The
   primary purpose of the Security Automation and Continuous Monitoring
   (SACM) Information Model is to ensure the interoperability of
   corresponding SACM data models and to address the use cases defined
   by SACM.  The Information Elements and corresponding types are
   maintained in the IANA "SACM Information Elements" registry.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 13, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
     2.1.  Requirements Language
     2.2.  Information Element Examples
   3.  Information Elements
     3.1.  Context of Information Elements
     3.2.  Extensibility of Information Elements
   4.  Structure of Information Elements
     4.1.  Information Element Naming Convention
     4.2.  Content Elements
     4.3.  SACM Statements
     4.4.  Relationships
     4.5.  Event
     4.6.  Categories
   5.  Abstract Data Types
     5.1.  Simple Datatypes
       5.1.1.  IPFIX Datatypes
     5.2.  Structured Datatypes
       5.2.1.  List Datatypes
       5.2.2.  Enumeration Datatype
   6.  Information Model Assets
     6.1.  Asset
     6.2.  Endpoint
     6.3.  Hardware Component
     6.4.  Software Component
       6.4.1.  Software Instance
     6.5.  Identity
     6.6.  Guidance
       6.6.1.  Collection Guidance
       6.6.2.  Evaluation Guidance
       6.6.3.  Classification Guidance
       6.6.4.  Storage Guidance
       6.6.5.  Evaluation Results
   7.  Information Model Elements
     7.1.  accessPrivilegeType
     7.2.  accountName
     7.3.  administrativeDomainType
     7.4.  addressAssociationType
     7.5.  addressMaskValue
     7.6.  addressType
     7.7.  addressValue
     7.8.  applicationComponent
     7.9.  applicationLabel
     7.10. applicationType
     7.11. applicationManufacturer
     7.12. authenticator
     7.13. authenticationType
     7.14. birthdate
     7.15. bytesReceived
     7.16. bytesSent
     7.17. bytesSent
     7.18. certificate
     7.19. collectionTaskType
     7.20. confidence
     7.21. contentAction
     7.22. countryCode
     7.23. dataOrigin
     7.24. dataSource
     7.25. default-depth
     7.26. discoverer
     7.27. emailAddress
     7.28. eventType
     7.29. eventThreshold
     7.30. eventThresholdName
     7.31. eventTrigger
     7.32. eventTrigger
     7.33. firmwareId
     7.34. hostName
     7.35. interfaceLabel
     7.36. ipv6AddressSubnetMask
     7.37. ipv6AddressSubnetMaskCidrNotation
     7.38. ipv6AddressValue
     7.39. ipv4AddressSubnetMask
     7.40. ipv4AddressSubnetMaskCidrNotation
     7.41. ipv4AddressValue
     7.42. layer2InterfaceType
     7.43. layer4PortAddress
     7.44. layer4Protocol
     7.45. locationName
     7.46. macAddressValue
     7.47. methodLabel
     7.48. methodRepository
     7.49. networkAccessLevelType
     7.50. networkId
     7.51. networkInterfaceName
     7.52. networkLayer
     7.53. networkName
     7.54. organizationId
     7.55. osComponent
     7.56. osLabel
     7.57. osName
     7.58. osType
     7.59. osVersion
     7.60. patchId
     7.61. patchName
     7.62. personFirstName
     7.63. personLastName
     7.64. personMiddleName
     7.65. phoneNumber
     7.66. phoneNumberType
     7.67. privilegeName
     7.68. privilegeValue
     7.69. protocol
     7.70. publicKey
     7.71. relationshipContentElementGuid
     7.72. relationshipStatementElementGuid
     7.73. relationshipObjectLabel
     7.74. relationshipType
     7.75. roleName
     7.76. sessionStateType
     7.77. statementGuid
     7.78. statementType
     7.79. status
     7.80. subAdministrativeDomain
     7.81. subInterfaceLabel
     7.82. superAdministrativeDomain
     7.83. superInterfaceLabel
     7.84. teAssessmentState
     7.85. teLabel
     7.86. teId
     7.87. timestampType
     7.88. unitsReceived
     7.89. unitsSent
     7.90. username
     7.91. userDirectory
     7.92. userId
     7.93. webSite
     7.94. WGS84Longitude
     7.95. WGS84Latitude
     7.96. WGS84Altitude
     7.97. hardwareSerialNumber
     7.98. interfaceName
     7.99. interfaceIndex
     7.100. interfaceMacAddress
     7.101. interfaceType
     7.102. interfaceFlags
     7.103. networkInterface
     7.104. softwareIdentifier
     7.105. softwareTitle
     7.106. softwareCreator
     7.107. simpleSoftwareVersion
     7.108. rpmSoftwareVersion
     7.109. ciscoTrainSoftwareVersion
     7.110. softwareVersion
     7.111. lastUpdated
     7.112. softwareInstance
     7.113. globallyUniqueIdentifier
     7.114. dataOrigin
     7.115. dataSource
     7.116. creationTimestamp
     7.117. collectionTimestamp
     7.118. publicationTimestamp
     7.119. relayTimestamp
     7.120. storageTimestamp
     7.121. type
     7.122. protocolIdentifier
     7.123. sourceTransportPort
     7.124. sourceIPv4PrefixLength
     7.125. ingressInterface
     7.126. destinationTransportPort
     7.127. sourceIPv6PrefixLength
     7.128. sourceIPv4Prefix
     7.129. destinationIPv4Prefix
     7.130. sourceMacAddress
     7.131. ipVersion
     7.132. interfaceDescription
     7.133. applicationDescription
     7.134. applicationId
     7.135. applicationName
     7.136. exporterIPv4Address
     7.137. exporterIPv6Address
     7.138. portId
     7.139. templateId
     7.140. collectorIPv4Address
     7.141. collectorIPv6Address
     7.142. informationElementIndex
     7.143. informationElementId
     7.144. informationElementDataType
     7.145. informationElementDescription
     7.146. informationElementName
     7.147. informationElementRangeBegin
     7.148. informationElementRangeEnd
     7.149. informationElementSemantics
     7.150. informationElementUnits
     7.151. userName
     7.152. applicationCategoryName
     7.153. mibObjectValueInteger
     7.154. mibObjectValueOctetString
     7.155. mibObjectValueOID
     7.156. mibObjectValueBits
     7.157. mibObjectValueIPAddress
     7.158. mibObjectValueCounter
     7.159. mibObjectValueGauge
     7.160. mibObjectValueTimeTicks
     7.161. mibObjectValueUnsigned
     7.162. mibObjectValueTable
     7.163. mibObjectValueRow
     7.164. mibObjectIdentifier
     7.165. mibSubIdentifier
     7.166. mibIndexIndicator
     7.167. mibCaptureTimeSemantics
     7.168. mibContextEngineID
     7.169. mibContextName
     7.170. mibObjectName
     7.171. mibObjectDescription
     7.172. mibObjectSyntax
     7.173. mibModuleName
     7.174. interface
     7.175. interfaceName
     7.176. iflisteners
     7.177. physicalProtocol
     7.178. hwAddress
     7.179. programName
     7.180. userId
     7.181. inetlisteningserver
     7.182. transportProtocol
     7.183. localAddress
     7.184. localPort
     7.185. localFullAddress
     7.186. foreignAddress
     7.187. foreignFullAddress
     7.188. selinuxboolean
     7.189. selinuxName
     7.190. currentStatus
     7.191. pendingStatus
     7.192. selinuxsecuritycontext
     7.193. filepath
     7.194. path
     7.195. filename
     7.196. pid
     7.197. role
     7.198. domainType
     7.199. lowSensitivity
     7.200. lowCategory
     7.201. highSensitivity
     7.202. highCategory
     7.203. rawlowSensitivity
     7.204. rawlowCategory
     7.205. rawhighSensitivity
     7.206. rawhighCategory
     7.207. systemdunitdependency
     7.208. unit
     7.209. dependency
     7.210. systemdunitproperty
     7.211. property
     7.212. systemdunitValue
     7.213. file
     7.214. fileType
     7.215. groupId
     7.216. aTime
     7.217. changeTime
     7.218. mTime
     7.219. size
     7.220. suid
     7.221. sgid
     7.222. sticky
     7.223. hasExtendedAcl
     7.224. inetd
     7.225. serverProgram
     7.226. endpointType
     7.227. execAsUser
     7.228. waitStatus
     7.229. inetAddr
     7.230. netmask
     7.231. passwordInfo
     7.232. username
     7.233. password
     7.234. gcos
     7.235. homeDir
     7.236. loginShell
     7.237. lastLogin
     7.238. process
     7.239. commandLine
     7.240. ppid
     7.241. priority
     7.242. startTime
     7.243. routingtable
     7.244. destination
     7.245. gateway
     7.246. runlevelInfo
     7.247. runlevel
     7.248. start
     7.249. kill
     7.250. shadowItem
     7.251. chgLst
     7.252. chgAllow
     7.253. chgReq
     7.254. expWarn
     7.255. expInact
     7.256. expDate
     7.257. encryptMethod
     7.258. symlink
     7.259. symlinkFilepath
     7.260. canonicalPath
     7.261. sysctl
     7.262. kernelParameterName
     7.263. kernelParameterValue
     7.264. uname
     7.265. machineClass
     7.266. nodeName
     7.267. osName
     7.268. osRelease
     7.269. osVersion
     7.270. processorType
     7.271. internetService
     7.272. serviceProtocol
     7.273. serviceName
     7.274. flags
     7.275. noAccess
     7.276. onlyFrom
     7.277. port
     7.278. server
     7.279. serverArguments
     7.280. socketType
     7.281. registeredServiceType
     7.282. wait
     7.283. disabled
     7.284. windowsView
     7.285. fileauditedpermissions
     7.286. trusteeName
     7.287. auditStandardDelete
     7.288. auditStandardReadControl
     7.289. auditStandardWriteDac
     7.290. auditStandardWriteOwner
     7.291. auditStandardSynchronize
     7.292. auditAccessSystemSecurity
     7.293. auditGenericRead
     7.294. auditGenericWrite
     7.295. auditGenericExecute
     7.296. auditGenericAll
     7.297. auditFileReadData
     7.298. auditFileWriteData
     7.299. auditFileAppendData
     7.300. auditFileReadEa
     7.301. auditFileWriteEa
     7.302. auditFileExecute
     7.303. auditFileDeleteChild
     7.304. auditFileReadAttributes
     7.305. auditFileWriteAttributes
     7.306. fileeffectiverights
     7.307. standardDelete
     7.308. standardReadControl
     7.309. standardWriteDac
     7.310. standardWriteOwner
     7.311. standardSynchronize
     7.312. accessSystemSecurity
     7.313. genericRead
     7.314. genericWrite
     7.315. genericExecute
     7.316. genericAll
     7.317. fileReadData
     7.318. fileWriteData
     7.319. fileAppendData
     7.320. fileReadEa
     7.321. fileWriteEa
     7.322. fileExecute
     7.323. fileDeleteChild
     7.324. fileReadAttributes
     7.325. fileWriteAttributes
     7.326. groupInfo
     7.327. group
     7.328. user
     7.329. subgroup
     7.330. groupSidInfo
     7.331. userSidInfo
     7.332. userSid
     7.333. subgroupSid
     7.334. lockoutpolicy
     7.335. forceLogoff
     7.336. lockoutDuration  . . . . . . . . . . . . . . . . . . . . 118
     7.337. lockoutObservationWindow . . . . . . . . . . . . . . . . 119
     7.338. lockoutThreshold . . . . . . . . . . . . . . . . . . . . 119
     7.339. passwordpolicy . . . . . . . . . . . . . . . . . . . . . 119
     7.340. maxPasswdAge . . . . . . . . . . . . . . . . . . . . . . 119
     7.341. minPasswdAge . . . . . . . . . . . . . . . . . . . . . . 120
     7.342. minPasswdLen . . . . . . . . . . . . . . . . . . . . . . 120
     7.343. passwordHistLen  . . . . . . . . . . . . . . . . . . . . 120
     7.344. passwordComplexity . . . . . . . . . . . . . . . . . . . 120
     7.345. reversibleEncryption . . . . . . . . . . . . . . . . . . 120
     7.346. portInfo . . . . . . . . . . . . . . . . . . . . . . . . 121
     7.347. foreignPort  . . . . . . . . . . . . . . . . . . . . . . 121
     7.348. printereffectiverights . . . . . . . . . . . . . . . . . 121
     7.349. printerName  . . . . . . . . . . . . . . . . . . . . . . 122
     7.350. printerAccessAdminister  . . . . . . . . . . . . . . . . 122
     7.351. printerAccessUse . . . . . . . . . . . . . . . . . . . . 122
     7.352. jobAccessAdminister  . . . . . . . . . . . . . . . . . . 122
     7.353. jobAccessRead  . . . . . . . . . . . . . . . . . . . . . 122
     7.354. registry . . . . . . . . . . . . . . . . . . . . . . . . 122
     7.355. hive . . . . . . . . . . . . . . . . . . . . . . . . . . 123
     7.356. registryKey  . . . . . . . . . . . . . . . . . . . . . . 123
     7.357. registryKeyName  . . . . . . . . . . . . . . . . . . . . 124
     7.358. lastWriteTime  . . . . . . . . . . . . . . . . . . . . . 124
     7.359. registryKeyType  . . . . . . . . . . . . . . . . . . . . 124
     7.360. registryKeyValue . . . . . . . . . . . . . . . . . . . . 125
     7.361. regkeyauditedpermissions . . . . . . . . . . . . . . . . 126
     7.362. auditKeyQueryValue . . . . . . . . . . . . . . . . . . . 127
     7.363. auditKeySetValue . . . . . . . . . . . . . . . . . . . . 127
     7.364. auditKeyCreateSubKey . . . . . . . . . . . . . . . . . . 128
     7.365. auditKeyEnumerateSubKeys . . . . . . . . . . . . . . . . 128
     7.366. auditKeyNotify . . . . . . . . . . . . . . . . . . . . . 129
     7.367. auditKeyCreateLink . . . . . . . . . . . . . . . . . . . 129
     7.368. auditKeyWow6464Key . . . . . . . . . . . . . . . . . . . 130
     7.369. auditKeyWow6432Key . . . . . . . . . . . . . . . . . . . 130
     7.370. auditKeyWow64Res . . . . . . . . . . . . . . . . . . . . 131
     7.371. regkeyeffectiverights  . . . . . . . . . . . . . . . . . 131
     7.372. keyQueryValue  . . . . . . . . . . . . . . . . . . . . . 132
     7.373. keySetValue  . . . . . . . . . . . . . . . . . . . . . . 132
     7.374. keyCreateSubKey  . . . . . . . . . . . . . . . . . . . . 132
     7.375. keyEnumerateSubKeys  . . . . . . . . . . . . . . . . . . 133
     7.376. keyNotify  . . . . . . . . . . . . . . . . . . . . . . . 133
     7.377. keyCreateLink  . . . . . . . . . . . . . . . . . . . . . 133
     7.378. keyWow6464Key  . . . . . . . . . . . . . . . . . . . . . 133
     7.379. keyWow6432Key  . . . . . . . . . . . . . . . . . . . . . 133
     7.380. keyWow64Res  . . . . . . . . . . . . . . . . . . . . . . 133
     7.381. service  . . . . . . . . . . . . . . . . . . . . . . . . 134
     7.382. displayName  . . . . . . . . . . . . . . . . . . . . . . 134
     7.383. description  . . . . . . . . . . . . . . . . . . . . . . 134
     7.384. serviceType  . . . . . . . . . . . . . . . . . . . . . . 134
     7.385. startType  . . . . . . . . . . . . . . . . . . . . . . . 135
     7.386. currentState . . . . . . . . . . . . . . . . . . . . . . 136
     7.387. controlsAccepted . . . . . . . . . . . . . . . . . . . . 137
     7.388. startName  . . . . . . . . . . . . . . . . . . . . . . . 139
     7.389. serviceFlag  . . . . . . . . . . . . . . . . . . . . . . 139
     7.390. dependencies . . . . . . . . . . . . . . . . . . . . . . 139
     7.391. serviceeffectiverights . . . . . . . . . . . . . . . . . 139
     7.392. trusteeSid . . . . . . . . . . . . . . . . . . . . . . . 140
     7.393. serviceQueryConf . . . . . . . . . . . . . . . . . . . . 140
     7.394. serviceChangeConf  . . . . . . . . . . . . . . . . . . . 140
     7.395. serviceQueryStat . . . . . . . . . . . . . . . . . . . . 140
     7.396. serviceEnumDependents  . . . . . . . . . . . . . . . . . 140
     7.397. serviceStart . . . . . . . . . . . . . . . . . . . . . . 141
     7.398. serviceStop  . . . . . . . . . . . . . . . . . . . . . . 141
     7.399. servicePause . . . . . . . . . . . . . . . . . . . . . . 141
     7.400. serviceInterrogate . . . . . . . . . . . . . . . . . . . 141
     7.401. serviceUserDefined . . . . . . . . . . . . . . . . . . . 141
     7.402. sharedresourceauditedpermissions . . . . . . . . . . . . 142
     7.403. netname  . . . . . . . . . . . . . . . . . . . . . . . . 142
     7.404. sharedresourceeffectiverights  . . . . . . . . . . . . . 142
     7.405. user . . . . . . . . . . . . . . . . . . . . . . . . . . 143
     7.406. enabled  . . . . . . . . . . . . . . . . . . . . . . . . 143
     7.407. lastLogon  . . . . . . . . . . . . . . . . . . . . . . . 143
     7.408. groupSid . . . . . . . . . . . . . . . . . . . . . . . . 143
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . 143
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . 144
   10. Security Considerations . . . . . . . . . . . . . . . . . . . 144
   11. Operational Considerations  . . . . . . . . . . . . . . . . . 145
     11.1.  Endpoint Designation . . . . . . . . . . . . . . . . . . 145
     11.2.  Timestamp Accuracy . . . . . . . . . . . . . . . . . . . 146
   12. Privacy Considerations  . . . . . . . . . . . . . . . . . . . 147
   13. References  . . . . . . . . . . . . . . . . . . . . . . . . . 147
     13.1.  Normative References . . . . . . . . . . . . . . . . . . 147
     13.2.  Informative References . . . . . . . . . . . . . . . . . 148
   Appendix A.  Change Log . . . . . . . . . . . . . . . . . . . . . 149
     A.1.  Changes in Revision 01  . . . . . . . . . . . . . . . . . 149
     A.2.  Changes in Revision 02  . . . . . . . . . . . . . . . . . 150
     A.3.  Changes in Revision 03  . . . . . . . . . . . . . . . . . 150
     A.4.  Changes in Revision 04  . . . . . . . . . . . . . . . . . 151
     A.5.  Changes in Revision 05  . . . . . . . . . . . . . . . . . 151
     A.6.  Changes in Revision 06  . . . . . . . . . . . . . . . . . 151
     A.7.  Changes in Revision 07  . . . . . . . . . . . . . . . . . 152
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . 152

1.  Introduction

   The SACM Information Model (IM) serves multiple purposes:

   o  to ensure interoperability between SACM data models that are used
      as transport encodings,

   o  to provide a standardized set of Information Elements - the SACM
      Vocabulary - to enable the exchange of content vital to automated
      security posture assessment, and

   o  to enable secure information sharing in a scalable and extensible
      fashion in order to support the tasks conducted by SACM
      components.

   A complete set of requirements imposed on the IM can be found in
   [I-D.ietf-sacm-requirements].  The SACM IM is intended to be used for
   standardized data exchange between SACM components (data in motion).
   Nevertheless, the Information Elements (IE) and their relationships
   defined in this document can be leveraged to create and align
   corresponding data models for data at rest.

   The information model expresses, for example, target endpoint (TE)
   attributes, guidance, and evaluation results.  The corresponding
   Information Elements are consumed and produced by SACM components as
   they carry out tasks.

   The primary tasks that this information model supports (on data,
   control, and management plane) are:

   o  TE Discovery

   o  TE Characterization

   o  TE Classification

   o  Collection

   o  Evaluation

   o  Information Sharing

   o  SACM Component Discovery

   o  SACM Component Authentication

   o  SACM Component Authorization

   o  SACM Component Registration

   These tasks are defined in [I-D.ietf-sacm-terminology].

2.  Conventions used in this document

2.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.2.  Information Element Examples

   The notation used to define the SACM Information Elements (IEs) is
   based on a customized version of the IPFIX information model syntax
   [RFC7012] which is described in Figure 2.  However, there are several
   examples presented throughout the document that use a simplified
   pseudo-code to illustrate the basic structure.  It should be noted
   that while they include actual names of subjects and attributes as
   well as values, they are not intended to influence how corresponding
   SACM IEs should be defined in Section 7.  The examples are provided
   for demonstration purposes only.

3.  Information Elements

   The IEs defined in this document are the building blocks from which
   all SACM content is composed.  They are consumed and provided by SACM
   components on the data plane.  Every Information Element has a unique
   label: its name.  Every type of IE defined by the SACM IM is
   registered as a type in the IANA registry, and SACM data models can
   refer to an IE by the integer index assigned to it in the IANA SMI
   number tables.

3.1.  Context of Information Elements

   The IEs in this information model represent information related to
   assets in the following areas (based on the use cases described in
   [RFC7632]):

   o  Endpoint Management

   o  Software Inventory Management

   o  Hardware Inventory Management

   o  Configuration Management

   o  Vulnerability Management

3.2.  Extensibility of Information Elements

   A SACM data model based on this information model MAY include
   additional Information Elements that are not defined here.  The
   labels of such additional Information Elements MUST NOT conflict with
   the labels of the Information Elements defined by this information
   model, and MUST NOT conflict with each other, whether within one data
   model or across multiple data models.  To avoid such collisions, the
   labels of additional IEs SHOULD carry a prefix.  The prefix MUST
   include an organizational identifier; it MAY, for example, be an IANA
   enterprise number, a (partial) namespace URI, or an organization name
   abbreviation.

4.  Structure of Information Elements

   There are two basic types of IEs:

   o  Attributes: an instance of an attribute type is the simplest IE
      structure comprised of a unique attribute name and an attribute
      value.

   o  Subjects: a subject is a richer structure that has a unique
      subject name and one or more attributes or subjects.  In essence,
      instances of a subject type are defined (and differentiated) by
      the attribute values and subjects associated with it.

          hostname = "arbutus"

          coordinates = (
            latitude = N27.99619,
            longitude = E86.92761
          )

          Figure 1: Example instance of an attribute and subject.

   In general, every piece of information that enables security posture
   assessment or further enriches the quality of the assessment process
   can be associated with metadata.  In the SACM IM, metadata is
   represented by specific subjects and is bundled with other attributes
   or subjects to provide additional information about them.  The IM
   explicitly defines two kinds of metadata:

   o  Metadata focusing on the data origin (the SACM component that
      provides the information to the SACM domain)

   o  Metadata focusing on the data source (the target endpoint that is
      assessed)

   Metadata can also include relationships that refer to other
   associated IEs (or SACM content in general) by using referencing
   labels that have to be included in the metadata of the associated IE.

   Subjects can be nested, and the SACM IM allows subject definitions to
   be recursive (a subject type may, directly or indirectly, contain a
   subject of its own type).  The association of IEs via nesting results
   in a tree-like structure wherein subjects form the root and
   intermediary nodes and attributes form the leaves of the tree.  This
   semantic structure does not impose a specific structure on SACM data
   models regarding data in motion or data repository schemata for data
   at rest.

   The SACM IM provides two conceptual top-level subjects that are used
   to ensure a homogeneous structure for SACM content and its associated
   metadata: SACM statements and SACM content-elements.  Every set of
   IEs that is provided by a SACM component must provide the information
   contained in these two subjects although it is up to the implementer
   whether or not the subjects are explicitly defined in a data model.

   The notation in which the SACM IM is defined is based on a modified
   version of the IP Flow Information Export (IPFIX) Information Model
   syntax described in Section 2.1 of [RFC7012].  The customized syntax
   used by the SACM IM is defined below in Figure 2.

       elementId (required):    The numeric identifier of the
                                Information Element. It is used
                                for the compact identification
                                of an Information Element. If
                                this identifier is used without
                                an enterpriseId, then the
                                elementId must be unique, and
                                the description of allowed values
                                is administered by IANA. The
                                value "TBD" may be used during
                                development of the information
                                model until an elementId is
                                assigned by IANA and filled
                                in at publication time.

       enterpriseId (optional): Enterprises may wish to define
                                Information Elements without
                                registering them with IANA, for
                                example, for enterprise-internal
                                purposes.  For such Information
                                Elements, the elementId is
                                not sufficient when used
                                outside the enterprise. If
                                specifications of enterprise-
                                specific Information Elements
                                are made public and/or if
                                enterprise-specific identifiers
                                are used by SACM components
                                outside the enterprise, then the
                                enterprise-specific identifier
                                MUST be made globally unique by
                                combining it with an enterprise
                                identifier.  Valid values for the
                                enterpriseId are defined by IANA
                                as Structure of Management
                                Information (SMI) network management
                                private enterprise numbers.

       name (required):         A unique and meaningful name for
                                the Information Element.

       dataType (required):     There are two kinds of datatypes:
                                simple and structured. Attributes are
                                defined using simple datatypes
                                and subjects are defined using
                                structured datatypes. The contents of
                                the datatype field will be either
                                a reference to one of the simple
                                datatypes listed in Section
                                5.1, or the specification of
                                structured datatype as defined in
                                Section 5.2.

       status (required):       The status of the specification
                                of the Information Element.
                                Allowed values are "current" and
                                "deprecated". All newly defined
                                Information Elements have "current"
                                status. The process for moving
                                Information Elements to the
                                "deprecated" status is TBD.

       description (required): Describes the meaning of the
                               Information Element, how it is
                               derived, conditions for its use,
                               etc.

       structure (optional):   A parsable property that provides
                               details about the definition of
                               structured Information Elements as
                               described in Section 5.2.

       references (optional):  Identifies other RFCs or documents
                               outside the IETF which provide
                               additional information or context
                               about the Information Element.

           Figure 2: Information Element Specification Template

4.1.  Information Element Naming Convention

   SACM Information Elements must adhere to the following naming
   conventions.

   o  Names SHOULD be descriptive.

   o  Names MUST be unique within the SACM registry.  Enterprise-
      specific names SHOULD be prefixed with a Private Enterprise Number
      [PEN].

   o  Names MUST start with a lowercase letter unless the name begins
      with a Private Enterprise Number.

   o  Composed names MUST capitalize the first letter of each subsequent
      part (e.g. registryKeyName).
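
   The following is an added example, not code from this document or
   from the SACM working group: a small checker that applies the naming
   conventions above to candidate IE names before they are admitted to a
   registry.  Two points are assumptions of the example, not of the IM:
   the syntax for attaching a Private Enterprise Number (taken here as
   "<PEN>:<localName>", decimal PEN and a colon), and that the local name
   after such a prefix is held to the same lowercase/camelCase rule.

```python
"""Added example (not from the draft): a checker for the Section 4.1 naming
conventions of SACM Information Element names.  The draft does not fix how
a Private Enterprise Number is attached to a name; this example assumes the
form "<PEN>:<localName>" and holds the local name to the same rule.  Both
are assumptions of this example."""
import re

# Unprefixed names: start with a lowercase letter; each further part of a
# composed name starts with one capital letter (e.g. registryKeyName).
_CAMEL = re.compile(r"^[a-z][a-z0-9]*(?:[A-Z][a-z0-9]*)*$")
# Assumed enterprise-specific form, e.g. "32473:vendorPatchLevel".
_PEN_PREFIXED = re.compile(r"^([1-9][0-9]*):(.+)$")


def check_name(name, registry):
    """Return the list of convention violations for `name`, given the names
    already in `registry`; an empty list means the name is acceptable."""
    problems = []
    m = _PEN_PREFIXED.match(name)
    local = m.group(2) if m else name
    if not local[:1].islower():
        problems.append("must start with a lowercase letter")
    elif not _CAMEL.match(local):
        problems.append("composed names capitalise the first letter of "
                        "each part and contain no separators")
    if name in registry:
        problems.append("not unique within the registry")
    return problems


def register(names):
    """Admit names one by one, the way a registry would.  Returns a list of
    (name, problems) pairs; a name with no problems has been registered."""
    registry, report = set(), []
    for name in names:
        problems = check_name(name, registry)
        report.append((name, problems))
        if not problems:
            registry.add(name)
    return report


if __name__ == "__main__":
    # constructed candidates: valid, wrong case, separator, PEN form, duplicate
    for name, problems in register(["hostname", "registryKeyName", "Hostname",
                                    "registry_key", "32473:vendorPatchLevel",
                                    "hostname"]):
        print(name, problems or "ok")
```

   Rejecting a duplicate at registration time is what makes the
   uniqueness rule enforceable; checking camelCase only on the local
   part lets a PEN-prefixed name begin with a digit, as the third bullet
   above permits.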

4.2.  SACM Content Elements

   Every piece of information that is provided by a SACM component is
   always associated with a set of metadata, for example, the timestamp
   at which this set of information was produced (e.g. by a collection
   task) or which target endpoint this set of information is about (e.g.
   the data-source or a target endpoint identifier, respectively).  The
   subject that associates content IEs with their content-metadata IEs
   is called a content-element.  Content metadata can also include
   relationships that express associations with other content-elements.

               content-element = (
                 content-metadata = (
                   collection-timestamp = 146193322,
                   data-source = fb02e551-7101-4e68-8dec-1fde6bd10981
                 ),
                 hostname = "arbutus",
                  coordinates = (
                    latitude = N27.99619,
                    longitude = E86.92761
                  )
               )

   Figure 3: Example set of IEs associated with a timestamp and a target
                              endpoint label.

4.3.  SACM Statements

   One or more SACM content elements are bundled in a SACM statement.
   In contrast to content-metadata, statement-metadata focuses on the
   providing SACM component instead of the target endpoint that the
   content is about.  The only content-specific metadata included in the
   SACM statement is the content-type IE.  Therefore, multiple content-
   elements that share the same statement metadata and are of the same
   content-type can be included in a single SACM statement.  A SACM
   statement functions similarly to an envelope or a header.  Its
   purpose is to enable the tracking of the origin of data inside a SACM
   domain and, more importantly, to enable the mitigation of conflicting
   information that may originate from different SACM components.  How a
   consuming SACM component actually deals with conflicting information
   is out-of-scope of the SACM IM.  Semantically, the term statement
   implies that the SACM content provided by a SACM component might not
   be correct in every context, but rather is the result of a best-
   effort to produce correct information.

               sacm-statement = (
                 statement-metadata = (
                   publish-timestamp = 1461934031,
                   data-origin = 24e67957-3d31-4878-8892-da2b35e121c2,
                   content-type = observation
                 ),
                 content-element = (
                   content-metadata = (
                     collection-timestamp = 146193322,
                     data-source = fb02e551-7101-4e68-8dec-1fde6bd10981
                   ),
                   hostname = "arbutus"
                 )
               )

      Figure 4: Example of a simple SACM statement including a single
                             content-element.

               sacm-statement = (
                 statement-metadata = (
                   publish-timestamp = 1461934031,
                    data-origin = 24e67957-3d31-4878-8892-da2b35e121c2,
                   content-type = observation
                 ),
                 content-element = (
                   content-metadata = (
                     collection-timestamp = 146193322,
                     data-source = fb02e551-7101-4e68-8dec-1fde6bd10981
                   ),
                   coordinates = (
                     latitude = N27.99619,
                     longitude = E86.92761
                   )
                 )
               )

               sacm-statement = (
                 statement-metadata = (
                   publish-timestamp = 1461934744,
                   data-origin = e42885a1-0270-44e9-bb5c-865cf6bd4800,
                   content-type = observation
                 ),
                 content-element = (
                   content-metadata = (
                     collection-timestamp = 146193821,
                     te-label = fb02e551-7101-4e68-8dec-1fde6bd10981
                   ),
                   coordinates = (
                     latitude = N16.67622,
                     longitude = E141.55321
                   )
                 )
               )

       Figure 5: Example of conflicting information originating from
                        different SACM components.

4.4.  Relationships

   An IE can be associated with another IE, e.g. a user-name attribute
   can be associated with a content-authorization subject.  These
   references are expressed via the relationships subject, which can be
   included in a corresponding content-metadata subject.  The
   relationships subject includes a list of one or more references.  The
   SACM IM does not require a SACM domain to use unique identifiers as
   references.  Therefore, there are at least two ways to reference
   another content-element:

   o  The value of a reference represents a specific content-label that
      is unique in a SACM domain (and has to be included in the
      corresponding content-element metadata in order to be referenced),
      or

   o  The reference is a subject that includes an appropriate number of
      IEs in order to identify the referenced content-element by its
      actual content.

   It is recommended to provide unique identifiers in a SACM domain, and
   the SACM IM refers to the naming convention in Section 4.1 for this
   purpose.  The alternative highlighted above summarizes a valid
   approach that does not require unique identifiers and is similar to
   the approach of referencing target endpoints via identifying
   attributes included in a characterization record.

               content-element = (
                 content-metadata = (
                   collection-timestamp = 1461934031,
                    te-label = fb02e551-7101-4e68-8dec-1fde6bd10981,
                   relationships = (
                     associated-with-user-account =
                     f3d70ef4-7e18-42af-a894-8955ba87c95d
                   )
                 ),
                 hostname = "arbutus"
               )

               content-element = (
                 content-metadata = (
                   content-label = f3d70ef4-7e18-42af-a894-8955ba87c95d
                 ),
                 user-account = (
                    username = romeo,
                   authentication = local
                 )
               )

    Figure 6: Example instance of a content-element subject associated
              with another subject via its content metadata.
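
   The following is an added example and not code from this document: it
   renders the pseudo-code of Figures 3 to 6 as Python dictionaries and
   shows two things a consuming component does with statement and
   content metadata, namely detecting the kind of conflict shown in
   Figure 5 (two data-origins reporting different values for the same IE
   of the same target endpoint) and resolving the content-label
   references of Section 4.4.  The dictionary layout, the list of
   content-elements per statement, and the treatment of data-source and
   te-label as the same key (the figures use both names for the target
   endpoint reference) are assumptions of the example; the sample
   statements are constructed after the figures.

```python
"""Added example (not code from the draft): a dict rendering of Figures 3-6
with a conflict check across statements (Section 4.3) and resolution of
content-label references (Section 4.4).  Assumptions: subjects are dicts,
attributes are scalars, a statement carries its content-elements in a list,
and data-source / te-label are both accepted as the target-endpoint key."""
from collections import defaultdict

# Constructed sample data modelled on Figures 5 and 6: two components
# (different data-origin) report on the same target endpoint.
TE = "fb02e551-7101-4e68-8dec-1fde6bd10981"
ACCOUNT = "f3d70ef4-7e18-42af-a894-8955ba87c95d"
ORIGIN_A = "24e67957-3d31-4878-8892-da2b35e121c2"
ORIGIN_B = "e42885a1-0270-44e9-bb5c-865cf6bd4800"

STATEMENTS = [
    {"statement-metadata": {"publish-timestamp": 1461934031,
                            "data-origin": ORIGIN_A,
                            "content-type": "observation"},
     "content-elements": [
         {"content-metadata": {"collection-timestamp": 1461933220,
                               "data-source": TE,
                               "relationships": {
                                   "associated-with-user-account": ACCOUNT}},
          "hostname": "arbutus",
          "coordinates": {"latitude": "N27.99619", "longitude": "E86.92761"}},
         {"content-metadata": {"content-label": ACCOUNT},
          "user-account": {"username": "romeo", "authentication": "local"}}]},
    {"statement-metadata": {"publish-timestamp": 1461934744,
                            "data-origin": ORIGIN_B,
                            "content-type": "observation"},
     "content-elements": [
         {"content-metadata": {"collection-timestamp": 1461938210,
                               "te-label": TE},
          "coordinates": {"latitude": "N16.67622",
                          "longitude": "E141.55321"}}]},
]


def target_endpoint(element):
    """Target endpoint a content-element is about (data-source or te-label)."""
    md = element["content-metadata"]
    return md.get("data-source") or md.get("te-label")


def content_of(element):
    """Everything in a content-element except its metadata is content."""
    return {k: v for k, v in element.items() if k != "content-metadata"}


def find_conflicts(statements):
    """Map (target endpoint, IE name) -> observations, for every IE on which
    two different data-origins reported different values.  Observations are
    ordered by collection-timestamp so the consumer sees which is newer;
    how to resolve the conflict is out of scope for the IM."""
    seen = defaultdict(list)            # (te, ie) -> [(ts, origin, value)]
    for stmt in statements:
        origin = stmt["statement-metadata"]["data-origin"]
        for elem in stmt["content-elements"]:
            te = target_endpoint(elem)
            if te is None:              # not about a target endpoint
                continue
            ts = elem["content-metadata"].get("collection-timestamp", 0)
            for ie, value in content_of(elem).items():
                seen[(te, ie)].append((ts, origin, value))
    conflicts = {}
    for key, obs in seen.items():
        origins = {o for _, o, _ in obs}
        values = {repr(v) for _, _, v in obs}
        if len(origins) > 1 and len(values) > 1:
            conflicts[key] = sorted(obs, key=lambda o: (o[0], o[1]))
    return conflicts


def resolve_references(statements):
    """Resolve relationships given as a content-label (first option in 4.4).
    Returns ({(te, relationship): referenced content}, [dangling labels])."""
    by_label = {}
    for stmt in statements:
        for elem in stmt["content-elements"]:
            label = elem["content-metadata"].get("content-label")
            if label is not None:
                by_label[label] = elem
    resolved, dangling = {}, []
    for stmt in statements:
        for elem in stmt["content-elements"]:
            rels = elem["content-metadata"].get("relationships", {})
            for rel, label in rels.items():
                if label in by_label:
                    resolved[(target_endpoint(elem), rel)] = content_of(by_label[label])
                else:
                    dangling.append(label)
    return resolved, dangling


if __name__ == "__main__":
    for (te, ie), obs in find_conflicts(STATEMENTS).items():
        print(f"conflicting {ie} for target endpoint {te}:")
        for ts, origin, value in obs:
            print(f"  {ts}  {origin}  {value}")
    print(resolve_references(STATEMENTS))
```

   Run stand-alone, the script reports one conflict (coordinates for the
   endpoint fb02e551-..., from two origins) and no conflict for hostname,
   which only one origin reported.  A dangling label is returned rather
   than raised because, as Section 4.4 notes, the IM does not oblige a
   domain to use unique identifiers, so an unresolved label is a normal
   outcome the consumer has to handle.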

4.5.  Event

   Event subjects provide a structure to represent a change of IE values
   that was detected by a collection task at a specific point in time.
   It is mandatory to include the new values and their collection
   timestamp in an event subject, and it is recommended to also include
   the past values that were replaced by the new values, together with
   the collection timestamp at which they were collected.  Every event
   can also be associated with a subject-specific event-timestamp and a
   lastseen-timestamp that might differ from the corresponding
   collection-timestamps.  If these are omitted, the collection-timestamp
   included in the content-metadata subject is used instead.

            sacm-statement = (
              statement-metadata = (
                publish-timestamp = 1461934031,
                data-origin = 24e67957-3d31-4878-8892-da2b35e121c2,
                content-type = event
              ),
              event = (
                event-attributes = (
                  event-name = "host-name change",
                  content-element = (
                    content-metadata = (
                      collection-timestamp = 146193322,
                      data-source =
                        fb02e551-7101-4e68-8dec-1fde6bd10981,
                      event-component = past-state
                    ),
                    hostname = "arbutus"
                  ),
                  content-element = (
                    content-metadata = (
                      collection-timestamp = 146195723,
                      data-source =
                        fb02e551-7101-4e68-8dec-1fde6bd10981,
                      event-component = current-state
                    ),
                    hostname = "lilac"
                  )
                )
              )
            )

        Figure 7: Example of a SACM statement containing an event.

4.6.  Categories

   Categories are special IEs that make it possible to refer to multiple
   types of IE via just one name.  Therefore, they are similar to a
   type-choice.  A prominent example of a category is network-address.
   Network-address is a category that every kind of network address is
   associated with, e.g. mac-address, ipv4-address, ipv6-address, or
   typed-network-address.  If a subject includes network-address as one
   of its components, any of the category members is valid in its place.

   Another prominent example is endpoint-identifier.  Some IEs can be
   used to identify (and over time re-recognize) target endpoints; those
   are associated with the category endpoint-identifier.

5.  Abstract Data Types

   This section describes the set of valid abstract data types that can
   be used for the specification of the SACM Information Elements in
   Section 7.  SACM currently supports two classes of datatypes that can
   be used to define Information Elements.

   o  Simple: Datatypes that are atomic and are used to define the type
      of data represented by an attribute Information Element.

   o  Structured: Datatypes that can be used to define the type of data
      represented by a subject Information Element.

   Note that further abstract data types may be specified by future
   extensions of the SACM information model.

5.1.  Simple Datatypes

5.1.1.  IPFIX Datatypes

   To facilitate the use of existing work, SACM supports the following
   abstract data types defined in Section 3 of [RFC7012].

   o  unsigned8, unsigned16, unsigned32, unsigned64

   o  signed8, signed16, signed32, signed64

   o  float32, float64

   o  boolean

   o  macAddress

   o  octetArray

   o  string

   o  dateTimeSeconds, dateTimeMilliseconds, dateTimeMicroseconds,
      dateTimeNanoSeconds

   o  ipv4Address, ipv6Address

5.2.  Structured Datatypes

5.2.1.  List Datatypes

   SACM defines the following abstract list data types that are used to
   represent the structured data associated with subjects.

   o  list: indicates that the Information Element order is not
      significant but MAY be preserved.

   o  orderedList: indicates that Information Element order is
      significant and MUST be preserved.

   The notation for defining a SACM structured datatype is based on
   regular expressions, which are composed of the keywords "list" or
   "orderedList" and an Information Element expression.  IE expressions
   use some of the regular expression syntax and operators, but the
   terms in the expression are the names of defined Information Elements
   instead of character classes.  The syntax for defining list and
   orderedList datatypes is described below, using BNF:

       <list-def> -> ("list"|"orderedList") "(" <ie-expression> ")"

       <ie-expression> -> <ie-name> <cardinality>?
                          ( ("," | "|") <ie-name> <cardinality>?)*

       <cardinality> -> "*" | "+" | "?" |
                        ( "(" <non-neg-int> ("," <non-neg-int>)? ")" )

               Figure 8: Syntax for Defining List Datatypes

   As seen above, multiple occurrences of an Information Element may be
   present in a structured datatype.  The cardinality of an Information
   Element within a structured Information Element definition is defined
   by the following operators:

       *     - zero or more occurrences

       +     - one or more occurrences

       ?     - zero or one occurrence

       (m,n) - between m and n occurrences

         Figure 9: Specifying Cardinality for Structured Datatypes

   The absence of a cardinality operator implies one mandatory
   occurrence of the Information Element.

   Below is an example of a structured Information Element definition.

   personInfo = list(firstName, middleNames?, lastName)
   firstName = string
   middleNames = orderedList(middleName+)
   middleName = string
   lastName = string

   As an example, consider the name "John Ronald Reuel Tolkien".
   Below are instances of this name, structured according to the
   personInfo definition.

   personInfo = (firstName="John", middleNames(middleName="Ronald",
                 middleName="Reuel"), lastName="Tolkien")

   personInfo = (middleNames(middleName="Ronald", middleName="Reuel"),
                 lastName="Tolkien", firstName="John")

   The instance below is not legal with respect to the definition
   of personInfo because the order in middleNames is not preserved.

   personInfo = (firstName="John", middleNames(middleName="Reuel",
                 middleName="Ronald"), lastName="Tolkien")

         Figure 10: Example of Defining a Structured List Datatype
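   The notation of Figures 8 to 10 is small enough to implement directly.
   The following Python is an added example, not code from the draft: it
   parses a list or orderedList definition into per-IE cardinalities,
   checks an instance against them, and compares two instances the way
   the draft treats order (as a multiset for list, as a sequence for
   orderedList), so that the second instance of Figure 10 comes out equal
   to the first while the third does not.  The encoding of an instance as
   (name, value) pairs and the rejection of the "|" separator, whose
   meaning the draft does not define, are assumptions of this example.

```python
"""Parser and validator for the SACM list / orderedList notation.

Added example, not part of the draft.  Implements the grammar of Figure 8
and the cardinality operators of Figure 9, checks an instance against a
definition, and compares instances the way Figure 10 treats order.
Assumptions not in the draft: an instance is a list of (ieName, value) pairs
with nested lists for structured values; "|" has no defined meaning here.
"""
import re
from collections import Counter

_TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9]*|\d+|[(),|*+?]")
_NAME = re.compile(r"[A-Za-z][A-Za-z0-9]*")


def parse_list_def(text):
    """Return (ordered, terms); terms are (ieName, minOccurs, maxOccurs), with
    maxOccurs None for unbounded.  An absent operator means exactly one."""
    toks, pos = _TOKEN.findall(text), 0
    if "".join(toks) != re.sub(r"\s+", "", text):
        raise ValueError("definition contains characters outside the Figure 8 syntax")

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take(expected=None):
        nonlocal pos
        if peek() is None or (expected is not None and peek() != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {peek()!r}")
        pos += 1
        return toks[pos - 1]

    kind = take()
    if kind not in ("list", "orderedList"):
        raise ValueError(f"definition must start with list or orderedList, not {kind!r}")
    take("(")
    terms = []
    while True:
        name = take()
        if not _NAME.fullmatch(name) or name in ("list", "orderedList"):
            raise ValueError(f"bad Information Element name {name!r}")
        lo, hi = 1, 1                              # no operator: one mandatory occurrence
        if peek() in ("*", "+", "?"):
            lo, hi = {"*": (0, None), "+": (1, None), "?": (0, 1)}[take()]
        elif peek() == "(":                        # (m) or (m,n)
            take("(")
            lo = hi = int(take())
            if peek() == ",":
                take(",")
                hi = int(take())
            take(")")
            if hi < lo:
                raise ValueError(f"cardinality ({lo},{hi}) has max below min")
        terms.append((name, lo, hi))
        sep = take()
        if sep == ")":
            break
        if sep == "|":
            raise NotImplementedError("'|' appears in Figure 8 but its meaning is not defined")
        if sep != ",":
            raise ValueError(f"expected ',' or ')', got {sep!r}")
    if peek() is not None:
        raise ValueError("trailing input after the closing parenthesis")
    return kind == "orderedList", terms


def conforms(defs, ie_name, members):
    """True if the instance satisfies the cardinalities of defs[ie_name]; for
    orderedList the declared order must be kept.  Nested members recurse."""
    ordered, terms = parse_list_def(defs[ie_name])
    names = [n for n, _ in members]
    if any(n not in {t[0] for t in terms} for n in names):
        return False
    if ordered:        # match the name sequence against the definition as a regex
        pattern = "".join(f"(?:{re.escape(n)};){{{lo},{'' if hi is None else hi}}}"
                          for n, lo, hi in terms)
        ok = re.fullmatch(pattern, "".join(n + ";" for n in names)) is not None
    else:              # order is free: only per-IE occurrence counts matter
        counts = Counter(names)
        ok = all(lo <= counts[n] and (hi is None or counts[n] <= hi) for n, lo, hi in terms)
    return ok and all((isinstance(v, list) and conforms(defs, n, v)) if n in defs
                      else isinstance(v, str) for n, v in members)


def canonical(defs, ie_name, members):
    """Sorted tuple (multiset) for list, tuple in the given order for orderedList."""
    ordered, _ = parse_list_def(defs[ie_name])
    items = tuple((n, canonical(defs, n, v) if n in defs else v) for n, v in members)
    return items if ordered else tuple(sorted(items))


def equivalent(defs, ie_name, a, b):
    return canonical(defs, ie_name, a) == canonical(defs, ie_name, b)


# Definitions and the three instances of Figure 10.
DEFS = {"personInfo": "list(firstName, middleNames?, lastName)",
        "middleNames": "orderedList(middleName+)"}
RONALD_REUEL = [("middleName", "Ronald"), ("middleName", "Reuel")]
REUEL_RONALD = [("middleName", "Reuel"), ("middleName", "Ronald")]
TOLKIEN_A = [("firstName", "John"), ("middleNames", RONALD_REUEL), ("lastName", "Tolkien")]
TOLKIEN_B = [("middleNames", RONALD_REUEL), ("lastName", "Tolkien"), ("firstName", "John")]
TOLKIEN_C = [("firstName", "John"), ("middleNames", REUEL_RONALD), ("lastName", "Tolkien")]
```

   Note that conforms() accepts all three instances of Figure 10: each
   satisfies the cardinalities, and middleNames keeps its declared shape
   in every one of them.  What makes the third instance illegal is that
   it does not preserve the order of the source data, and that only shows
   when it is compared against the first instance, which is what
   equivalent() does.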

5.2.2.  Enumeration Datatype

   SACM defines the following abstract enumeration datatype that is used
   to represent the restriction of an attribute value to a set of
   values.

   <enumeration-def> -> <name> ";" <hex-value> ";" <description>
   <name> -> [0-9a-zA-Z]+
   <hex-value> -> 0x[0-9a-fA-F]+
   <description> -> [0-9a-zA-Z\.\, ]+

          Figure 11: Syntax for Defining an Enumeration Datatype

   Below is an example of a structured Information Element definition
   for an enumeration.

                               Red    ; 0x1  ; The color is red.
                               Orange ; 0x2  ; The color is orange.
                               Yellow ; 0x3  ; The color is yellow.
                               Green  ; 0x4  ; The color is green.
                               ...

     Figure 12: Example of Defining a Structured Enumeration Datatype
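   An implementer will typically turn an enumeration such as Figure 12
   into a lookup table.  The following Python is an added example and
   not part of the draft: it parses entries in the Figure 11 syntax (with
   spaces permitted in the description, as Figure 12 requires) and, as an
   assumption the draft does not spell out, rejects duplicate names and
   duplicate code values so that a value collected from an endpoint maps
   back to exactly one name.  The color table is a constructed sample
   following Figure 12.

```python
"""Parser for the enumeration notation of Figure 11.

Added example, not part of the draft.  Entries have the form
"name ; 0xHEX ; description".  Uniqueness of names and of code values is
an assumption the draft does not state; it is enforced here so that a
value read back from a data model maps to exactly one name.
"""
import re

# Figure 11, with the description allowed to contain spaces as Figure 12 requires.
_ENTRY = re.compile(r"^\s*(?P<name>[0-9A-Za-z]+)\s*;\s*(?P<hex>0x[0-9A-Fa-f]+)\s*;"
                    r"\s*(?P<desc>[0-9A-Za-z., ]+?)\s*$")


def parse_enumeration(text):
    """Return {name: (value, description)}; raise ValueError for a malformed,
    duplicate-name or duplicate-value entry."""
    entries, by_value = {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not in Figure 11 syntax: {line.strip()!r}")
        name, value, desc = m["name"], int(m["hex"], 16), m["desc"]
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate name {name!r}")
        if value in by_value:
            raise ValueError(f"line {lineno}: value {m['hex']} already used by {by_value[value]!r}")
        entries[name] = (value, desc)
        by_value[value] = name
    return entries


def name_for(enum, value):
    """Map a numeric value collected from an endpoint back to its name, or None."""
    return next((n for n, (v, _) in enum.items() if v == value), None)


# Constructed sample following Figure 12.
COLORS = """\
Red    ; 0x1  ; The color is red.
Orange ; 0x2  ; The color is orange.
Yellow ; 0x3  ; The color is yellow.
Green  ; 0x4  ; The color is green.
"""

if __name__ == "__main__":
    table = parse_enumeration(COLORS)
    print(table["Orange"], name_for(table, 4))
```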

6.  Information Model Assets

   In order to represent the Information Elements related to the areas
   listed in Section 3.1, the information model defines the information
   needs (or metadata about those information needs) for the following
   types of assets that are of interest to SACM.  The assets are defined
   in [I-D.ietf-sacm-terminology] and are included below for
   convenience.  Specifically:

   o  Endpoint

   o  Software Component

   o  Hardware Component

   o  Identity

   o  Guidance

   o  Evaluation Results

   The following figure shows the make-up of an Endpoint asset.  An
   endpoint contains zero or more hardware components and zero or more
   software components, each of which may have zero or more instances
   running on the endpoint at any given time, as well as zero or more
   identities that act on behalf of the endpoint when interfacing with
   other endpoints, tools, or services.  An endpoint may also contain
   other endpoints, as in the case of a virtualized environment.

           +---------+*______in>_______*+-----+
           |Hardware |                  |!   !|
           |Component|   +---------+    |!   !|
           +---------+   |Software |in> |!   !|
                         |Component|____|!   !|
                         +---------+*  *|!   !|
                             1|         |!   !|
                             *|         |     |       +----------+
                         +---------+    |End- |*_____*| Identity |
                         |Software |in> |point| acts  +----------+
                         |Instance |____|     | for>
                         +---------+*  1|!   !|
                                        |!   !|
                                        |!   !|
                                        |!   !|
                                        |!   !|____
                                        |!   !|0..1|
                                        +-----+    |
                                           |*      |
                                           |_______|
                                              in>

                      Figure 13: Model of an Endpoint

6.1.  Asset

   As defined in [RFC4949], an asset is a system resource that is (a)
   required to be protected by an information system's security policy,
   (b) intended to be protected by a countermeasure, or (c) required for
   a system's mission.

   In the scope of SACM, an asset can be composed of other assets.
   Examples of Assets include: Endpoints, Software, Guidance, or
   Identity.  Furthermore, an asset is not necessarily owned by an
   organization.

6.2.  Endpoint

   From [RFC5209], an endpoint is any computing device that can be
   connected to a network.  Such devices normally are associated with a
   particular link layer address before joining the network and
   potentially an IP address once on the network.  This includes:
   laptops, desktops, servers, cell phones, or any device that may have
   an IP address.

   To further clarify, an endpoint is any physical or virtual device
   that may have a network address.  Note that network infrastructure
   devices (e.g. switches, routers, firewalls), which fit the
   definition, are also considered to be endpoints within this document.

   Physical endpoints are always composites that are composed of
   hardware components and software components.  Virtual endpoints are
   composed entirely of software components and rely on software
   components that provide functions equivalent to hardware components.

   The SACM architecture differentiates two essential categories of
   endpoints: Endpoints whose security posture is intended to be
   assessed (target endpoints) and endpoints that are specifically
   excluded from endpoint posture assessment (excluded endpoints).

6.3.  Hardware Component

   Hardware components are the distinguishable physical components that
   compose an endpoint.  The composition of an endpoint can be changed
   over time by adding or removing hardware components.  In essence,
   every physical endpoint is potentially a composite of multiple
   hardware components, typically resulting in a hierarchical
   composition of hardware components.  The composition of hardware
   components is based on interconnects provided by specific hardware
   types (e.g.  mainboard is a hardware type that provides local busses
   as an interconnect).  In general, a hardware component can be
   distinguished by its serial number.

   Examples of hardware components include: motherboards, network
   interfaces, graphics cards, hard drives, etc.

6.4.  Software Component

   A software component is a software package installed on an endpoint
   (including the operating system), together with a unique serial
   number if one is present (e.g. a text editor associated with a unique
   license key).

   It should be noted that this includes both benign and harmful
   software packages.  Examples of benign software components include:
   applications, patches, operating system kernel, boot loader,
   firmware, code embedded on a webpage, etc.  Examples of malicious
   software components include: malware, trojans, viruses, etc.

6.4.1.  Software Instance

   A software instance is a running instance of a software component
   (e.g. on a multi-user system, one logged-in user has one instance of
   a text editor running and another logged-in user has another
   instance of the same text editor running; on a single-user system, a
   user could have multiple independent instances of the same text
   editor running).

6.5.  Identity

   An identity is any mechanism that can be used to identify an asset
   during an authentication process.  Examples include usernames and
   user and device certificates.  Note that this is different from the
   identity of assets in the context of designation as described in
   Section 11.1.

6.6.  Guidance

   Guidance is input instructions to processes and tasks, such as
   collection or evaluation.  Guidance influences the behavior of a SACM
   component and is considered content of the management plane.
   Guidance can be manually or automatically generated or provided.
   Typically, the tasks that provide guidance to SACM components run at
   a low frequency and tend to be sporadic.  A prominent example of
   guidance is target endpoint profiles, but guidance can have many
   forms, including:

      Configuration, e.g. a SACM component's name, or a CMDB's IPv6
      address.

      Profiles, e.g. a set of expected states for network behavior
      associated with target endpoints employed by specific users.

      Policies, e.g. an interval to refresh the registration of a SACM
      component, or a list of required capabilities for SACM components
      in a specific location.

6.6.1.  Collection Guidance

   A collector may need guidance to govern what it collects and when.
   Collection Guidance provides instructions for a Collector that
   specifies which endpoint attributes to collect, when to collect them,
   and how to collect them.  Collection Guidance is composed of Target
   Endpoint Attribute Guidance, Frequency Guidance, and Method Guidance.

   o  Target Endpoint Attribute Guidance: Set of endpoint attributes
      that are supposed to be collected from a target endpoint.  The
      definition of the set of endpoint attributes is typically based on
      an endpoint characterization record.

   o  Frequency Guidance: Specifies when endpoint attributes are to be
      collected.

   o  Method Guidance: Indicates how endpoint attributes are to be
      collected.

6.6.2.  Evaluation Guidance

   An evaluator typically needs guidance to govern what it considers to
   be a good or bad security posture.  Evaluation Guidance provides
   instructions for an Evaluator that specifies which endpoint
   attributes to evaluate, the desired state of those endpoint
   attributes, and any special requirements that enable an Evaluator to
   determine if the endpoint attributes can be used in the evaluation
   (e.g. freshness of data, how it was collected, etc.).  Evaluation
   Guidance is composed of Target Endpoint Attribute Guidance, Expected
   Endpoint Attribute Value Guidance, and Frequency Guidance.

   o  Target Endpoint Attribute Guidance: Set of target endpoint
      attributes that are supposed to be used in an evaluation as well
      as any requirements on the endpoint attributes.  The definition of
      the set of endpoint attributes is typically based on an endpoint
      characterization record.

   o  Expected Endpoint Attribute Value Guidance: The expected values of
      the endpoint attributes described in the Target Endpoint Attribute
      Guidance.

   o  Frequency Guidance: Specifies when endpoint attributes are to be
      evaluated.

6.6.3.  Classification Guidance

   A SACM Component carrying out the Target Endpoint Classification Task
   may need guidance on how to classify an endpoint.  Specifically, how
   to associate endpoint classes with a specific target endpoint
   characterization record.  Target Endpoint Classes function as
   guidance for collection, evaluation, remediation and security posture
   assessment in general.  Classification Guidance is composed of Target
   Endpoint Attribute Guidance and Class Guidance.

   o  Target Endpoint Attribute Guidance: Set of target endpoint
      attributes that are supposed to be used to identify the endpoint
      characterization record.

   o  Class Guidance: A list of target endpoint classes that are to be
      associated with the identified target endpoint characterization
      record.

6.6.4.  Storage Guidance

   A SACM Component typically needs guidance to govern what information
   it should store and where.  Storage Guidance provides instructions
   for a SACM Component that specifies which security automation
   information should be stored, for how long, and on which endpoint.
   Storage Guidance is composed of Target Endpoint Attribute Guidance,
   Expected Security Automation Information Guidance, and Retention
   Guidance.

   o  Target Endpoint Attribute Guidance: Set of target endpoint
      attributes that are supposed to be used to identify the endpoint
      where the security automation information is to be stored.

   o  Expected Security Automation Information Guidance: The security
      automation information that is expected to be stored (guidance,
      collected posture attributes, results, etc.).

   o  Retention Guidance: Specifies how long the security automation
      information should be stored.

6.7.  Evaluation Results

   Evaluation Results are the output of comparing the actual state of an
   endpoint against the expected state of an endpoint.  In addition to
   the actual results of the comparison, Evaluation Results should
   include the Evaluation Guidance and actual target endpoint attributes
   values used to perform the evaluation.

7.  Information Model Elements

   This section defines the specific Information Elements and
   relationships that will be implemented by data models and transported
   between SACM Components.
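   A registry of this shape is maintained by hand, and records like the
   ones that follow tend to accumulate copy-paste slips: a name field
   that still carries the previous record's name, a dataType that is not
   one of the abstract types of Section 5, an unclosed parenthesis in a
   description.  The following Python is an added example, not part of
   the draft or of any SACM implementation: it parses records written in
   the layout of this section and reports such inconsistencies.  The
   sample text is constructed for this example and deliberately contains
   one error of each kind; the field names it recognizes (elementId,
   name, dataType, status, description, references) are the ones used in
   this section.

```python
"""Consistency checks for Information Element records laid out as in Section 7.

Added example, not part of the draft.  Records are parsed from the
"key: value" layout of this section and checked for the slips that creep
into a hand-maintained registry: name not matching the heading, duplicate
names, a dataType outside Section 5, missing fields, unbalanced parentheses.
"""
import re

# Simple abstract types of Section 5.1.1 (taken from Section 3 of RFC 7012).
SIMPLE_TYPES = {
    "unsigned8", "unsigned16", "unsigned32", "unsigned64",
    "signed8", "signed16", "signed32", "signed64",
    "float32", "float64", "boolean", "macAddress", "octetArray", "string",
    "dateTimeSeconds", "dateTimeMilliseconds", "dateTimeMicroseconds",
    "dateTimeNanoseconds", "ipv4Address", "ipv6Address",
}
REQUIRED = ("elementId", "name", "dataType", "status", "description")
KNOWN_FIELDS = REQUIRED + ("references",)
_HEADING = re.compile(r"^\s*7\.\d+\.\s+(\S+)\s*$")
_FIELD = re.compile(r"^\s*(\w+):\s*(.*)$")


def valid_datatype(dtype):
    """A simple type of Section 5.1.1 or a list/orderedList definition (Section 5.2.1)."""
    return dtype in SIMPLE_TYPES or re.fullmatch(r"(list|orderedList)\(.+\)", dtype) is not None


def parse_records(text):
    """Return [(heading_name, {field: value})]; continuation lines are joined
    onto the field that precedes them."""
    records, fields, last_key = [], None, None
    for line in text.splitlines():
        h = _HEADING.match(line)
        if h:
            fields, last_key = {}, None
            records.append((h.group(1), fields))
            continue
        if fields is None or not line.strip():
            continue
        f = _FIELD.match(line)
        if f and f.group(1) in KNOWN_FIELDS:
            last_key = f.group(1)
            fields[last_key] = f.group(2).strip()
        elif last_key is not None:
            fields[last_key] += " " + line.strip()
    return records


def lint(records):
    """Return human-readable findings; an empty list means the records are clean."""
    findings, seen = [], {}
    for heading, fields in records:
        missing = [k for k in REQUIRED if k not in fields]
        if missing:
            findings.append(f"{heading}: missing field(s) {', '.join(missing)}")
        name = fields.get("name")
        if name is not None and name != heading:
            findings.append(f"{heading}: name field says {name!r}")
        if name in seen:
            findings.append(f"{heading}: name {name!r} already used under {seen[name]}")
        elif name is not None:
            seen[name] = heading
        dtype = fields.get("dataType")
        if dtype is not None and not valid_datatype(dtype):
            findings.append(f"{heading}: unknown dataType {dtype!r}")
        desc = fields.get("description", "")
        if desc.count("(") != desc.count(")"):
            findings.append(f"{heading}: unbalanced parentheses in description")
    return findings


# Constructed sample in the layout of Section 7; records 2 and 3 carry deliberate errors.
SAMPLE = """\
7.1.  accessPrivilegeType

               elementId: TBD
               name: accessPrivilegeType
               dataType: string
               status: current
               description: A set of types that represent access
               privileges (read, write, none, etc.).

7.2.  administrativeDomainType

               elementId: TBD
               name: accessPrivilegeType
               dataType: string
               status: current
               description: A label that is supposed to uniquely
               identify an administrative domain.

7.3.  layer4PortAddress

               elementId: TBD
               name: layer4PortAddress
               dataType: uint32
               status: current
               description: A layer 4 port address (typically TCP or UDP.
"""

if __name__ == "__main__":
    for finding in lint(parse_records(SAMPLE)):
        print(finding)
```

   Run against the sample, the linter reports the name mismatch and the
   duplicate name under the second record and the unknown dataType and
   unbalanced parenthesis under the third; the first record is clean.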

7.1.  accessPrivilegeType

               elementId: TBD
               name: accessPrivilegeType
               dataType: string
               status: current
               description: A set of types that represent access
               privileges (read, write, none, etc.).

7.2.  accountName

               elementId: TBD
               name: accountName
               dataType: string
               status: current
               description: A label that uniquely identifies an account
               that can require some form of (user) authentication to
               access.

7.3.  administrativeDomainType

               elementId: TBD
               name: administrativeDomainType
               dataType: string
               status: current
               description: A label that is supposed to uniquely
               identify an administrative domain.

7.4.  addressAssociationType

               elementId: TBD
               name: addressAssociationType
               dataType: string
               status: current
               description: A set of types that expresses the kind of
               association between an address and the subject it
               belongs to.

7.5.  addressMaskValue

               elementId: TBD
               name: addressMaskValue
               dataType: string
               status: current
               description: A value that expresses a generic address
               subnetting bitmask.

7.6.  addressType

               elementId: TBD
               name: addressType
               dataType: string
               status: current
               description: A set of types that specifies the type
               of address that is expressed in an address subject
               (e.g. ethernet, modbus, zigbee).

7.7.  addressValue

               elementId: TBD
               name: addressValue
               dataType: string
               status: current
               description: A value that expresses a generic network
               address.

7.8.  applicationComponent

               elementId: TBD
               name: applicationComponent
               dataType: string
               status: current
               description: A label that references a "sub"-application
               that is part of the application (e.g. an add-on, a
               cipher-suite, a library).

7.9.  applicationLabel

               elementId: TBD
               name: applicationLabel
               dataType: string
               status: current
               description: A label that is supposed to uniquely
               reference an application.

7.10.  applicationType

               elementId: TBD
               name: applicationType
               dataType: string
               status: current
               description: A set of types that identifies the type
               of (user-space) application (e.g. text-editor,
               policy-editor, service-client, service-server,
               calendar, roguelike RPG).  FIXME: maybe a finite set is
               not realistic here; a value rather than an enumerator?

7.11.  applicationManufacturer

               elementId: TBD
               name: applicationManufacturer
               dataType: string
               status: current
               description: The name of the vendor that created the
               application.

7.12.  authenticator

               elementId: TBD
               name: authenticator
               dataType: string
               status: current
               description: A label that references a SACM component
               that can authenticate target endpoints (can be used in
               a target-endpoint subject to express that the target
               endpoint was authenticated by that SACM component).

7.13.  authenticationType

               elementId: TBD
               name: authenticationType
               dataType: string
               status: current
               description: A set of types that expresses which type
               of authentication was used to enable a network
               interaction/connection.

7.14.  birthdate

               elementId: TBD
               name: birthdate
               dataType: string
               status: current
               description: The registered date of birth of a natural
               person (e.g. as an ISO 8601 date string).
               references: http://rs.tdwg.org/ontology/voc/Person#birthdate

7.15.  bytesReceived

               elementId: TBD
               name: bytesReceived
               dataType: string
               status: current
               description: A value that represents a number of octets
               received on a network interface.

7.17.  bytesSent

               elementId: TBD
               name: bytesSent
               dataType: string
               status: current
               description: A value that represents the number of
               octets sent on a network interface.

7.18.  certificate

               elementId: TBD
               name: certificate
               dataType: string
               status: current
               description: A value that expresses a certificate that
               can be collected from a target endpoint.

7.19.  collectionTaskType

               elementId: TBD
               name: collectionTaskType
               dataType: string
               status: current
               description: A set of types that defines how collected
               SACM content was acquired (e.g. network-observation,
               remote-acquisition, self-reported).

7.20.  confidence

               elementId: TBD
               name: confidence
               dataType: string
               status: current
               description: A representation of the subjective
               probability that the assessed value is correct.
               Acceptable values are between 0 and 1.  If no confidence
               value is given, a confidence of 1 is assumed.

7.21.  contentAction

               elementId: TBD
               name: contentAction
               dataType: string
               status: current
               description: A set of types that express a type of
               action (e.g. add, delete, update). It can be associated,
               for instance, with an event subject or with a network
               observation.

7.22.  countryCode

               elementId: TBD
               name: countryCode
               dataType: string
               status: current
               description: A set of types according to ISO 3166-1.

7.23.  dataOrigin

               elementId: TBD
               name: dataOrigin
               dataType: string
               status: current
               description: A label that uniquely identifies a SACM
               component in and across SACM domains.

7.24.  dataSource

               elementId: TBD
               name: dataSource
               dataType: string
               status: current
               description: A label that is supposed to uniquely
               identify the data source (e.g. a target endpoint or
               sensor) that provided an initial endpoint attribute
               record.

7.25.  default-depth

               elementId: TBD
               name: default-depth
               dataType: string
               status: current
               description: A value that expresses how often a circular
               reference between subjects is allowed to repeat or,
               respectively, how deep a recursive nesting may occur.

7.26.  discoverer

               elementId: TBD
               name: discoverer
               dataType: string
               status: current
               description: A label that refers to the SACM component
               that discovered a target endpoint (can be used in a
               target-endpoint subject to express, for example, that
               the target endpoint was discovered by that SACM
               component).

7.27.  emailAddress

               elementId: TBD
               name: emailAddress
               dataType: string
               status: current
               description: A value that expresses an email-address.

7.28.  eventType

               elementId: TBD
               name: eventType
               dataType: string
               status: current
               description: A set of types that define the categories
               of an event (e.g. access-level-change,
               change-of-privilege, change-of-authorization,
               environmental-event, or provisioning-event).

7.29.  eventThreshold

               elementId: TBD
               name: eventThreshold
               dataType: string
               status: current
               description: If applicable, a value that can be
               included in an event subject to indicate what numeric
               threshold value was crossed to trigger that event.

7.30.  eventThresholdName

               elementId: TBD
               name: eventThresholdName
               dataType: string
               status: current
               description: If an event is created due to a crossed
               threshold, the threshold might have a name associated
               with it that can be expressed via this value.

7.31.  eventTrigger

               elementId: TBD
               name: eventTrigger
               dataType: string
               status: current
               description: This value is used to express more
               complex trigger conditions that may cause the creation
               of an event.

7.33.  firmwareId

               elementId: TBD
               name: firmwareId
               dataType: string
               status: current
               description: A label that represents the BIOS or
               firmware ID of a specific target endpoint.

7.34.  hostName

               elementId: TBD
               name: hostName
               dataType: string
               status: current
               description: A label typically associated with an
               endpoint; it is not necessarily unique within a given
               scope.

7.35.  interfaceLabel

               elementId: TBD
               name: interfaceLabel
               dataType: string
               status: current
               description: A unique label that can be used to
               reference a network interface.

7.36.  ipv6AddressSubnetMask

               elementId: TBD
               name: ipv6AddressSubnetMask
               dataType: string
               status: current
               description: An IPv6 subnet bitmask.

7.37.  ipv6AddressSubnetMaskCidrNotation

               elementId: TBD
               name: ipv6AddressSubnetMaskCidrNotation
               dataType: string
               status: current
               description: An IPv6 subnet bitmask in CIDR notation.

7.38.  ipv6AddressValue

               elementId: TBD
               name: ipv6AddressValue
               dataType: ipv6Address
               status: current
               description: An IPv6 address value.

7.39.  ipv4AddressSubnetMask

               elementId: TBD
               name: ipv4AddressSubnetMask
               dataType: string
               status: current
               description: An IPv4 subnet bitmask.

7.40.  ipv4AddressSubnetMaskCidrNotation

               elementId: TBD
               name: ipv4AddressSubnetMaskCidrNotation
               dataType: string
               status: current
               description: An IPv4 subnet bitmask in CIDR notation.

7.41.  ipv4AddressValue

               elementId: TBD
               name: ipv4AddressValue
               dataType: ipv4Address
               status: current
               description: An IPv4 address value.

7.42.  layer2InterfaceType

               elementId: TBD
               name: layer2InterfaceType
               dataType: string
               status: current
               description: A set of types taken from the IANA ifType
               registry.

7.43.  layer4PortAddress

               elementId: TBD
               name: layer4PortAddress
               dataType: unsigned32
               status: current
               description: A layer 4 port address
               typically associated with TCP and UDP
               protocols.

7.44.  layer4Protocol

               elementId: TBD
               name: layer4Protocol
               dataType: string
               status: current
               description: A set of types that express a layer 4
               protocol (e.g. UDP or TCP).

7.45.  locationName

               elementId: TBD
               name: locationName
               dataType: string
               status: current
               description: A value that represents a named region of
               physical space.

7.46.  macAddressValue

               elementId: TBD
               name: macAddressValue
               dataType: string
               status: current
               description: A value that expresses an Ethernet address.

7.47.  methodLabel

               elementId: TBD
               name: methodLabel
               dataType: string
               status: current
               description: A label that references a specific method
               registered and used in a SACM domain (e.g. method to
               match and re-identify target endpoints via identifying
               attributes).

7.48.  methodRepository

               elementId: TBD
               name: methodRepository
               dataType: string
               status: current
               description: A label that references a SACM component
               at which methods can be registered and that can provide
               guidance in the form of registered methods to other
               SACM components.

7.49.  networkAccessLevelType

               elementId: TBD
               name: networkAccessLevelType
               dataType: string
               status: current
               description: A set of types that expresses categories
               of network access-levels (e.g. block, quarantine, etc.).

7.50.  networkId

               elementId: TBD
               name: networkId
               dataType: string
               status: current
               description: A label that identifies a network.  Most
               networks, such as autonomous systems, OSPF domains, or
               VLANs, have an ID.

7.51.  networkInterfaceName

               elementId: TBD
               name: networkInterfaceName
               dataType: string
               status: current
               description: A label that uniquely identifies an
               interface associated with a distinguishable endpoint.

7.52.  networkLayer

               elementId: TBD
               name: networkLayer
               dataType: string
               status: current
               description: A set of layers that expresses the specific
               network layer an interface operates on.

7.53.  networkName

               elementId: TBD
               name: networkName
               dataType: string
               status: current
               description: A label that is associated with a network.
               Some networks, for example effective layer-2 broadcast
               domains, are difficult to delineate and therefore
               quite difficult to name.

7.54.  organizationId

               elementId: TBD
               name: organizationId
               dataType: string
               status: current
               description: A label that uniquely identifies an
               organization via an IANA Private Enterprise Number
               (PEN).

7.55.  osComponent

               elementId: TBD
               name: osComponent
               dataType: string
               status: current
               description: A label that references a "sub-component"
               that is part of the operating system (e.g. a kernel
               module, microcode, or ACPI table).

7.56.  osLabel

               elementId: TBD
               name: osLabel
               dataType: string
               status: current
               description: A label that references a specific version
               of an operating system, including patches and hotfixes.

7.57.  osName

               elementId: TBD
               name: osName
               dataType: string
               status: current
               description: The name of an operating system.

7.58.  osType

               elementId: TBD
               name: osType
               dataType: string
               status: current
               description: A set of types that identifies the type
               of an operating system (e.g. real-time,
               security-enhanced, consumer, server).

7.59.  osVersion

               elementId: TBD
               name: osVersion
               dataType: string
               status: current
               description: A value that represents the version of
               an operating-system.

7.60.  patchId

               elementId: TBD
               name: patchId
               dataType: string
               status: current
               description: A label that uniquely identifies a specific
               software patch.

7.61.  patchName

               elementId: TBD
               name: patchName
               dataType: string
               status: current
               description: The vendor's name of a software patch.

7.62.  personFirstName

               elementId: TBD
               name: personFirstName
               dataType: string
               status: current
               description: The first name of a natural person.

7.63.  personLastName

               elementId: TBD
               name: personLastName
               dataType: string
               status: current
               description: The last name of a natural person.

7.64.  personMiddleName

               elementId: TBD
               name: personMiddleName
               dataType: string
               status: current
               description: The middle name of a natural person.

7.65.  phoneNumber

               elementId: TBD
               name: phoneNumber
               dataType: string
               status: current
               description: A label that expresses the U.S. national
               phone number (e.g. pattern value="((\d{3}) )?\d{3}-\d{4}").

7.66.  phoneNumberType

               elementId: TBD
               name: phoneNumberType
               dataType: string
               status: current
               description: A set of types that express the type of
               a phone number (e.g. DSN, Fax, Home, Mobile, Pager,
               Secure, Unsecure, Work, Other).

7.67.  privilegeName

               elementId: TBD
               name: privilegeName
               dataType: string
               status: current
               description: The attribute name of the privilege
               represented as an AVP.

7.68.  privilegeValue

               elementId: TBD
               name: privilegeValue
               dataType: string
               status: current
               description: The value content of the privilege
               represented as an AVP.

7.69.  protocol

               elementId: TBD
               name: protocol
               dataType: string
               status: current
               description: A set of types that defines specific
               protocols above layer 4 (e.g. http, https, dns, ipp,
               or unknown).

7.70.  publicKey

               elementId: TBD
               name: publicKey
               dataType: string
               status: current
               description: The value of a public key (regardless of its
               method of creation, crypto-system, or signature scheme)
               that can be collected from a target endpoint.

7.71.  relationshipContentElementGuid

               elementId: TBD
               name: relationshipContentElementGuid
               dataType: string
               status: current
               description: A reference to a specific content element
               used in a relationship subject.

7.72.  relationshipStatementElementGuid

               elementId: TBD
               name: relationshipStatementElementGuid
               dataType: string
               status: current
               description: A reference to a specific SACM statement
               used in a relationship subject.

7.73.  relationshipObjectLabel

               elementId: TBD
               name: relationshipObjectLabel
               dataType: string
               status: current
               description: A reference to a specific label used in
               content (e.g. a te-label or a user-id). This reference
               is typically used when matching on the content attribute
               can be done efficiently; it can also be included in
               addition to a relationship-content-element-guid
               reference.

7.74.  relationshipType

               elementId: TBD
               name: relationshipType
               dataType: string
               status: current
               description: A set of types included in every instance
               of a relationship subject to indicate what kind of
               relationship the containing subject takes part in
               (e.g. associated_with_user, applies_to_session,
               seen_on_interface, associated_with_flow,
               contains_virtual_device).

7.75.  roleName

               elementId: TBD
               name: roleName
               dataType: string
               status: current
               description: A label that references a collection of
               privileges assigned to a specific entity (identity?
               FIXME).

7.76.  sessionStateType

               elementId: TBD
               name: sessionStateType
               dataType: string
               status: current
               description: A set of types a discernible session (an
               ongoing network interaction) can be in (e.g.
               Authenticating, Authenticated, Postured, Started,
               Disconnected).

7.77.  statementGuid

               elementId: TBD
               name: statementGuid
               dataType: string
               status: current
               description: A label that expresses a global unique
               ID referencing a specific SACM statement that was
               produced by a SACM component.

7.78.  statementType

               elementId: TBD
               name: statementType
               dataType: string
               status: current
               description: A set of types that define the type of
               content that is included in a SACM statement (e.g.
               Observation, DirectoryContent, Correlation, Assessment,
               Guidance).

7.79.  status

               elementId: TBD
               name: status
               dataType: string
               status: current
               description: A set of types that defines possible
               result values for a finding in general (e.g. true,
               false, error, unknown, not applicable, not evaluated).

7.80.  subAdministrativeDomain

               elementId: TBD
               name: subAdministrativeDomain
               dataType: string
               status: current
               description: A label for related child domains an
               administrative domain can be composed of (used in the
               subject administrative-domain).

7.81.  subInterfaceLabel

               elementId: TBD
               name: subInterfaceLabel
               dataType: string
               status: current
               description: A unique label a sub network interface
               (e.g. a tagged vlan on a trunk) can be referenced
               with.

7.82.  superAdministrativeDomain

               elementId: TBD
               name: superAdministrativeDomain
               dataType: string
               status: current
               description: A label for related parent domains an
               administrative domain is part of (used in the
               subject s.administrative-domain).

7.83.  superInterfaceLabel

               elementId: TBD
               name: superInterfaceLabel
               dataType: string
               status: current
               description: A unique label a super network interface
               (e.g. a physical interface a tunnel interface
               terminates on) can be referenced with.

7.84.  teAssessmentState

               elementId: TBD
               name: teAssessmentState
               dataType: string
               status: current
               description: A set of types that defines the state of
               assessment of a target-endpoint (e.g. in-discovery,
               discovered, in-classification, classified,
               in-assessment, assessed).

7.85.  teLabel

               elementId: TBD
               name: teLabel
               dataType: string
               status: current
               description: An identifying label created from a set
               of identifying attributes used to reference a specific
               target endpoint.

7.86.  teId

               elementId: TBD
               name: teId
               dataType: string
               status: current
               description: An identifying label that is created
               randomly, is supposed to be unique, and is used to
               reference a specific target endpoint.

7.87.  timestampType

               elementId: TBD
               name: timestampType
               dataType: string
               status: current
               description: A set of types that express what type of
               action or event happened at that point in time (e.g.
               discovered, classified, collected, published). Can be
               included in a generic s.timestamp subject.

7.88.  unitsReceived

               elementId: TBD
               name: unitsReceived
               dataType: string
               status: current
               description: A value that represents a number of units
               (e.g. frames, packets, cells or segments) received on a
               network interface.

7.89.  unitsSent

               elementId: TBD
               name: unitsSent
               dataType: string
               status: current
               description: A value that represents a number of units
               (e.g. frames, packets, cells or segments) sent on a
               network interface.

7.90.  username

               elementId: TBD
               name: username
               dataType: string
               status: current
               description: A part of the credentials required to
               access an account that can be collected from a target
               endpoint.

7.91.  userDirectory

               elementId: TBD
               name: userDirectory
               dataType: string
               status: current
               description: A label that identifies a specific type
               of user directory (e.g. ldap, active-directory,
               local-user).

7.92.  userId

               elementId: TBD
               name: userId
               dataType: string
               status: current
               description: A label that references a specific user
               known in a SACM domain.

7.93.  webSite

               elementId: TBD
               name: webSite
               dataType: string
               status: current
               description: A URI that references a web site.

7.94.  WGS84Longitude

               elementId: TBD
               name: WGS84Longitude
               dataType: float
               status: current
               description: A label that represents WGS 84 rev 2004
               longitude.

7.95.  WGS84Latitude

               elementId: TBD
               name: WGS84Latitude
               dataType: float
               status: current
               description: A label that represents WGS 84 rev 2004
               latitude.

7.96.  WGS84Altitude

               elementId: TBD
               name: WGS84Altitude
               dataType: float
               status: current
               description: A label that represents WGS 84 rev 2004
               altitude.

7.97.  hardwareSerialNumber

   elementId: TBD
   name: hardwareSerialNumber
   dataType: string
   status: current
   description: A globally unique identifier for a particular
                piece of hardware assigned by the vendor.

7.98.  interfaceName

   elementId: TBD
   name: interfaceName
   dataType: string
   status: current
   description: A short name uniquely describing an interface,
                e.g. "Eth1/0". See [RFC2863] for the definition
                of the ifName object.

7.99.  interfaceIndex

   elementId: TBD
   name: interfaceIndex
   dataType: unsigned32
   status: current
   description: The index of an interface installed on an endpoint.
                The value matches the value of managed object
                'ifIndex' as defined in [RFC2863]. Note that ifIndex
                values are not assigned statically to an interface
                and that the interfaces may be renumbered every time
                the device's management system is re-initialized,
                as specified in [RFC2863].

7.100.  interfaceMacAddress

   elementId: TBD
   name: interfaceMacAddress
   dataType: macAddress
   status: current
   description: The IEEE 802 MAC address associated with a network
                interface on an endpoint.

7.101.  interfaceType

   elementId: TBD
   name: interfaceType
   dataType: unsigned32
   status: current
   description: The type of a network interface. The value matches
                the value of managed object 'ifType' as defined in
                [IANA registry ianaiftype-mib].

7.102.  interfaceFlags

   elementId: TBD
   name: interfaceFlags
   dataType: unsigned16
   status: current
   description: This information element specifies the flags
                associated with a network interface. Possible
                values include:
   structure: Up                  ; 0x1   ; Interface is up.
              Broadcast           ; 0x2   ; Broadcast address valid.
              Debug               ; 0x4   ; Turn on debugging.
              Loopback            ; 0x8   ; Is a loopback net.
              Point-to-point      ; 0x10  ; Interface is point-to-point link.
              No trailers         ; 0x20  ; Avoid use of trailers.
              Resources allocated ; 0x40  ; Resources allocated.
              No ARP              ; 0x80  ; No address resolution protocol.
              Receive all         ; 0x100 ; Receive all packets.

7.103.  networkInterface

   elementId: TBD
   name: networkInterface
   dataType: orderedList
   status: current
   description: Information about a network interface
                installed on an endpoint. The following
                structure lists the ordered items of the
                networkInterface information element.
   structure: orderedList(interfaceName, interfaceIndex,
                          interfaceMacAddress, interfaceType,
                          interfaceFlags)
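As an added example (not part of the draft), the following Python validates the five ordered items of a networkInterface record against the data types given above and decodes its interfaceFlags bitmask, reporting any set bits the flag table does not define instead of dropping them. The colon-separated text form of the macAddress type and the IANAifType value 6 (ethernetCsmacd) in the sample record are assumptions of the example.

```python
"""Validate a networkInterface record and decode its interfaceFlags (added example)."""
from dataclasses import dataclass
import re

# Bit values as tabulated for interfaceFlags (7.102); nothing above 0x100 is defined.
INTERFACE_FLAGS = {
    0x1: "Up",
    0x2: "Broadcast",
    0x4: "Debug",
    0x8: "Loopback",
    0x10: "Point-to-point",
    0x20: "No trailers",
    0x40: "Resources allocated",
    0x80: "No ARP",
    0x100: "Receive all",
}
KNOWN_FLAG_MASK = sum(INTERFACE_FLAGS)  # 0x1FF

# Assumed textual form for the macAddress type: six colon-separated hex octets.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def decode_interface_flags(value):
    """Return (names of set flags, mask of set bits the table does not define).

    Undefined bits are reported rather than dropped so a consumer can log
    them; silently discarding them would hide a producer that disagrees
    about the encoding.
    """
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"interfaceFlags must fit in unsigned16, got {value:#x}")
    names = [name for bit, name in INTERFACE_FLAGS.items() if value & bit]
    return names, value & ~KNOWN_FLAG_MASK


def encode_interface_flags(names):
    """Inverse of decode_interface_flags for the defined names."""
    by_name = {name: bit for bit, name in INTERFACE_FLAGS.items()}
    value = 0
    for name in names:
        if name not in by_name:
            raise ValueError(f"unknown interface flag name: {name!r}")
        value |= by_name[name]
    return value


@dataclass(frozen=True)
class NetworkInterface:
    """The five ordered items of networkInterface, typed as the registry specifies."""
    interface_name: str   # interfaceName, string
    interface_index: int  # interfaceIndex, unsigned32 (RFC 2863 ifIndex)
    mac_address: str      # interfaceMacAddress, macAddress
    if_type: int          # interfaceType, unsigned32 (IANAifType)
    flags: int            # interfaceFlags, unsigned16 bitmask


def _check_unsigned(label, value, bits):
    # bool is an int subclass; reject it so True does not pass as 1
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value < (1 << bits):
        raise ValueError(f"{label} is not an unsigned{bits}: {value!r}")


def parse_network_interface(items):
    """Validate an orderedList of five values; raise ValueError rather than coerce.

    Rejecting a malformed record outright keeps a repository from storing
    guessed types that later queries would treat as authoritative.
    """
    if len(items) != 5:
        raise ValueError(f"networkInterface needs 5 items, got {len(items)}")
    name, index, mac, if_type, flags = items
    if not isinstance(name, str) or not name:
        raise ValueError("interfaceName must be a non-empty string")
    _check_unsigned("interfaceIndex", index, 32)
    _check_unsigned("interfaceType", if_type, 32)
    _check_unsigned("interfaceFlags", flags, 16)
    if not isinstance(mac, str) or not MAC_RE.match(mac):
        raise ValueError(f"interfaceMacAddress not in aa:bb:cc:dd:ee:ff form: {mac!r}")
    return NetworkInterface(name, index, mac.lower(), if_type, flags)


if __name__ == "__main__":
    # Constructed sample: ifIndex 3, Ethernet (IANAifType 6), flags Up|Broadcast|Resources allocated.
    iface = parse_network_interface(["Eth1/0", 3, "00:1B:44:11:3A:B7", 6, 0x43])
    names, undefined = decode_interface_flags(iface.flags)
    print(iface.interface_name, names, f"undefined bits={undefined:#x}")
```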

7.104.  softwareIdentifier

   elementId: TBD
   name: softwareIdentifier
   dataType: string
   status: current
   description: A globally unique identifier for a particular
                software application.

7.105.  softwareTitle

   elementId: TBD
   name: softwareTitle
   dataType: string
   status: current
   description: The title of the software application.

7.106.  softwareCreator

   elementId: TBD
   name: softwareCreator
   dataType: string
   status: current
   description: The software developer (e.g., vendor or author).

7.107.  simpleSoftwareVersion

   elementId: TBD
   name: simpleSoftwareVersion
   dataType: string
   status: current
   description: The version string for a software application that
                consists of a list of hierarchical non-negative
                integers separated by a single-character delimiter.

7.108.  rpmSoftwareVersion

   elementId: TBD
   name: rpmSoftwareVersion
   dataType: string
   status: current
   description: The version string for a software application that
                conforms to the EPOCH:VERSION-RELEASE format.

7.109.  ciscoTrainSoftwareVersion

   elementId: TBD
   name: ciscoTrainSoftwareVersion
   dataType: string
   status: current
   description: The version string for a software application that
                conforms to the Cisco IOS Train string format.

7.110.  softwareVersion

   elementId: TBD
   name: softwareVersion
   dataType: list
   status: current
   description: The version of the software application. Software
                applications may be versioned using a number of
                schemas. The following structure lists the
                alternative forms of the softwareVersion information
                element.
   structure: list(simpleSoftwareVersion | rpmSoftwareVersion |
                   ciscoTrainSoftwareVersion)
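The following Python, added here and not part of the draft, classifies a version string as one of the three forms above and orders two strings of the same form, which is what a vulnerability assessment needs when it compares an installed version against the fixed one. simpleSoftwareVersion components are compared numerically (so 1.10 sorts after 1.9), rpmSoftwareVersion strings are compared by epoch, then version, then release using rpm's segment rule (tilde and caret handling omitted), and the Cisco train pattern is an assumed approximation used only for recognition.

```python
"""Classify and order softwareVersion strings (added example, not from the draft)."""
import re

# simpleSoftwareVersion: integers joined by one non-alphanumeric delimiter, used consistently.
_SIMPLE_RE = re.compile(r"^(\d+)(?:([^0-9A-Za-z])(\d+(?:\2\d+)*))?$")
# rpmSoftwareVersion: EPOCH:VERSION-RELEASE, where rpm treats a missing epoch as 0.
_RPM_RE = re.compile(r"^(?:(\d+):)?([^:\-\s]+)-([^:\-\s]+)$")
# ciscoTrainSoftwareVersion: assumed shape such as 12.4(15)T7, recognised but not ordered here.
_CISCO_RE = re.compile(r"^\d+\.\d+\(\d+[a-z]?\)[A-Z0-9]*$")
# rpm compares alternating runs of digits and letters; other characters only separate runs.
_SEG_RE = re.compile(r"\d+|[A-Za-z]+")


def parse_simple(text):
    """Return the integer components of a simpleSoftwareVersion, or None."""
    m = _SIMPLE_RE.match(text)
    if not m:
        return None
    parts = [int(m.group(1))]
    if m.group(2):
        parts += [int(p) for p in m.group(3).split(m.group(2))]
    return parts


def parse_rpm(text):
    """Return (epoch, version, release) for an rpmSoftwareVersion, or None."""
    m = _RPM_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)) if m.group(1) else 0), m.group(2), m.group(3)


def classify_version(text):
    """Name the softwareVersion form a string conforms to, or raise ValueError."""
    if parse_simple(text) is not None:
        return "simpleSoftwareVersion"
    if parse_rpm(text) is not None:
        return "rpmSoftwareVersion"
    if _CISCO_RE.match(text):
        return "ciscoTrainSoftwareVersion"
    raise ValueError(f"not a recognised softwareVersion form: {text!r}")


def rpmvercmp(a, b):
    """rpm's segment rule: numeric runs compare as integers, alphabetic runs
    lexically, a numeric run is newer than an alphabetic one, and leftover
    runs make a string newer. Tilde and caret handling are omitted."""
    sa, sb = _SEG_RE.findall(a), _SEG_RE.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_versions(a, b):
    """Order two strings of the same form; return -1, 0 or 1.

    Mixed forms raise instead of guessing, since a false "not vulnerable"
    from an accidental plain string comparison is the failure mode to avoid.
    """
    ka, kb = classify_version(a), classify_version(b)
    if ka != kb:
        raise ValueError(f"cannot order a {ka} against a {kb}")
    if ka == "simpleSoftwareVersion":
        pa, pb = parse_simple(a), parse_simple(b)
        width = max(len(pa), len(pb))  # 2.0 and 2.0.0 are treated as equal
        pa += [0] * (width - len(pa))
        pb += [0] * (width - len(pb))
        return (pa > pb) - (pa < pb)
    if ka == "rpmSoftwareVersion":
        (ea, va, ra), (eb, vb, rb) = parse_rpm(a), parse_rpm(b)
        if ea != eb:
            return 1 if ea > eb else -1
        return rpmvercmp(va, vb) or rpmvercmp(ra, rb)
    raise ValueError("this example does not order ciscoTrainSoftwareVersion strings")


if __name__ == "__main__":
    # Constructed pairs: installed version on the left, fixed version on the right.
    for installed, fixed in (("1.9.2", "1.10.0"), ("1.0.2k-8", "1.0.2k-16")):
        state = "outdated" if compare_versions(installed, fixed) < 0 else "current"
        print(f"{installed} vs {fixed}: {state}")
```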

7.111.  lastUpdated

   elementId: TBD
   name: lastUpdated
   dataType: dateTimeSeconds
   status: current
   description: The date and time when the software instance
                was last updated on the system (e.g., new
                version installed or patch applied).

7.112.  softwareInstance

   elementId: TBD
   name: softwareInstance
   dataType: orderedList
   status: current
   description: Information about an instance of software
                installed on an endpoint. The following
                structure lists the ordered items of the
                softwareInstance information element.
   structure: orderedList(softwareIdentifier, softwareTitle,
                          softwareCreator, softwareVersion,
                          lastUpdated)

7.113.  globallyUniqueIdentifier

   elementId: TBD
   name: globallyUniqueIdentifier
   dataType: unsigned8
   status: current
   metadata: true
   description: TODO.

7.114.  dataOrigin

   elementId: TBD
   name: dataOrigin
   dataType: string
   status: current
   metadata: true
   description: The origin of the data.

7.115.  dataSource

   elementId: TBD
   name: dataSource
   dataType: string
   status: current
   metadata: true
   description: The source of the data.

7.116.  creationTimestamp

   elementId: TBD
   name: creationTimestamp
   dataType: dateTimeSeconds
   status: current
   metadata: true
   description: The date and time when the posture
                information was created by a SACM Component.

7.117.  collectionTimestamp

   elementId: TBD
   name: collectionTimestamp
   dataType: dateTimeSeconds
   status: current
   metadata: true
   description: The date and time when the posture
                information was collected or observed by a SACM
                Component.

7.118.  publicationTimestamp

   elementId: TBD
   name: publicationTimestamp
   dataType: dateTimeSeconds
   status: current
   metadata: true
   description: The date and time when the posture
                information was published.

7.119.  relayTimestamp

   elementId: TBD
   name: relayTimestamp
   dataType: dateTimeSeconds
   status: current
   metadata: true
   description: The date and time when the posture
                information was relayed to another SACM Component.

7.120.  storageTimestamp

   elementId: TBD
   name: storageTimestamp
   dataType: dateTimeSeconds
   status: current
   metadata: true
   description: The date and time when the posture
                information was stored in a Repository.

7.121.  type

   elementId: TBD
   name: type
   dataType: enumeration
   status: current
   metadata: true
   description: The type of data model used to represent
                some set of endpoint information. The following
                table lists the set of data models supported by SACM.
   structure: TBD

7.122.  protocolIdentifier

   elementId: TBD
   name: protocolIdentifier
   dataType: unsigned8
   status: current
   description: The value of the protocol number in the IP packet
                header. The protocol number identifies the IP packet
                payload type. Protocol numbers are defined in the
                IANA Protocol Numbers registry.

                In Internet Protocol version 4 (IPv4), this is
                carried in the Protocol field.  In Internet Protocol
                version 6 (IPv6), this is carried in the Next Header
                field in the last extension header of the packet.

7.123.  sourceTransportPort

   elementId: TBD
   name: sourceTransportPort
   dataType: unsigned16
   status: current
   description: The source port identifier in the transport header.
                For the transport protocols UDP, TCP, and SCTP, this
                is the source port number given in the respective
                header.  This field MAY also be used for future
                transport protocols that have 16-bit source port
                identifiers.

7.124.  sourceIPv4PrefixLength

   elementId: TBD
   name: sourceIPv4PrefixLength
   dataType: unsigned8
   status: current
   description: The number of contiguous bits that are relevant in
                the sourceIPv4Prefix Information Element.

7.125.  ingressInterface

   elementId: TBD
   name: ingressInterface
   dataType: unsigned32
   status: current
   description: The index of the IP interface where packets of this
                Flow are being received.  The value matches the
                value of managed object 'ifIndex' as defined in
                [RFC2863]. Note that ifIndex values are not assigned
                statically to an interface and that the interfaces
                may be renumbered every time the device's management
                system is re-initialized, as specified in [RFC2863].

7.126.  destinationTransportPort

   elementId: TBD
   name: destinationTransportPort
   dataType: unsigned16
   status: current
   description: The destination port identifier in the transport
                header. For the transport protocols UDP, TCP, and
                SCTP, this is the destination port number given in
                the respective header. This field MAY also be used
                for future transport protocols that have 16-bit
                destination port identifiers.

7.127.  sourceIPv6PrefixLength

   elementId: TBD
   name: sourceIPv6PrefixLength
   dataType: unsigned8
   status: current
   description: The number of contiguous bits that are relevant in
                the sourceIPv6Prefix Information Element.

7.128.  sourceIPv4Prefix

   elementId: TBD
   name: sourceIPv4Prefix
   dataType: ipv4Address
   status: current
   description: IPv4 source address prefix.

7.129.  destinationIPv4Prefix

   elementId: TBD
   name: destinationIPv4Prefix
   dataType: ipv4Address
   status: current
   description: IPv4 destination address prefix.

7.130.  sourceMacAddress

   elementId: TBD
   name: sourceMacAddress
   dataType: macAddress
   status: current
   description: The IEEE 802 source MAC address field.

7.131.  ipVersion

   elementId: TBD
   name: ipVersion
   dataType: unsigned8
   status: current
   description: The IP version field in the IP packet header.

7.132.  interfaceDescription

   elementId: TBD
   name: interfaceDescription
   dataType: string
   status: current
   description: The description of an interface, e.g. "FastEthernet
                1/0" or "ISP connection".

7.133.  applicationDescription

   elementId: TBD
   name: applicationDescription
   dataType: string
   status: current
   description: Specifies the description of an application.

7.134.  applicationId

   elementId: TBD
   name: applicationId
   dataType: octetArray
   status: current
   description: Specifies an Application ID per [RFC6759].

7.135.  applicationName

   elementId: TBD
   name: applicationName
   dataType: string
   status: current
   description: Specifies the name of an application.

7.136.  exporterIPv4Address

   elementId: TBD
   name: exporterIPv4Address
   dataType: ipv4Address
   status: current
   description: The IPv4 address used by the Exporting Process.
                This is used by the Collector to identify the
                Exporter in cases where the identity of the Exporter
                may have been obscured by the use of a proxy.

7.137.  exporterIPv6Address

   elementId: TBD
   name: exporterIPv6Address
   dataType: ipv6Address
   status: current
   description: The IPv6 address used by the Exporting Process.
                This is used by the Collector to identify the
                Exporter in cases where the identity of the
                Exporter may have been obscured by the use of a
                proxy.

7.138.  portId

   elementId: TBD
   name: portId
   dataType: unsigned32
   status: current
   description: An identifier of a line port that is unique per
                IPFIX Device hosting an Observation Point.
                Typically, this Information Element is used for
                limiting the scope of other Information Elements.

7.139.  templateId

   elementId: TBD
   name: templateId
   dataType: unsigned16
   status: current
   description: An identifier of a Template that is locally unique
                within a combination of a Transport session and an
                Observation Domain.

                Template IDs 0-255 are reserved for Template Sets,
                Options Template Sets, and other reserved Sets yet
                to be created. Template IDs of Data Sets are
                numbered from 256 to 65535.

                Typically, this Information Element is used for
                limiting the scope of other Information Elements.
                Note that after a re-start of the Exporting Process
                Template identifiers may be re-assigned.

7.140.  collectorIPv4Address

   elementId: TBD
   name: collectorIPv4Address
   dataType: ipv4Address
   status: current
   description: An IPv4 address to which the Exporting Process sends
                Flow information.

7.141.  collectorIPv6Address

   elementId: TBD
   name: collectorIPv6Address
   dataType: ipv6Address
   status: current
   description: An IPv6 address to which the Exporting Process sends
                Flow information.

7.142.  informationElementIndex

   elementId: TBD
   name: informationElementIndex
   dataType: unsigned16
   status: current
   description: A zero-based index of an Information Element
                referenced by informationElementId within a Template
                referenced by templateId; used to disambiguate
                scope for templates containing multiple identical
                Information Elements.

7.143.  informationElementId

   elementId: TBD
   name: informationElementId
   dataType: unsigned16
   status: current
   description: This Information Element contains the ID of another
                Information Element.

7.144.  informationElementDataType

   elementId: TBD
   name: informationElementDataType
   dataType: unsigned8
   status: current
   description: A description of the abstract data type of an IPFIX
                information element. These are taken from the
                abstract data types defined in section 3.1 of the
                IPFIX Information Model [RFC5102]; see that section
                for more information on the types described in the
                informationElementDataType sub-registry.

                These types are registered in the IANA IPFIX
                Information Element Data Type subregistry.  This
                subregistry is intended to assign numbers for type
                names, not to provide a mechanism for adding data
                types to the IPFIX Protocol, and as such requires a
                Standards Action [RFC5226] to modify.

7.145.  informationElementDescription

   elementId: TBD
   name: informationElementDescription
   dataType: string
   status: current
   description: A UTF-8 [RFC3629] encoded Unicode string containing
                a human-readable description of an Information
                Element.  The content of the
                informationElementDescription MAY be annotated with
                one or more language tags [RFC4646], encoded
                in-line [RFC2482] within the UTF-8 string, in order
                to specify the language in which the description is
                written.  Description text in multiple languages MAY
                tag each section with its own language tag; in this
                case, the description information in each language
                SHOULD have equivalent meaning.  In the absence of
                any language tag, the "i-default" [RFC2277] language
                SHOULD be assumed.  See the Security Considerations
                section for notes on string handling for Information
                Element type records.

7.146.  informationElementName

   elementId: TBD
   name: informationElementName
   dataType: string
   status: current
   description: A UTF-8 [RFC3629] encoded Unicode string containing
                the name of an Information Element, intended as a
                simple identifier.  See the Security Considerations
                section for notes on string handling for Information
                Element type records.

7.147.  informationElementRangeBegin

   elementId: TBD
   name: informationElementRangeBegin
   dataType: unsigned64
   status: current
   description: Contains the inclusive low end of the range of
                acceptable values for an Information Element.

7.148.  informationElementRangeEnd

   elementId: TBD
   name: informationElementRangeEnd
   dataType: unsigned64
   status: current
   description: Contains the inclusive high end of the range of
                acceptable values for an Information Element.

7.149.  informationElementSemantics

   elementId: TBD
   name: informationElementSemantics
   dataType: unsigned8
   status: current
   description: A description of the semantics of an IPFIX
                Information Element.  These are taken from the data
                type semantics defined in section 3.2 of the IPFIX
                Information Model [RFC5102]; see that section for
                more information on the types defined in the
                informationElementSemantics sub-registry.  This
                field may take the values in Table ; the special
                value 0x00 (default) is used to note that no
                semantics apply to the field; it cannot be
                manipulated by a Collecting Process or File Reader
                that does not understand it a priori.

                These semantics are registered in the IANA IPFIX
                Information Element Semantics subregistry.  This
                subregistry is intended to assign numbers for
                semantics names, not to provide a mechanism for
                adding semantics to the IPFIX Protocol, and as such
                requires a Standards Action [RFC5226] to modify.

7.150.  informationElementUnits

   elementId: TBD
   name: informationElementUnits
   dataType: unsigned16
   status: current
   description: A description of the units of an IPFIX Information
                Element.  These correspond to the units implicitly
                defined in the Information Element definitions in
                section 5 of the IPFIX Information Model [RFC5102];
                see that section for more information on the types
                described in the informationElementUnits
                sub-registry. This field may take the values in
                Table 3 below; the special value 0x00 (none) is
                used to note that the field is unitless.

                These types are registered in the IANA IPFIX
                Information Element Units subregistry; new types
                may be added on a First Come First Served [RFC5226]
                basis.

7.151.  userName

   elementId: TBD
   name: userName
   dataType: string
   status: current
   description: User name associated with the flow.

7.152.  applicationCategoryName

   elementId: TBD
   name: applicationCategoryName
   dataType: string
   status: current
   description: An attribute that provides a first level
                categorization for each Application ID.

7.153.  mibObjectValueInteger

   elementId: TBD
   name: mibObjectValueInteger
   dataType: signed64
   status: current
   description: An IPFIX Information Element which denotes that the
                integer value of a MIB object will be exported.
                The MIB Object Identifier ("mibObjectIdentifier")
                for this field MUST be exported in a MIB Field
                Option or via another means.  This Information
                Element is used for MIB objects with the Base
                Syntax of Integer32 and INTEGER with IPFIX Reduced
                Size Encoding used as required. The value is
                encoded as per the standard IPFIX Abstract Data Type
                of signed64.

7.154.  mibObjectValueOctetString

   elementId: TBD
   name: mibObjectValueOctetString
   dataType: octetArray
   status: current
   description: An IPFIX Information Element which denotes that an
                Octet String or Opaque value of a MIB object will
                be exported. The MIB Object Identifier
                ("mibObjectIdentifier") for this field MUST be
                exported in a MIB Field Option or via another means.
                This Information Element is used for MIB objects
                with the Base Syntax of OCTET STRING and Opaque. The
                value is encoded as per the standard IPFIX Abstract
                Data Type of octetArray.

7.155.  mibObjectValueOID

   elementId: TBD
   name: mibObjectValueOID
   dataType: octetArray
   status: current
   description: An IPFIX Information Element which denotes that an
                Object Identifier or OID value of a MIB object will
                be exported. The MIB Object Identifier
                ("mibObjectIdentifier") for this field MUST be
                exported in a MIB Field Option or via another means.
                This Information Element is used for MIB objects
                with the Base Syntax of OBJECT IDENTIFIER.  Note -
                In this case the "mibObjectIdentifier" will define
                which MIB object is being exported while the value
                contained in this Information Element will be an
                OID as a value.  The mibObjectValueOID Information
                Element is encoded as ASN.1/BER [BER] in an
                octetArray.

7.156.  mibObjectValueBits

   elementId: TBD
   name: mibObjectValueBits
   dataType: octetArray
   status: current
   description: An IPFIX Information Element which denotes that a
                set of Enumerated flags or bits from a MIB object
                will be exported. The MIB Object Identifier
                ("mibObjectIdentifier") for this field MUST be
                exported in a MIB Field Option or via another means.
                This Information Element is used for MIB objects
                with the Base Syntax of BITS.  The flags or bits are
                encoded as per the standard IPFIX Abstract Data Type
                of octetArray, with sufficient length to accommodate
                the required number of bits.  If the number of bits
                is not an integer multiple of octets then the most
                significant bits at end of the octetArray MUST be
                set to zero.
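   The padding rule above (unused bits at the end of the octetArray
   MUST be zero) is easy to get wrong on both sides.  The following is
   an added example, not text from this draft or from the IPFIX MIB
   export work it quotes; it assumes the SMIv2 BITS convention that bit
   0 is the most significant bit of the first octet, and it rejects an
   octetArray whose padding bits are non-zero instead of silently
   accepting it.

```python
# Added example: encode/decode an SNMP BITS value as the octetArray
# carried in mibObjectValueBits.  Assumed convention (SMIv2 BITS):
# bit 0 is the MSB of octet 0, bit 8 the MSB of octet 1, and so on.
# Padding bits beyond the object's defined width MUST be zero.

def encode_bits(set_bits, nbits):
    """Return the octetArray for a BITS object with nbits defined bits."""
    if any(b < 0 or b >= nbits for b in set_bits):
        raise ValueError("bit number outside the object's defined range")
    out = bytearray((nbits + 7) // 8)       # round up to whole octets
    for b in set_bits:
        out[b // 8] |= 0x80 >> (b % 8)      # bit 0 is the MSB of octet 0
    return bytes(out)


def padding_is_zero(octets, nbits):
    """True if every bit beyond nbits (the trailing padding) is zero."""
    pad = len(octets) * 8 - nbits
    return pad == 0 or (octets[-1] & ((1 << pad) - 1)) == 0


def decode_bits(octets, nbits):
    """Return the set of bit numbers that are set; reject bad padding."""
    if len(octets) != (nbits + 7) // 8:
        raise ValueError("octetArray length does not match the bit count")
    if not padding_is_zero(octets, nbits):
        raise ValueError("padding bits in the last octet are not zero")
    return {i for i in range(nbits) if octets[i // 8] & (0x80 >> (i % 8))}


if __name__ == "__main__":
    # Constructed sample: a 10-bit BITS object with bits 0, 7 and 9 set.
    enc = encode_bits({0, 7, 9}, 10)
    print(enc.hex())                    # 8140
    print(sorted(decode_bits(enc, 10))) # [0, 7, 9]
```

   A Collector that decodes without the padding check would accept an
   octetArray such as 0x8141 for a 10-bit object, which an Exporter is
   forbidden to send; treating it as an error surfaces a broken or
   mismatched Template early.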

7.157.  mibObjectValueIPAddress

   elementId: TBD
   name: mibObjectValueIPAddress
   dataType: ipv4Address
   status: current
   description: An IPFIX Information Element which denotes that the
                IPv4 Address of a MIB object will be exported.  The
                MIB Object Identifier ("mibObjectIdentifier") for
                this field MUST be exported in a MIB Field Option
                or via another means.  This Information Element is
                used for MIB objects with the Base Syntax of
                IPaddress. The value is encoded as per the standard
                IPFIX Abstract Data Type of ipv4Address.

7.158.  mibObjectValueCounter

   elementId: TBD
   name: mibObjectValueCounter
   dataType: unsigned64
   status: current
   description: An IPFIX Information Element which denotes that the
                counter value of a MIB object will be exported.
                The MIB Object Identifier ("mibObjectIdentifier")
                for this field MUST be exported in a MIB Field
                Option or via another means.  This Information
                Element is used for MIB objects with the Base
                Syntax of Counter32 or Counter64 with IPFIX Reduced
                Size Encoding used as required. The value is encoded
                as per the standard IPFIX Abstract Data Type
                of unsigned64.

7.159.  mibObjectValueGauge

   elementId: TBD
   name: mibObjectValueGauge
   dataType: unsigned32
   status: current
   description: An IPFIX Information Element which denotes that the
                Gauge value of a MIB object will be exported.  The
                MIB Object Identifier ("mibObjectIdentifier") for
                this field MUST be exported in a MIB Field Option
                or via another means.  This Information Element is
                used for MIB objects with the Base Syntax of Gauge32.
                The value is encoded as per the standard IPFIX
                Abstract Data Type of unsigned64.  This value will
                represent a non-negative integer, which may increase
                or decrease, but shall never exceed a maximum
                value, nor fall below a minimum value.

7.160.  mibObjectValueTimeTicks

   elementId: TBD
   name: mibObjectValueTimeTicks
   dataType: unsigned32
   status: current
   description: An IPFIX Information Element which denotes that the
                TimeTicks value of a MIB object will be exported.
                The MIB Object Identifier ("mibObjectIdentifier")
                for this field MUST be exported in a MIB Field
                Option or via another means.  This Information
                Element is used for MIB objects with the Base
                Syntax of TimeTicks. The value is encoded as per
                the standard IPFIX Abstract Data Type of unsigned32.

7.161.  mibObjectValueUnsigned

   elementId: TBD
   name: mibObjectValueUnsigned
   dataType: unsigned64
   status: current
   description: An IPFIX Information Element which denotes that an
                unsigned integer value of a MIB object will be
                exported.  The MIB Object Identifier
                ("mibObjectIdentifier") for this field MUST be
                exported in a MIB Field Option or via another means.
                This Information Element is used for MIB objects
                with the Base Syntax of unsigned64 with IPFIX
                Reduced Size Encoding used as required. The value is
                encoded as per the standard IPFIX Abstract Data Type
                of unsigned64.

7.162.  mibObjectValueTable

   elementId: TBD
   name: mibObjectValueTable
   dataType: orderedList
   status: current
   description: An IPFIX Information Element which denotes that a
                complete or partial conceptual table will be
                exported.  The MIB Object Identifier
                ("mibObjectIdentifier") for this field MUST be
                exported in a MIB Field Option or via another means.
                This Information Element is used for MIB objects
                with a SYNTAX of SEQUENCE.  This is encoded as a
                subTemplateList of mibObjectValue Information
                Elements.  The template specified in the
                subTemplateList MUST be an Options Template and
                MUST include all the Objects listed in the INDEX
                clause as Scope Fields.
   structure:   orderedList(mibObjectValueRow+)

7.163.  mibObjectValueRow

   elementId: TBD
   name: mibObjectValueRow
   dataType: orderedList
   status: current
   description: An IPFIX Information Element which denotes that a
                single row of a conceptual table will be exported.
                The MIB Object Identifier ("mibObjectIdentifier")
                for this field MUST be exported in a MIB Field
                Option or via another means.  This Information
                Element is used for MIB objects with a SYNTAX of
                SEQUENCE.  This is encoded as a subTemplateList of
                mibObjectValue Information Elements.  The
                subTemplateList exported MUST contain exactly one
                row (i.e., one instance of the subtemplate).  The
                template specified in the subTemplateList MUST be
                an Options Template and MUST include all the
                Objects listed in the INDEX clause as Scope Fields.
   structure:   orderedList(mibObjectValue+)

7.164.  mibObjectIdentifier

   elementId: TBD
   name: mibObjectIdentifier
   dataType: octetArray
   status: current
   description: An IPFIX Information Element which denotes that a
                MIB Object Identifier (MIB OID) is exported in the
                (Options) Template Record.  The mibObjectIdentifier
                Information Element contains the OID assigned to
                the MIB Object Type Definition encoded as
                ASN.1/BER [BER].
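   Both mibObjectValueOID (7.155) and mibObjectIdentifier carry an OID
   as ASN.1/BER in an octetArray.  The following is an added example,
   not code from this draft, showing the standard BER OBJECT IDENTIFIER
   encoding (tag 0x06, definite length, first two arcs folded into
   40*X+Y, base-128 sub-identifiers with continuation bits) and a
   decoder that refuses truncated or unterminated content.  The sample
   OIDs are constructed: sysUpTime.0 and a Private Enterprise Number
   arc using the documentation value 32473.

```python
# Added example: BER encoding of an OBJECT IDENTIFIER (X.690) for use in
# mibObjectIdentifier / mibObjectValueOID octetArrays.

OID_TAG = 0x06


def _encode_subid(value):
    """Base-128, most significant group first, high bit on all but last."""
    groups = [value & 0x7F]
    value >>= 7
    while value:
        groups.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(groups))


def _encode_length(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """'1.3.6.1.2.1.1.3.0' -> b'\\x06\\x08+\\x06\\x01\\x02\\x01\\x01\\x03\\x00'"""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID")
    content = _encode_subid(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        content += _encode_subid(arc)
    return bytes([OID_TAG]) + _encode_length(len(content)) + content


def decode_oid(ber):
    """Inverse of encode_oid; raises ValueError on malformed input."""
    if len(ber) < 2 or ber[0] != OID_TAG:
        raise ValueError("not a BER OBJECT IDENTIFIER")
    if ber[1] < 0x80:
        length, pos = ber[1], 2
    else:
        nlen = ber[1] & 0x7F
        length = int.from_bytes(ber[2:2 + nlen], "big")
        pos = 2 + nlen
    content = ber[pos:pos + length]
    if length == 0 or len(content) != length:
        raise ValueError("truncated OID content")
    if content[-1] & 0x80:
        raise ValueError("unterminated sub-identifier")
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:            # last group of this sub-identifier
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])
```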

7.165.  mibSubIdentifier

   elementId: TBD
   name: mibSubIdentifier
   dataType: unsigned32
   status: current
   description: A non-negative sub-identifier of an Object
                Identifier (OID).

7.166.  mibIndexIndicator

   elementId: TBD
   name: mibIndexIndicator
   dataType: unsigned64
   status: current
   description: This set of bit fields is used for marking the
                Information Elements of a Data Record that serve as
                INDEX MIB objects for an indexed Columnar MIB
                object.  Each bit represents an Information Element
                in the Data Record with the n-th bit representing
                the n-th Information Element.  A bit set to value 1
                indicates that the corresponding Information Element
                is an index of the Columnar Object represented by
                the mibFieldValue.  A bit set to value 0 indicates
                that this is not the case.

                If the Data Record contains more than 64
                Information Elements, the corresponding Template
                SHOULD be designed such that all INDEX
                Fields are among the first 64 Information Elements,
                because the mibIndexIndicator only contains 64 bits.
                If the Data Record contains less than 64
                Information Elements, then the extra bits in the
                mibIndexIndicator for which no corresponding
                Information Element exists MUST have the value 0,
                and must be disregarded by the Collector.  This
                Information Element may be exported with
                IPFIX Reduced Size Encoding.
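   The following is an added example, not text from this draft, of how
   an Exporter would build a mibIndexIndicator for a Template and how a
   Collector would read it back.  The definition does not fix the bit
   ordering, so the example assumes that the n-th Information Element
   (counting from 0) maps to bit n with bit 0 the least significant bit
   of the unsigned64; the field names are constructed from the ifTable.

```python
# Added example: mibIndexIndicator builder (Exporter) and reader
# (Collector).  Assumption: bit n (LSB = bit 0) marks the n-th IE.

MAX_BITS = 64  # the IE is an unsigned64, so at most 64 markable fields


def build_index_indicator(field_names, index_fields):
    """Exporter side: return the unsigned64 marking which fields of the
    Data Record (given in record order) are INDEX objects."""
    missing = set(index_fields) - set(field_names)
    if missing:
        raise ValueError(f"INDEX fields not in record: {sorted(missing)}")
    indicator = 0
    for n, name in enumerate(field_names):
        if name in index_fields:
            if n >= MAX_BITS:
                # The definition says such Templates SHOULD keep all INDEX
                # fields among the first 64 IEs; refuse rather than drop one.
                raise ValueError(
                    f"INDEX field {name!r} is at position {n}; "
                    "it must be among the first 64 Information Elements")
            indicator |= 1 << n
    return indicator


def index_fields_from_indicator(indicator, field_names):
    """Collector side: return the names of the fields marked as INDEX.
    Bits with no corresponding field are disregarded, as the IE requires."""
    if not 0 <= indicator < (1 << MAX_BITS):
        raise ValueError("indicator does not fit in an unsigned64")
    usable = min(len(field_names), MAX_BITS)
    return [name for n, name in enumerate(field_names[:usable])
            if (indicator >> n) & 1]


if __name__ == "__main__":
    # Constructed ifTable-like record: ifIndex is the INDEX object.
    fields = ["ifIndex", "ifDescr", "ifInOctets", "ifOutOctets"]
    ind = build_index_indicator(fields, {"ifIndex"})
    print(ind, index_fields_from_indicator(ind, fields))  # 1 ['ifIndex']
```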

7.167.  mibCaptureTimeSemantics

   elementId: TBD
   name: mibCaptureTimeSemantics
   dataType: unsigned8
   status: current
   description: Indicates when in the lifetime of the flow the MIB
                value was retrieved from the MIB for a
                mibObjectIdentifier.  This is used to indicate if
                the value exported was collected from the MIB
                closer to flow creation or flow export time and
                will refer to the Timestamp fields included in the
                same record.  This field SHOULD be used when
                exporting a mibObjectValue that specifies counters
                or statistics.

                If the MIB value was sampled by SNMP prior to the
                IPFIX Metering Process or Exporting Process
                retrieving the value (i.e., the data is already
                stale) and it's important to know the exact sampling
                time, then an additional observationTime* element
                should be paired with the OID using structured data.
                Similarly, if different mibCaptureTimeSemantics
                apply to different mibObject elements within the
                Data Record, then individual mibCaptureTimeSemantics
                should be paired with each OID using structured data.

                Values:
                0.  undefined
                1.  begin - The value for the MIB object is captured
                from the MIB when the Flow is first observed
                2.  end - The value for the MIB object is captured
                from the MIB when the Flow ends
                3.  export - The value for the MIB object is
                captured from the MIB at export time
                4.  average - The value for the MIB object is an
                average of multiple captures from the MIB over the
                observed life of the Flow

7.168.  mibContextEngineID

   elementId: TBD
   name: mibContextEngineID
   dataType: octetArray
   status: current
   description: A mibContextEngineID that specifies the SNMP engine
                ID for a MIB field being exported over IPFIX.
                Definition as per [RFC3411] section 3.3.

7.169.  mibContextName

   elementId: TBD
   name: mibContextName
   dataType: string
   status: current
   description: This Information Element denotes that a MIB Context
                Name is specified for a MIB field being exported
                over IPFIX. Reference [RFC3411] section 3.3.

7.170.  mibObjectName

   elementId: TBD
   name: mibObjectName
   dataType: string
   status: current
   description: The name (called a descriptor in [RFC2578]) of an
                object type definition.

7.171.  mibObjectDescription

   elementId: TBD
   name: mibObjectDescription
   dataType: string
   status: current
   description: The value of the DESCRIPTION clause of an MIB object
                type definition.

7.172.  mibObjectSyntax

   elementId: TBD
   name: mibObjectSyntax
   dataType: string
   status: current
   description: The value of the SYNTAX clause of an MIB object type
                definition, which may include a Textual Convention
                or Subtyping. See [RFC2578].

7.173.  mibModuleName

   elementId: TBD
   name: mibModuleName
   dataType: string
   status: current
   description: The textual name of the MIB module that defines a MIB
                Object.

7.174.  interface

   elementId: TBD
   name: interface
   dataType: list
   structure: list (interfaceName, hwAddress, inetAddr, netmask)
   status: current
   description: Represents an interface and its configuration
   options.

7.175.  interfaceName

   elementId: TBD
   name: interfaceName
   dataType: string
   status: current
   description: The interface name.

7.176.  iflisteners

   elementId: TBD
   name: iflisteners
   dataType: list
   structure: list (interfaceName, physicalProtocol, hwAddress,
         programName, pid, userId)
   status: current
   description: Stores the results of checking for applications that
   are bound to an ethernet interface on the system.

7.177.  physicalProtocol

   elementId: TBD
   name: physicalProtocol
   dataType: enumeration
   structure:
   ETH_P_LOOP ; 0x1 ; Ethernet loopback packet.
   ETH_P_PUP ; 0x2 ; Xerox PUP packet.
   ETH_P_PUPAT ; 0x3 ; Xerox PUP Address Transport packet.
   ETH_P_IP ; 0x4 ; Internet protocol packet.
   ETH_P_X25 ; 0x5 ; CCITT X.25 packet.
   ETH_P_ARP ; 0x6 ; Address resolution packet.
   ETH_P_BPQ ; 0x7 ; G8BPQ AX.25 ethernet packet.
   ETH_P_IEEEPUP ; 0x8 ; Xerox IEEE802.3 PUP packet.
   ETH_P_IEEEPUPAT ; 0x9 ; Xerox IEEE802.3 PUP address transport
                           packet.
   ETH_P_DEC ; 0xA ; DEC assigned protocol.
   ETH_P_DNA_DL ; 0xB ; DEC DNA Dump/Load.

   ETH_P_DNA_RC ; 0xC ; DEC DNA Remote Console.
   ETH_P_DNA_RT ; 0xD ; DEC DNA Routing.
   ETH_P_LAT ; 0xE ; DEC LAT.
   ETH_P_DIAG ; 0xF ; DEC Diagnostics.
   ETH_P_CUST ; 0x10 ; DEC Customer use.
   ETH_P_SCA ; 0x11 ; DEC Systems Comms Arch.
   ETH_P_RARP ; 0x12 ; Reverse address resolution packet.
   ETH_P_ATALK ; 0x13 ; Appletalk DDP.
   ETH_P_AARP ; 0x14 ; Appletalk AARP.
   ETH_P_8021Q ; 0x15 ; 802.1Q VLAN Extended Header.
   ETH_P_IPX ; 0x16 ; IPX over DIX.
   ETH_P_IPV6 ; 0x17 ; IPv6 over bluebook.
   ETH_P_SLOW ; 0x18 ; Slow Protocol. See 802.3ad 43B.
   ETH_P_WCCP ; 0x19 ; Web-cache coordination protocol.
   ETH_P_PPP_DISC ; 0x1A ; PPPoE discovery messages.
   ETH_P_PPP_SES ; 0x1B ; PPPoE session messages.
   ETH_P_MPLS_UC ; 0x1C ; MPLS Unicast traffic.
   ETH_P_MPLS_MC ; 0x1D ; MPLS Multicast traffic.
   ETH_P_ATMMPOA ; 0x1E ; MultiProtocol Over ATM.
   ETH_P_ATMFATE ; 0x1F ; Frame-based ATM Transport over Ethernet.
   ETH_P_AOE ; 0x20 ; ATA over Ethernet.
   ETH_P_TIPC ; 0x21 ; TIPC.
   ETH_P_802_3 ; 0x22 ; Dummy type for 802.3 frames.
   ETH_P_AX25 ; 0x23 ; Dummy protocol id for AX.25.
   ETH_P_ALL ; 0x24 ; Every packet.
   ETH_P_802_2 ; 0x25 ; 802.2 frames.
   ETH_P_SNAP ; 0x26 ; Internal only.
   ETH_P_DDCMP ; 0x27 ; DEC DDCMP: Internal only
   ETH_P_WAN_PPP ; 0x28 ; Dummy type for WAN PPP frames.
   ETH_P_PPP_MP ; 0x29 ; Dummy type for PPP MP frames.
   ETH_P_PPPTALK ; 0x2A ; Dummy type for Atalk over PPP.
   ETH_P_LOCALTALK ; 0x2B ; Localtalk pseudo type.
   ETH_P_TR_802_2 ; 0x2C ; 802.2 frames.
   ETH_P_MOBITEX ; 0x2D ; Mobitex.
   ETH_P_CONTROL ; 0x2E ; Card specific control frames.
   ETH_P_IRDA ; 0x2F ; Linux-IrDA.
   ETH_P_ECONET ; 0x30 ; Acorn Econet.
   ETH_P_HDLC ; 0x31 ; HDLC frames.
   ETH_P_ARCNET ; 0x32 ; 1A for ArcNet.
                ; 0x33 ; The empty string value is permitted here
                to allow for detailed error reporting.
   status: current
   description: The physical layer protocol used by the AF_PACKET
   socket.

7.178.  hwAddress

   elementId: TBD
   name: hwAddress
   dataType: string
   status: current
   description: The hardware address associated with the interface.

7.179.  programName

   elementId: TBD
   name: programName
   dataType: string
   status: current
   description: The name of the communicating program.

7.180.  userId

   elementId: TBD
   name: userId
   dataType: integer
   status: current
   description: The numeric user id.

7.181.  inetlisteningserver

   elementId: TBD
   name: inetlisteningserver
   dataType: list
   structure: list (transportProtocol, localAddress,
         localPort, localFullAddress, programName, foreignAddress,
         foreignPort, foreignFullAddress, pid, userId)
   status: current
   description: Stores the results of checking for network servers
   currently active on a system. It holds information pertaining to
   a specific protocol-address-port combination.

7.182.  transportProtocol

   elementId: TBD
   name: transportProtocol
   dataType: string
   status: current
   description: The transport-layer protocol (tcp or udp).

7.183.  localAddress

   elementId: TBD
   name: localAddress
   dataType: ipAddress
   status: current
   description: This is the IP address being listened to. Note that
   the IP address can be IPv4 or IPv6.

7.184.  localPort

   elementId: TBD
   name: localPort
   dataType: integer
   status: current
   description: This is the TCP or UDP port being listened to.

7.185.  localFullAddress

   elementId: TBD
   name: localFullAddress
   dataType: string
   status: current
   description: The IP address and network port on which the program
   listens, including the local address and the local port. Note
   that the IP address can be IPv4 or IPv6.

7.186.  foreignAddress

   elementId: TBD
   name: foreignAddress
   dataType: ipAddress
   status: current
   description: The IP address with which the program is
   communicating, or with which it will communicate. Note that the
   IP address can be IPv4 or IPv6.

7.187.  foreignFullAddress

   elementId: TBD
   name: foreignFullAddress
   dataType: ipAddress
   status: current
   description: The IP address and network port to which the program
   is communicating or will accept communications from, including
   the foreign address and foreign port. Note that this IP address
   can be IPv4 or IPv6.
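   localFullAddress and foreignFullAddress each combine an address
   that may be IPv4 or IPv6 with a port in a single string, so the
   string form has to be unambiguous for IPv6 (a bare "::1:22" cannot
   be split reliably).  The following is an added example, not code
   from this draft; the bracketed "[addr]:port" form for IPv6 is an
   assumption borrowed from the usual host:port convention, and the
   sample addresses are constructed documentation values.

```python
# Added example: compose and parse the *FullAddress string values.
# Assumption: IPv6 addresses are written in brackets, "[2001:db8::1]:443".
import ipaddress


def full_address(ip, port):
    """Build a FullAddress string; rejects junk addresses and bad ports."""
    addr = ipaddress.ip_address(ip)        # ValueError on malformed input
    port = int(port)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if addr.version == 6:
        return f"[{addr.compressed}]:{port}"
    return f"{addr}:{port}"


def split_full_address(text):
    """Inverse of full_address; returns (ipaddress object, port)."""
    if text.startswith("["):
        host, sep, port = text[1:].partition("]:")
        if not sep:
            raise ValueError("malformed bracketed IPv6 full address")
    else:
        host, sep, port = text.rpartition(":")
        if not sep or ":" in host:
            raise ValueError("unbracketed IPv6 address or missing port")
    addr = ipaddress.ip_address(host)
    port = int(port)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return addr, port


if __name__ == "__main__":
    print(full_address("192.0.2.10", 22))        # 192.0.2.10:22
    print(full_address("2001:db8::1", 443))      # [2001:db8::1]:443
    print(split_full_address("[2001:db8::1]:443"))
```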

7.188.  selinuxboolean

   elementId: TBD
   name: selinuxboolean
   dataType: list
   structure: list (selinuxName, currentStatus,
         pendingStatus)
   status: current
   description: Describes the current and pending status of a
   SELinux boolean.

7.189.  selinuxName

   elementId: TBD
   name: selinuxName
   dataType: string
   status: current
   description: The name of the SELinux boolean.

7.190.  currentStatus

   elementId: TBD
   name: currentStatus
   dataType: boolean
   status: current
   description: Indicates the current state of the specified SELinux
   boolean.

7.191.  pendingStatus

   elementId: TBD
   name: pendingStatus
   dataType: boolean
   status: current
   description: Indicates the pending state of the specified SELinux
   boolean.

7.192.  selinuxsecuritycontext

   elementId: TBD
   name: selinuxsecuritycontext
   dataType: list
   structure: list (filepath, path, filename, pid,
         username, role, domainType, lowSensitivity, lowCategory,
         highSensitivity, highCategory, rawlowSensitivity,
         rawlowCategory, rawhighSensitivity, rawhighCategory)
   status: current
   description: Describes the SELinux security context of a file or
   process on the local system.

7.193.  filepath

   elementId: TBD
   name: filepath
   dataType: string
   status: current
   description: Specifies the absolute path for a file on the
   machine. A directory cannot be specified as a filepath.

7.194.  path

   elementId: TBD
   name: path
   dataType: string
   status: current
   description: Specifies the directory component of the absolute
   path to a file on the machine.

7.195.  filename

   elementId: TBD
   name: filename
   dataType: string
   status: current
   description: The name of the file.

7.196.  pid

   elementId: TBD
   name: pid
   dataType: integer
   status: current
   description: The process ID of the process.

7.197.  role

   elementId: TBD
   name: role
   dataType: string
   status: current
   description: Specifies the types that a process may transition to
   (domain transitions).

7.198.  domainType

   elementId: TBD
   name: domainType
   dataType: string
   status: current
   description: Specifies the domain in which the file is accessible
   or the domain in which a process executes.

7.199.  lowSensitivity

   elementId: TBD
   name: lowSensitivity
   dataType: string
   status: current
   description: Specifies the current sensitivity of a file or
   process.

7.200.  lowCategory

   elementId: TBD
   name: lowCategory
   dataType: string
   status: current
   description: Specifies the set of categories associated with the
   low sensitivity.

7.201.  highSensitivity

   elementId: TBD
   name: highSensitivity
   dataType: string
   status: current
   description: Specifies the maximum range for a file or the
   clearance for a process.

7.202.  highCategory

   elementId: TBD
   name: highCategory
   dataType: string
   status: current
   description: Specifies the set of categories associated with the
   high sensitivity.

7.203.  rawlowSensitivity

   elementId: TBD
   name: rawlowSensitivity
   dataType: string
   status: current
   description: Specifies the current sensitivity of a file or
   process but in its raw context.

7.204.  rawlowCategory

   elementId: TBD
   name: rawlowCategory
   dataType: string
   status: current
   description: Specifies the set of categories associated with the
   low sensitivity but in its raw context.

7.205.  rawhighSensitivity

   elementId: TBD
   name: rawhighSensitivity
   dataType: string
   status: current
   description: Specifies the maximum range for a file or the
   clearance for a process but in its raw context.

7.206.  rawhighCategory

   elementId: TBD
   name: rawhighCategory
   dataType: string
   status: current
   description: Specifies the set of categories associated with the
   high sensitivity but in its raw context.

7.207.  systemdunitdependency

   elementId: TBD
   name: systemdunitdependency
   dataType: list
   structure: list (unit, dependency)
   status: current
   description: Stores the dependencies of the systemd unit.

7.208.  unit

   elementId: TBD
   name: unit
   dataType: string
   status: current
   description: Refers to the full systemd unit name, which has a
   form of "$name.$type". For example "cupsd.service". This name is
   usually also the filename of the unit configuration file.

7.209.  dependency

   elementId: TBD
   name: dependency
   dataType: string
   status: current
   description: Refers to the name of a unit that was confirmed to
   be a dependency of the given unit.

7.210.  systemdunitproperty

   elementId: TBD
   name: systemdunitproperty
   dataType: list
   structure: list (unit, property, systemdunitValue)
   status: current
   description: Stores the properties and values of a systemd unit.

7.211.  property

   elementId: TBD
   name: property
   dataType: string
   status: current
   description: The property associated with a systemd unit.

7.212.  systemdunitValue

   elementId: TBD
   name: systemdunitValue
   dataType: string
   status: current
   description: The value of the property associated with a systemd
   unit. Exactly one value shall be used for all property types
   except dbus arrays - each array element shall be represented by
   one value.

7.213.  file

   elementId: TBD
   name: file
   dataType: list
   structure: list (filepath, path, filename, fileType, userId,
   aTime, changeTime, mTime, size)
   status: current
   description: The metadata associated with a file on the endpoint.

7.214.  fileType

   elementId: TBD
   name: fileType
   dataType: string
   status: current
   description: The file's type (e.g., regular file (regular),
   directory, named pipe (fifo), symbolic link, socket or block
   special.)

7.215.  groupId

   elementId: TBD
   name: groupId
   dataType: integer
   status: current
   description: The group owner of the file, by group number.

7.216.  aTime

   elementId: TBD
   name: aTime
   dataType: timeStamp
   status: current
   description: The time that the file was last accessed.

7.217.  changeTime

   elementId: TBD
   name: changeTime
   dataType: timeStamp
   status: current
   description: The time of the last change to the file's inode.

7.218.  mTime

   elementId: TBD
   name: mTime
   dataType: timeStamp
   status: current
   description: The time of the last change to the file's contents.

7.219.  size

   elementId: TBD
   name: size
   dataType: integer
   status: current
   description: This is the size of the file in bytes.

7.220.  suid

   elementId: TBD
   name: suid
   dataType: boolean
   status: current
   description: Indicates whether the program runs with the uid
   (thus privileges) of the file's owner, rather than the calling
   user.

7.221.  sgid

   elementId: TBD
   name: sgid
   dataType: boolean
   status: current
   description: Indicates whether the program runs with the gid
   (thus privileges) of the file's group owner, rather than the
   calling user's group.

7.222.  sticky

   elementId: TBD
   name: sticky
   dataType: boolean
   status: current
   description: Indicates whether users can delete each other's
   files in this directory, when said directory is writable by
   those users.
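   The fileType (7.214), suid, sgid and sticky Information Elements
   are all derived from the same POSIX mode bits, and an assessment
   collector that reports them should read those bits directly rather
   than trust a listing.  The following is an added example, not code
   from this draft; it uses only the standard stat module masks, adds
   "character special" beyond the types the fileType text lists as
   examples, and uses lstat so a symbolic link is reported as such
   rather than followed.

```python
# Added example: populate the file subject's mode-derived IEs from st_mode.
import os
import stat

# Labels follow the examples given in the fileType definition; the
# "character special" entry is an addition for completeness.
_TYPE_TESTS = [
    (stat.S_ISREG, "regular"),
    (stat.S_ISDIR, "directory"),
    (stat.S_ISFIFO, "fifo"),
    (stat.S_ISLNK, "symbolic link"),
    (stat.S_ISSOCK, "socket"),
    (stat.S_ISBLK, "block special"),
    (stat.S_ISCHR, "character special"),
]


def file_type(mode):
    """Return the fileType label for a st_mode value."""
    for test, label in _TYPE_TESTS:
        if test(mode):
            return label
    return "unknown"


def mode_ies(mode):
    """Return the IEs that depend only on the mode bits."""
    return {
        "fileType": file_type(mode),
        "suid": bool(mode & stat.S_ISUID),    # runs with the owner's uid
        "sgid": bool(mode & stat.S_ISGID),    # runs with the group's gid
        "sticky": bool(mode & stat.S_ISVTX),  # restricted deletion bit
    }


def file_ies(path):
    """Collect the file subject for a real path on the local endpoint."""
    st = os.lstat(path)                       # do not follow symlinks
    full = os.path.abspath(path)
    ies = {
        "filepath": full,
        "path": os.path.dirname(full),
        "filename": os.path.basename(full),
        "userId": st.st_uid,
        "groupId": st.st_gid,
        "aTime": st.st_atime,
        "changeTime": st.st_ctime,
        "mTime": st.st_mtime,
        "size": st.st_size,
    }
    ies.update(mode_ies(st.st_mode))
    return ies


if __name__ == "__main__":
    # Constructed modes: a setuid regular file and a sticky directory.
    print(mode_ies(0o104755))   # regular, suid True
    print(mode_ies(0o41777))    # directory, sticky True
    print(file_ies("."))
```

   A posture check for unexpected setuid binaries is then a filter over
   the collected subjects on suid being true, with the userId telling
   whose privileges the program would run with.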

7.223.  hasExtendedAcl

   elementId: TBD
   name: hasExtendedAcl
   dataType: boolean
   status: current
   description: Indicates whether the file or directory hasACL
   permissions applied to it. If a system supports ACLs and the SACM IM allows for circular
   file or
   recursive nesting.  The association directory doesn't have an ACL, or it matches the standard
   UNIX permissions, the entity will have a status of IEs via nesting results in 'exists' and
   a
   tree-like structure wherein subjects compose value of 'false'. If the root and
   intermediary nodes system supports ACLs and attributes the leaves of the tree.  This
   semantic structure does not impose a specific structure on SACM data
   models regarding data in motion file or data repository schemata for data
   at rest.

   The SACM IM provides two conceptual top-level subjects that are used
   to ensure
   directory has an ACL, the entity will have a homogeneous structure for SACM content and its associated
   metadata: SACM statements status of 'exists'
   and SACM content-elements.  Every set a value of
   IEs that is provided by 'true'. Lastly, if a SACM component must provide system doesn't support ACLs,
   the entity will have a status of 'does not exist'.

7.224.  inetd

   elementId: TBD
   name: inetd
   dataType: list
   structure: list (serviceProtocol, serviceName, serverProgram,
         serverArguments, endpointType, execAsUser, waitStatus)
   status: current
   description: Holds information
   contained in these two subjects although it is up associated
         with different Internet services.

7.225.  serverProgram

   elementId: TBD
   name: serverProgram
   dataType: string
   status: current
   description: Either the pathname of a server program to be
   invoked by inetd to perform the implementer
   whether requested service, or not the subjects are explicitly defined in value
   internal if inetd itself provides the service.

7.226.  endpointType

   elementId: TBD
   name: endpointType
   dataType: enumeration
   structure:
   stream ; 0x1 ; The stream value is used to describe a data model. stream
   socket.
   dgram ; 0x2 ; The notation the SACM IM dgram value is defined in used to describe a datagram
   socket.
   raw ; 0x3 ; The raw value is based on used to describe a modified version
   of the IP Information Flow Export (IPFIX) Information Model syntax
   described in Section 2.1 of [RFC7012]. raw socket.
   seqpacket ; 0x4 ; The customized syntax seqpacket value is used by
   the SACM IM to describe a
   sequenced packet socket.
   tli ; 0x5 ; The tli value is defined below in Figure 2.

       elementId (required): used to describe all TLI endpoints.
   sunrpc_tcp ; 0x6 ; The numeric identifier of the
                                Information Element. It sunrpc_tcp value is used to describe all
   SUNRPC TCP endpoints.
   sunrpc_udp ; 0x7 ; The sunrpc_udp value is used to describe all
   SUNRPC UDP endpoints.
    ; 0x8 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The endpoint type (aka, socket type) associated with
   the compact identification service.

7.227.  execAsUser

   elementId: TBD
   name: execAsUser
   dataType: string
   status: current
   description: The user id of an Information Element. If
                                this identifier is used without
                                an enterpriseID, then the
                                elementId must be unique, and user the description of allowed values
                                is administrated by IANA.
         server program should run under.

7.228.  waitStatus
   elementId: TBD
   name: waitStatus
   dataType: enumeration
   structure: wait ; 0x1 ; The value "TBD" may be used during
                                development of 'wait' specifies that the information
                                model until an elementId
   server that is
                                assigned invoked by IANA and filled
                                in at publication time.

       enterpriseId (optional): Enterprises may wish to define
                                Information Elements without
                                registering them inetd will take over the listening
   socket associated with IANA, the service, and once launched, inetd will
   wait for
                                example, that server to exit, if ever, before it resumes
   listening for enterprise-internal
                                purposes.  For such Information
                                Elements, new service requests.

   nowait ; 0x2 ; The value of 'nowait' specifies that the elementId server
   that is
                                not sufficient when used
                                outside the enterprise. If
                                specifications of enterprise-
                                specific Information Elements
                                are made public and/or if
                                enterprise-specific identifiers
                                are used invoked by SACM components
                                outside the enterprise, then inetd will not wait for any existing server
   to finish before taking over the
                                enterprise-specific identifier
                                MUST be made globally unique by
                                combining it listening socket associated with an enterprise
                                identifier.  Valid values for
   the
                                enterpriseId are defined by IANA
                                as Structure of Management
                                Information (SMI) network management
                                private enterprise numbers.

       name (required):         A unique and meaningful name service.

   ; 0x3 ; The empty string value is permitted here to allow for
                                the Information Element.

       dataType (required):     There are two kinds of datatypes:
                                simple and structured. Attributes are
                                defined using simple datatypes
   detailed error reporting.
   status: current
   description: Specifies whether the server that is invoked by
   inetd will take over the listening socket associated with the
   service, and subjects whether once launched, inetd will wait for that
   server to exit, if ever, before it resumes listening for new
   service requests. The legal values are defined using
                                structured datatypes. "wait" or "nowait".

7.229.  inetAddr

   elementId: TBD
   name: inetAddr
   dataType: ipAddress
   status: current
   description: The contents IP address of the datatype field will be either
                                a reference to one of specific interface. Note that
   the simple
                                datatypes listed in Section
                                5.1, IP address can be IPv4 or IPv6.

7.230.  netmask

   elementId: TBD
   name: netmask
   dataType: ipAddress
   status: current
   description: The bitmask used to calculate
         the specification of
                                structured datatype as defined in
                                Section 5.2.

       status (required): interface's IP network.

7.231.  passwordInfo
   elementId: TBD
   name: passwordInfo
   dataType: list
   structure: list (username, password, userId, groupId, gcos,
         homeDir, loginShell, lastLogin)
   status: current
   description: Describes user account information for a
         system.

7.232.  username

   elementId: TBD
   name: username
   dataType: string
   status: current
   description: The status name of the specification user.

7.233.  password

   elementId: TBD
   name: password
   dataType: string
   status: current
   description: The encrypted version of the Information Element.
                                Allowed values are "current" and
                                "deprecated". All newly defined
                                Information Elements have "current"
                                status.
         user's password.

7.234.  gcos

   elementId: TBD
   name: gcos
   dataType: string
   status: current
   description:

7.235.  homeDir

   elementId: TBD
   name: homeDir
   dataType: string
   status: current
   description: The user's home
         directory.

7.236.  loginShell
   elementId: TBD
   name: loginShell
   dataType: string
   status: current
   description: The user's shell
         program.

7.237.  lastLogin

   elementId: TBD
   name: lastLogin
   dataType: integer
   status: current
   description: The date and time when the
         last login occurred.

7.238.  process for moving

   elementId: TBD
   name: process
   dataType: list
   structure: list (commandLine, pid, ppid, priority, startTime)

   status: current
   description: Information Elements about a process running on an endpoint.

7.239.  commandLine

   elementId: TBD
   name: commandLine
   dataType: string
   status: current
   description: The string used to start the
                                "deprecated" status is TBD.

       description (required): Describes
         process. This includes any parameters that are part of the
         command line.

7.240.  ppid

   elementId: TBD
   name: ppid
   dataType: integer
   status: current
   description: The process ID of the process's
         parent process.

7.241.  priority

   elementId: TBD
   name: priority
   dataType: integer
   status: current
   description: The scheduling priority with
         which the meaning process runs.

7.242.  startTime

   elementId: TBD
   name: startTime
   dataType: string
   status: current
   description: The time of day the
                               Information Element, how it is
                               derived, conditions for its use,
                               etc.

                               For Information Elements that
                               represent process
         started.

7.243.  routingtable

   elementId: TBD
   name: routingtable
   dataType: list
   structure: list (destination, gateway, flags, please include
                               a
         interfaceName)
   status: current
   description: Holds information about an individual routing table that lists each flag value
                               (hexadecimal) and description. The
                               following is
   entry found in a template for that system's primary routing table.

                               +-------+-----------------------+
                               | Value | Description           |
                               +-------+-----------------------+
                               |       |                       |
                               +-------+-----------------------+

       references (optional):  Identifies other RFCs or documents
                               outside

7.244.  destination

   elementId: TBD
   name: destination
   dataType: ipaddress
   status: current
   description: The destination IP address
         prefix of the IETF which provide
                               additional information or context
                               about routing table entry.

7.245.  gateway

   elementId: TBD
   name: gateway
   dataType: ipaddress
   status: current
   description: The gateway of the specified
         routing table entry.

7.246.  runlevelInfo

   elementId: TBD
   name: runlevelInfo
   dataType: list
   structure: list (serviceName, runlevel, start, kill)

   status: current
   description: Information Element.

           Figure 2: Information Element Specification Template

4.1.  SACM Content Elements

   Every piece about the start or kill state of information that is provided by a SACM component is
   always
   specified service at a given runlevel.

7.247.  runlevel

   elementId: TBD
   name: runlevel
   dataType: string
   status: current
   description: Specifies the system runlevel
         associated with a set of metadata, for example, service.

7.248.  start

   elementId: TBD
   name: start
   dataType: boolean
   status: current
   description: Specifies whether the timestamp service is
         scheduled to start at which this set of information was produced (e.g. by a collection
   task) or what target endpoint this set of information the runlevel.

7.249.  kill

   elementId: TBD
   name: kill
   dataType: boolean
   status: current
   description: Specifies whether the service is about (e.g.
         scheduled to be killed at the data-source or a target endpoint identifier, respectively). runlevel.

7.250.  shadowItem

   elementId: TBD
   name: shadowItem
   dataType: list
   structure: list (username, password, chgLst, chgAllow,
         chgReq, expWarn, expInact, expDate, flags, encryptMethod)
   status: current
   description:

7.251.  chgLst

   elementId: TBD
   name: chgLst
   dataType: timeStamp
   status: current
   description: The
   subject that associates content IE with content-metadata IE is called date of the last password
         change.

7.252.  chgAllow

   elementId: TBD
   name: chgAllow
   dataType: integer
   status: current
   description: Specifies how often in days a content-element.  Content metadata
         user may change their password. It can also include relationships
   that express associations with other content-elements.

               content-element = (
                 content-metadata = (
                   collection-timestamp = 146193322,
                   data-source = fb02e551-7101-4e68-8dec-1fde6bd10981
                 ),
                 hostname = "arbutus",
                 coordinates = (
                 latitude = N27.99619,
                 longitude = E86.92761
                 )
               )

   Figure 3: Example set be thought of
         as the minimum age of IEs associated with a timestamp and password.

7.253.  chgReq

   elementId: TBD
   name: chgReq
   dataType: integer
   status: current
   description: Describes how long a target
                              endpoint label.

4.2.  SACM Statements

   One or more SACM content elements are bundled in user can
         keep a SACM statement.
   In contrast to content-metadata, statement-metatdata focuses on password before the
   providing SACM component instead of system forces her to change it.

7.254.  expWarn

   elementId: TBD
   name: expWarn
   dataType: integer
   status: current
   description: Describes how long before
         password expiration the target endpoint that system begins warning the
   content is about.  The only content-specific metadata included in user.

7.255.  expInact

   elementId: TBD
   name: expInact
   dataType: integer
   status: current
   description: Describes how many days of
         account inactivity the
   SACM statement is system will wait after a password
         expires before locking the content-type IE.  Therefore, multiple content-
   elements that share account.

7.256.  expDate

   elementId: TBD
   name: expDate
   dataType: timeStamp
   status: current
   description: Specifies when will the same statement metadata and are of
         account's password expire.

7.257.  encryptMethod

   elementId: TBD
   name: encryptMethod
   dataType: enumeration
   structure: DES ; 0x1 ; The DES method corresponds to the same
   content-type can be included in a single SACM statement.  A SACM
   statement functions similar (none)
   prefix.
         BSDi ; 0x2 ; The BSDi method corresponds to an envelope BSDi modified
         DES or a header.  Its purpose
   is the '_' prefix.
         MD5 ; 0x3 ; The MD5 method corresponds to enable MD5 for Linux/BSD
         or the tracking of $1$ prefix.
         Blowfish ; 0x4 ; The Blowfish method corresponds to Blowfish
         (OpenBSD) or the origin of data inside a SACM domain
   and more importantly $2$ or $2a$ prefixes.
         Sun MD5 ; 0x5 ; The Sun MD5 method corresponds to enable the mitigation of conflicting
   information that my originate from different SACM components.  How a
   consuming SACM component actually deals with conflicting information
   is out-of-scope of the SACM IM.  Semantically, $md5$
         prefix.
         SHA-256 ; 0x6 ; The SHA-256 method corresponds to the term statement
   implies that $5$
         prefix.
         SHA-512 ; 0x7 ; The SHA-512 method corresponds to the SACM content provided by a SACM component might not
   be correct in every context, but rather $6$
         prefix. ; 0x8 ; The empty string value is the result of an best-
   effort permitted here to produce correct information.

               sacm-statement = (
                 statement-metadata = (
                   publish-timestamp = 1461934031,
                   data-origin = 24e67957-3d31-4878-8892-da2b35e121c2,
                   content-type = observation
                 ),
                 content-element = (
                   content-metadata = (
                     collection-timestamp = 146193322,
                     data-source = fb02e551-7101-4e68-8dec-1fde6bd10981
                   ),
                   hostname = "arbutus"
                 )
               )

      Figure 4: Example of a simple SACM statement including a single
                             content-element.

               sacm-statement = (
                 statement-metadata = (
                   publish-timestamp = 1461934031,
                   data-origin = 24e67957-3d31-4878-8892-da2b35e121c2
                   content-type = observation
                 ),
                 content-element = (
                   content-metadata = (
                     collection-timestamp = 146193322,
                     data-source = fb02e551-7101-4e68-8dec-1fde6bd10981
                   ),
                   coordinates = (
                     latitude = N27.99619,
                     longitude = E86.92761
                   )
                 )
               )

               sacm-statement = (
                 statement-metadata = (
                   publish-timestamp = 1461934744,
                   data-origin = e42885a1-0270-44e9-bb5c-865cf6bd4800,
                   content-type = observation
                 ),
                 content-element = (
                   content-metadata = (
                     collection-timestamp = 146193821,
                     te-label = fb02e551-7101-4e68-8dec-1fde6bd10981
                   ),
                   coordinates = (
                     latitude = N16.67622,
                     longitude = E141.55321
                   )
                 )
               )

       Figure 5: Example of conflicting information originating from
                        different SACM components.

4.3.  Relationships

   An IE can be associated with another IE, e.g. a user-name attribute
   can be
         allow for empty elements associated with a content-authorization subject.  These
   references are expressed via variable references.
   status: current
   description: Describes method that is used for hashing
         passwords.

7.258.  symlink

   elementId: TBD
   name: symlink
   dataType: list
   structure: list (symlinkFilepath, canonicalPath)
   status: current

   description: Identifies the relationships subject, which can be
   included in result generated for a corresponding content-metadata subject.  The
   relationships symlink.

7.259.  symlinkFilepath
   elementId: TBD
   name: symlinkFilepath
   dataType: string
   status: current
   description: Specifies the filepath to
         the subject includes a list symbolic link file.

7.260.  canonicalPath

   elementId: TBD
   name: canonicalPath
   dataType: string
   status: current
   description: Specifies the canonical
         path for the target of one or more references.  The
   SACM IM does not enforce the symbolic link file specified by
         the filepath.

7.261.  sysctl

   elementId: TBD
   name: sysctl
   dataType: list
   structure: list (kernelParameterName, kernelParameterValue+,
         uname, machineClass, nodeName, osName, osRelease,
         osVersion, processorType)
   status: current
   description: Stores
         information retrieved from the local system about a SACM domain to use unique identifiers as
   references.  Therefore, there are at least two ways to reference
   another content-element:

   o kernel
         parameter and its respective value(s).

7.262.  kernelParameterName

   elementId: TBD
   name: kernelParameterName
   dataType: string
   status: current
   description: The value name of a reference represents a specific content-label kernel
         parameter that was collected from the local system.

7.263.  kernelParameterValue

   elementId: TBD
   name: kernelParameterValue
   dataType: string
   status: current
   description: The current value(s)
         for the specified kernel parameter on the local system.

7.264.  uname

   elementId: TBD
   name: uname
   dataType: list
   structure: list (machineClass, nodeName, osName, osRelease,
         osVersion, processorType)
   status: current
   description: Information about the hardware the machine is unique in a SACM domain (and has to be included in running
         on.

7.265.  machineClass

   elementId: TBD
   name: machineClass
   dataType: string
   status: current
   description: Specifies the machine
         hardware name.

7.266.  nodeName

   elementId: TBD
   name: nodeName
   dataType: string
   status: current
   description: Specifies the host
         name.

7.267.  osName

   elementId: TBD
   name: osName
   dataType: string
   status: current
   description: Specifies the operating system
         name.

7.268.  osRelease

   elementId: TBD
   name: osRelease
   dataType: string
   status: current
   description: Specifies the build
         version.

7.269.  osVersion

   elementId: TBD
   name: osVersion
   dataType: string
   status: current
   description: Specifies the operating system
         version.

7.270.  processorType

   elementId: TBD
   name: processorType
   dataType: string
   status: current
   description: Specifies the processor
         type.

7.271.  internetService

   elementId: TBD
   name: internetService
   dataType: list
   structure: list (serviceProtocol, serviceName, flags,
         noAccess, onlyFrom, port, server, serverArguments,
         socketType, registeredServiceType, user, wait, disabled)

   status: current
   description: Holds information associated with Internet services.

7.272.  serviceProtocol

   elementId: TBD
   name: serviceProtocol
   dataType: string
   status: current
   description: Specifies the
      corresponding content-element metadata in order to be referenced),
      or

   o  The reference is a subject protocol
         that includes an appropriate number is used by the service.

7.273.  serviceName

   elementId: TBD
   name: serviceName
   dataType: string
   status: current
   description: Specifies the name of
      IEs in order the
         service.

7.274.  flags

   elementId: TBD
   name: flags
   dataType: string
   status: current
   description: Specifies miscellaneous settings
         associated with the service with executing a program.

7.275.  noAccess

   elementId: TBD
   name: noAccess
   dataType: string
   status: current
   description: Specifies the remote hosts to identify
         which the referenced content-element by its
      actual content.

   It service is recommended unavailable.

7.276.  onlyFrom

   elementId: TBD
   name: onlyFrom
   dataType: ipAddress
   status: current
   description: Specifies the remote hosts to provide unique identifiers in a SACM domain and
         which the SACM IM provides a corresponding naming-convention as a reference
   in section FIXME. service is available.

7.277.  port

   elementId: TBD
   name: port
   dataType: integer
   status: current
   description: The alternative highlighted above summarizes a
   valid approach port entity specifies the port
         used by the service.

7.278.  server

   elementId: TBD
   name: server
   dataType: string
   status: current
   description: Specifies the executable that does not require unique identifiers and is
   similar
         used to launch the approach of referencing target endpoints via
   identifying attributes included in a characterization record (FIXME
   REF arch).

               content-element = (
                 content-metadata = (
                   collection-timestamp = 1461934031,
                   te-label =
                   fb02e551-7101-4e68-8dec-1fde6bd10981
                   relationships = (
                     associated-with-user-account =
                     f3d70ef4-7e18-42af-a894-8955ba87c95d
                   )
                 ),
                 hostname = "arbutus"
               )

               content-element = (
                 content-metadata = (
                   content-label = f3d70ef4-7e18-42af-a894-8955ba87c95d
                 ),
                 user-account = (
                   username = romeo
                   authentication = local
                 )
               )

    Figure 6: Example instance of a content-element subject associated
              with another subject via its content metadata.

4.4.  Event

   Event subjects provide a structure service.

7.279.  serverArguments

   elementId: TBD
   name: serverArguments
   dataType: string
   status: current
   description: Specifies the arguments
         that are passed to represent the change executable when launching the service.

7.280.  socketType

   elementId: TBD
   name: socketType
   dataType: string
   status: current
   description: Specifies the type of IE
   values socket
         that was detected by a collection task at a specific point of
   time.  It is mandatory to include used by the new service. Possible values include: stream,
         dgram, raw, or seqpacket.

7.281.  registeredServiceType

   elementId: TBD
   name: registeredServiceType
   dataType: enumeration
   structure: INTERNAL ; 0x1 ; The INTERNAL type is used to describe
   services like echo, chargen, and the collection
   timestamp others whose functionality is
   supplied by xinetd itself.
         RPC ; 0x2 ; The RPC type is used to describe services that
         use remote procedure call ala NFS.
         UNLISTED ; 0x3 ; The UNLISTED type is used to describe
         services that aren't listed in an event subject and it /etc/protocols or /etc/rpc.
         TCPMUX ; 0x4 ; The TCPMUX type is recommended used to include the
   past values and a collection timestamp describe services
         that were replaced by the new
   IE values.  Every event can also be associated with a subject-
   specific event-timestamp and a lastseen-timestamp conform to RFC 1078. This type indiciates that might differ
   from the corresponding collection-timestamps.  If these are omitted the collection-timestamp that service
         is included in responsible for handling the content-metadata
   subject protocol handshake.
         TCPMUXPLUS ; 0x5 ; The TCPMUXPLUS type is used instead.

           sacm-statement = (
             statement-metadata = (
               publish-timestamp = 1461934031,
               data-origin = 24e67957-3d31-4878-8892-da2b35e121c2,
               content-type = event
             ),
             event = (
               event-attributes = (
                 event-name = "host-name change",
                 content-element = (
                   content-metadata = (
                   collection-timestamp = 146193322,
                   data-source =
                     fb02e551-7101-4e68-8dec-1fde6bd10981,
                     event-component = past-state
                  ),
                  hostname = "arbutus"
                 ),
                 content-element = (
                   content-metadata = (
                     collection-timestamp = 146195723,
                     data-source =
                     fb02e551-7101-4e68-8dec-1fde6bd10981,
                     event-component = current-state
                   ),
                   hostname = "lilac"
                 )
               )
             )

        Figure 7: Example of a SACM statement containing an event.

4.5.  Categories

   Categories are special IEs that enable to refer describe
         services that conform to multiple types of
   IE via just one name.  Therefore, they are similar RFC 1078. This type indicates that
         xinetd is responsible for handling the protocol
         handshake.
         ; 0x6 ; The empty string value is permitted here to a type-choice.
   A prominent example allow
         for detailed error reporting.
   status: current

   description: Specifies the type of a category is network-address.  Network-
   address internet service.

7.282.  wait

   elementId: TBD
   name: wait
   dataType: boolean
   status: current
   description: Specifies whether or not the service is a category single-threaded
   or multi-threaded and whether or not xinetd accepts the connection
   or the service accepts the connection. A value of 'true' indicates
   that every kind the service is single-threaded and the service will accept the
   connection. A value of network address 'false' indicates that the service is
   associated with, e.g. mac-address, ipv4-address, ipv6-address, multi-
   threaded and xinetd will accept the connection.

7.283.  disabled

   elementId: TBD
   name: disabled
   dataType: boolean
   status: current
   description: Specifies whether or
   typed-network-address.  If a subject includes network-address as one not the
         service is disabled. A value of its components, any 'true' indicates that the
         service is disabled and will not start. A value of
         'false' indicates that the category members are valid to be used
   in its place.

   Another prominent example is EndpointIdentifier.  Some IEs can be
   used to identify (and over time re-recognize) target endpoints -
   those are the category endpoint-identifier.

4.6.  Designation

   TODO: In the IETF, there are privacy concerns with respect to
   endpoint identity and monitoring.  As a result, the Endpoint ID
   Design Team proposes that "endpoint identity" be changed to "endpoint
   designation".  Designation attributes are used to correlate
   endpoints, information about endpoints, events, etc.  NOTE:
   Designation attributes are just those that are mandatory-to-
   implement.  In practice, organizations may need to select additional
   attributes beyond the mandatory-to-implement attributes to
   successfully identify an endpoint on their network.  Operational and
   privacy concerns will be covered in the Operational Considerations
   and Privacy Considerations sections respectively.  A proposal
   outlining various options for representing designation attributes/
   objects in the IPFIX syntax is being discussed on the mailing list.
   See IM issue #39 at https://github.com/sacmwg/draft-ietf-sacm-
   information-model/issues/39 for more information.  Also, consider
   inserting a table that discusses the various properties of
   designation attributes and include it in this section to help others
   determine whether or not a new Information Element should be
   considered a designation attribute.  Lastly, explain how designation
   attributes can be used.  For example, letting a consumer identify an
   endpoint, for two purposes:

   o  To tell whether two endpoint attribute assertions concern the same
      endpoint

   o  To respond to compliance measurements, for example by reporting,
      remediating, and quarantining (SACM does not specify these
      responses, but SACM exists to enable them.)

4.7.  Privacy

   TODO: In the IETF, there are privacy concerns with respect to
   endpoint identity and monitoring.  As a result, it was proposed that
   a privacy property be included to denote when an Information Element
   represents a privacy concern.  A proposal outlining various options
   for representing privacy attributes/objects in the IPFIX syntax is
   being discussed on the mailing list.  See IM issue #39 at
   https://github.com/sacmwg/draft-ietf-sacm-information-model/issues/39
   for more information.

5.  Abstract Data Types

   This section describes the set of valid abstract data types that can
   be used in the specification of the SACM Information Elements in
   Section 7.  SACM currently supports two classes of datatypes that can
   be used to define Information Elements.

   o  Simple: Datatypes that are atomic and are used to define the data
      represented by an attribute Information Element.

   o  Structured: Datatypes that can be used to define the data
      represented by a subject Information Element.

   Note that further abstract data types may be specified by future
   extensions of the SACM information model.

5.1.  Simple Datatypes

5.1.1.  IPFIX Datatypes

   To facilitate the use of existing work, SACM supports the following
   abstract data types defined in Section 3 of [RFC7012].

   o  unsigned8, unsigned16, unsigned32, unsigned64

   o  signed8, signed16, signed32, signed64

   o  float32, float64

   o  boolean

   o  macAddress

   o  octetArray

   o  string

   o  dateTimeSeconds, dateTimeMilliseconds, dateTimeMicroseconds,
      dateTimeNanoSeconds

   o  ipv4Address, ipv6Address

5.1.2.  ciscoTrainSoftwareVersion

   The "ciscoTrainSoftwareVersion" datatype represents a software
   version that conforms to the Cisco IOS Train string format.

5.1.3.  rpmSoftwareVersion

   The "rpmSoftwareVersion" datatype represents a software version that
   conforms to the EPOCH:VERSION-RELEASE format.

5.1.4.  simpleSoftwareVersion

   The "simpleSoftwareVersion" datatype represents a software version
   that is a hierarchical list of non-negative integers separated by a
   single character delimiter.

5.2.  Structured Datatypes

5.2.1.  List Datatypes

   SACM defines the following abstract list data types that are used to
   represent the structured data associated with subjects.

   o  list: indicates that the Information Element order is not
      significant but MAY be preserved.

   o  orderedList: indicates that Information Element order is
      significant and MUST be preserved.

   The notation used for defining a SACM structured datatype is based on
   regular expressions, which are composed of the keywords "list" or
   "orderedList" and an Information Element expression.  IE expressions
   use some of the regular expression syntax and operators, but the
   terms in the expression are the names of defined Information Elements
   instead of character classes.  The syntax for defining list and
   orderedList datatypes is described below, using BNF:

       <list-def> -> ("list"|"orderedList") "(" <ie-expression> ")"

       <ie-expression> -> <ie-name> <cardinality>?
                          ( ("," | "|") <ie-name> <cardinality>?)*

       <cardinality> -> "*" | "+" | "?" |
                        ( "(" <non-neg-int> ("," <non-neg-int>)? ")" )

               Figure 8: Syntax for Defining List Datatypes

   As seen above, multiple occurrences of an Information Element may be
   present in a structured datatype.  The cardinality of an Information
   Element within a structured Information Element definition is defined
   by the following operators:

       * - zero or more occurrences

       + - one or more occurrences

       ? - zero or one occurrence

      (m,n) - between m and n occurrences

         Figure 9: Specifying Cardinality for Structured Datatypes

   The absence of a cardinality operator implies one mandatory
   occurrence of the Information Element.

   Below is an example of a structured Information Element definition.

   personInfo = list(firstName, middleNames?, lastName)
   firstName = string
   middleNames = orderedList(middleName+)
   middleName = string
   lastName = string

   As an example, consider the name "John Ronald Reuel Tolkien".
   Below are instances of this name, structured according to the
   personInfo definition.

   personInfo = (firstName="John", middleNames(middleName="Ronald",
                 middleName="Reuel"), lastName="Tolkien")

   personInfo = (middleNames(middleName="Ronald", middleName="Reuel"),
                 lastName="Tolkien", firstName="John")

   The instance below is not legal with respect to the definition of
   personInfo because the order in middleNames is not preserved.

   personInfo = (firstName="John", middleNames(middleName="Reuel",
                 middleName="Ronald"), lastName="Tolkien")

           Figure 10: Example of Defining a Structured Datatype

6.  Information Model Assets

   In order to represent the Information Elements related to the areas
   listed in Section 3.1, the information model defines the information
   needs (or metadata about those information needs) related to the
   following types of assets which are defined in
   [I-D.ietf-sacm-terminology] (and included below for convenience)
   which are of interest to SACM.  Specifically:

   o  Endpoint

   o  Software Component

   o  Hardware Component

   o  Identity

   o  Guidance

   o  Evaluation Results

   The following figure shows the make up of an Endpoint asset which
   contains zero or more hardware components and zero or more software
   components each of which may have zero or more instances running on
   an endpoint at any given time as well as zero or more identities that
   act on behalf of the endpoint when interfacing with other endpoints,
   tools, or services.  An endpoint may also contain other endpoints in
   the case of a virtualized environment.

           +---------+*______in>_______*+-----+
           |Hardware |                  |!   !|
           |Component|   +---------+    |!   !|
           +---------+   |Software |in> |!   !|
                         |Component|____|!   !|
                         +---------+*  *|!   !|
                             1|         |!   !|
                             *|         |     |       +----------+
                         +---------+    |End- |*_____*| Identity |
                         |Software |in> |point| acts  +----------+
                         |Instance |____|     | for>
                         +---------+*  1|!   !|
                                        |!   !|
                                        |!   !|
                                        |!   !|
                                        |!   !|____
                                        |!   !|0..1|
                                        +-----+    |
                                           |*      |
                                           |_______|
                                              in>

                      Figure 11: Model of an Endpoint

6.1.  Asset

   As defined in [RFC4949], an asset is a system resource that is (a)
   required to be protected by an information system's security policy,
   (b) intended to be protected by a countermeasure, or (c) required for
   a system's mission.

   In the scope of SACM, an asset can be composed of other assets.
   Examples of Assets include: Endpoints, Software, Guidance, or
   Identity.  Furthermore, an asset is not necessarily owned by an
   organization.

6.2.  Endpoint

   From [RFC5209], an endpoint is any computing device that can be
   connected to a network.  Such devices are normally associated with a
   particular link layer address before joining the network and
   potentially an IP address once on the network.  This includes:
   laptops, desktops, servers, cell phones, or any device that may have
   an IP address.

   To further clarify, an endpoint is any physical or virtual device
   that may have a network address.  Note that network infrastructure
   devices (e.g. switches, routers, firewalls), which fit the
   definition, are also considered to be endpoints within this document.

   Physical endpoints are always composites that are composed of
   hardware components and software components.  Virtual endpoints are
   composed entirely of software components and rely on software
   components that provide functions equivalent to hardware components.

   The SACM architecture differentiates two essential categories of
   endpoints: Endpoints whose security posture is intended to be
   assessed (target endpoints) and endpoints that are specifically
   excluded from endpoint posture assessment (excluded endpoints).

6.3.  Hardware Component

   Hardware components are the distinguishable physical components that
   compose an endpoint.  The composition of an endpoint can be changed
   over time by adding or removing hardware components.  In essence,
   every physical endpoint is potentially a composite of multiple
   hardware components, typically resulting in a hierarchical
   composition of hardware components.  The composition of hardware
   components is based on interconnects provided by specific hardware
   types (e.g. a mainboard is a hardware type that provides local busses
   as an interconnect).  In general, a hardware component can be
   distinguished by its serial number.

   Examples of hardware components include: motherboards, network
   interfaces, graphics cards, hard drives, etc.

6.4.  Software Component

   A software package installed on an endpoint (including the operating
   system) as well as a unique serial number if present (e.g. a text
   editor associated with a unique license key).

   It should be noted that this includes both benign and harmful
   software packages.  Examples of benign software components include:
   applications, patches, operating system kernel, boot loader,
   firmware, code embedded on a webpage, etc.  Examples of malicious
   software components include: malware, trojans, viruses, etc.

6.4.1.  Software Instance

   A running instance of the software component (e.g. on a multi-user
   system, one logged-in user has one instance of a text editor running
   and another logged-in user has another instance of the same text
   editor running, or on a single-user system, a user could have
   multiple independent instances of the same text editor running).

6.5.  Identity

   TODO: Define an Asset Identity asset.  NOTE: Make sure it is clear
   that this is not identity in the sense of what we have been calling
   endpoint identity (now designation).

   Examples of an identity include: username, user and device
   certificates, etc.

6.6.  Guidance

   TODO: Need to resolve the forms of Guidance in the terminology and
   those listed as sub-sections below.

   Guidance is input instructions to processes and tasks, such as
   collection or evaluation.  Guidance influences the behavior of a SACM
   component and is considered content of the management plane.
   Guidance can be manually or automatically generated or provided.
   Typically, the tasks that provide guidance to SACM components have a
   low frequency and tend to be sporadic.  A prominent example of
   guidance are target endpoint profiles, but guidance can have many
   forms, including:

      Configuration, e.g. a SACM component's name, or a CMDB's IPv6
      address.

      Profiles, e.g. a set of expected states for network behavior
      associated with target endpoints employed by specific users.

      Policies, e.g. an interval to refresh the registration of a SACM
      component, or a list of required capabilities for SACM components
      in a specific location.

6.6.1.  Internal Collection Guidance

   An internal collector may need guidance to govern what it collects
   and when.

6.6.2.  External Collection Guidance

   An external collector may need guidance to govern what it collects
   and when.

6.6.3.  Evaluation Guidance

   An evaluator typically needs Evaluation Guidance to govern what it
   considers to be a good or bad security posture.

6.6.4.  Retention Guidance

   A SACM deployment may retain posture attributes, events, or
   evaluation results for some time.  Retention supports ad hoc
   reporting and other use cases.

   If information is retained, retention guidance controls what is
   retained and for how long.

   If two or more pieces of retention guidance apply to a piece of
   information, the guidance calling for the longest retention should
   take precedence.

6.7.  Evaluation Results

   Evaluation results are the resulting values from having evaluated a
   set of posture attributes.

   An example is: a NEA access recommendation [RFC5793].

   An evaluator may be able to evaluate better if history is available.
   This is a use case for retaining Endpoint Attribute Assertions for a
   time.

   An Evaluation Result may be retained longer than the Endpoint
   Attribute Assertions from which it derives (Figure 11 does not show
   this).  In the limiting case, Endpoint Attribute Assertions are not
   retained.  When an Endpoint Attribute Assertion arrives, an evaluator
   produces an Evaluation Result.  These mechanics are out of the scope
   of the Information Model.

7.  Information Model Elements

   TODO: Define specific subjects, attributes, and metadata.  We may
   want to consider adding small diagrams showing the relationships
   between each (see Lisa's notes:
   https://mailarchive.ietf.org/arch/msg/sacm/
   kWxlnboHAXD87cned9WavwPZy5w).

7.284.  windowsView

   elementId: TBD
   name: windowsView
   dataType: enumeration
   structure: 32_bit ; 0x1 ; Indicates the 32-bit Windows view.
   64_bit ; 0x2 ; Indicates the 64-bit Windows view.
   ; 0x3 ; The empty string value is permitted here to allow for
   empty elements associated with error conditions.
   status: current
   description: Indicates from which view (32-bit or 64-bit) the
         information was collected.  A value of '32_bit' indicates the
         Item was collected from the 32-bit view.  A value of '64_bit'
         indicates the Item was collected from the 64-bit view.  On
         64-bit Windows a 32-bit collector runs under WOW64, which
         redirects parts of the file system (e.g. %SystemRoot%\System32
         to SysWOW64) and of the registry, so the view is needed to
         interpret a collected path correctly.

7.285.  fileauditedpermissions

   elementId: TBD
   name: fileauditedpermissions
   dataType: list
   structure: list (filepath, path, filename,
         trusteeSid, trusteeName, auditStandardDelete,
         auditStandardReadControl, auditStandardWriteDac,
         auditStandardWriteOwner, auditStandardSynchronize,
         auditAccessSystemSecurity, auditGenericRead, auditGenericWrite,
         auditGenericExecute, auditGenericAll, auditFileReadData,
         auditFileWriteData, auditFileAppendData, auditFileReadEa,
         auditFileWriteEa, auditFileExecute, auditFileDeleteChild,
         auditFileReadAttributes, auditFileWriteAttributes,
         windowsView)
   status: current
   description: Stores the audited access rights of a file that a
         system access control list (SACL) structure grants to a
         specified trustee.  The trustee's audited access rights are
         determined by checking all access control entries (ACEs) in
         the SACL.  Reading a SACL requires ACCESS_SYSTEM_SECURITY
         access, which is only granted to a caller holding
         SeSecurityPrivilege; a collector without that privilege cannot
         populate this element.

7.286.  trusteeName

   elementId: TBD
   name: trusteeName
   dataType: string
   status: current
   description: Specifies the trustee name.  A trustee can be a user,
         group, or program (such as a Windows service).

7.287.  auditStandardDelete

   elementId: TBD
   name: auditStandardDelete
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The right to delete the object.

7.288.  auditStandardReadControl

   elementId: TBD
   name: auditStandardReadControl
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The right to read the information in the object's
         security descriptor, not including the information in the
         SACL.

7.289.  auditStandardWriteDac

   elementId: TBD
   name: auditStandardWriteDac
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The right to modify the DACL in the object's security
         descriptor.

7.290.  auditStandardWriteOwner

   elementId: TBD
   name: auditStandardWriteOwner
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The right to change the owner in the object's security
         descriptor.

7.291.  auditStandardSynchronize

   elementId: TBD
   name: auditStandardSynchronize
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The right to use the object for synchronization.  This
         enables a thread to wait until the object is in the signaled
         state.  Some object types do not support this access right.

7.292.  auditAccessSystemSecurity

   elementId: TBD
   name: auditAccessSystemSecurity
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Indicates access to a system access control list
         (SACL).

7.293.  auditGenericRead

   elementId: TBD
   name: auditGenericRead
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Read access.

7.294.  auditGenericWrite

   elementId: TBD
   name: auditGenericWrite
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Write access.

7.295.  auditGenericExecute

   elementId: TBD
   name: auditGenericExecute
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Execute access.

7.296.  auditGenericAll

   elementId: TBD
   name: auditGenericAll
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Read, write, and execute access.

7.297.  auditFileReadData

   elementId: TBD
   name: auditFileReadData
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to read data from the file.

7.298.  auditFileWriteData

   elementId: TBD
   name: auditFileWriteData
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to write data to the file.

7.299.  auditFileAppendData

   elementId: TBD
   name: auditFileAppendData
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to append data to the file.

7.300.  auditFileReadEa

   elementId: TBD
   name: auditFileReadEa
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to read extended attributes.

7.301.  auditFileWriteEa

   elementId: TBD
   name: auditFileWriteEa
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to write extended attributes.

7.302.  auditFileExecute

   elementId: TBD
   name: auditFileExecute
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to execute a file.

7.303.  auditFileDeleteChild

   elementId: TBD
   name: auditFileDeleteChild
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The right to delete a directory and all the files it
         contains (its children), even if the files are read-only.

7.304.  auditFileReadAttributes

   elementId: TBD
   name: auditFileReadAttributes
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to read file attributes.

7.305.  auditFileWriteAttributes

   elementId: TBD
   name: auditFileWriteAttributes
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Grants the right to change file attributes.

7.306.  fileeffectiverights

   elementId: TBD
   name: fileeffectiverights
   dataType: list
   structure: list (filepath, path, filename,
         trusteeSid, trusteeName, standardDelete, standardReadControl,
         standardWriteDac, standardWriteOwner,
         standardSynchronize, accessSystemSecurity, genericRead,
         genericWrite, genericExecute, genericAll, fileReadData,
         fileWriteData, fileAppendData, fileReadEa, fileWriteEa,
         fileExecute, fileDeleteChild, fileReadAttributes,
         fileWriteAttributes, windowsView)
   status: current
   description: Stores the effective rights of a file that a
         discretionary access control list (DACL) structure grants
         to a specified trustee.  The trustee's effective rights
         are determined by checking all access-allowed and
         access-denied access control entries (ACEs) in the DACL,
         including those that apply to groups the trustee belongs
         to.  In a canonical DACL access-denied ACEs precede
         access-allowed ACEs, so a denial that matches the trustee
         removes the corresponding rights from the effective set.

7.307.  standardDelete

   elementId: TBD
   name: standardDelete
   dataType: boolean
   status: current
   description: The right to delete the object.

7.308.  standardReadControl

   elementId: TBD
   name: standardReadControl
   dataType: boolean
   status: current
   description: The right to read the information in the object's
         security descriptor, not including the information in the
         SACL.

7.309.  standardWriteDac

   elementId: TBD
   name: standardWriteDac
   dataType: boolean
   status: current
   description: The right to modify the DACL in the object's security
         descriptor.

7.310.  standardWriteOwner

   elementId: TBD
   name: standardWriteOwner
   dataType: boolean
   status: current
   description: The right to change
         the owner in the object's security descriptor.

7.311.  standardSynchronize

   elementId: TBD
   name: standardSynchronize
   dataType: boolean
   status: current
   description: The right to use the
         object for synchronization. This may be too much work, but, enables a thread to wait
         until the object is in the signaled state. Some object
         types do not
   sure yet.

7.1.  hardwareSerialNumber support this access right.

7.1.  hardwareSerialNumber

   elementId: TBD
   name: hardwareSerialNumber
   dataType: string
   status: current
   description: A globally unique identifier for a particular piece of
                hardware assigned by the vendor.

7.2.  interfaceName

   elementId: TBD
   name: interfaceName
   dataType: string
   status: current
   description: A short name uniquely describing an interface,
                e.g. "Eth1/0".  See [RFC2863] for the definition of
                the ifName object.

7.3.  interfaceIndex

   elementId: TBD
   name: interfaceIndex
   dataType: unsigned32
   status: current
   description: The index of an interface installed on an endpoint.
                The value matches the value of managed object
                'ifIndex' as defined in [RFC2863].  Note that ifIndex
                values are not assigned statically to an interface
                and that the interfaces may be renumbered every time
                the device's management system is re-initialized,
                as specified in [RFC2863].

7.4.  interfaceMacAddress

   elementId: TBD
   name: interfaceMacAddress
   dataType: macAddress
   status: current
   description: The IEEE 802 MAC address associated with a network
                interface on an endpoint.

7.5.  interfaceType

   elementId: TBD
   name: interfaceType
   dataType: unsigned32
   status: current
   description: The type of a network interface.  The value matches
                the value of managed object 'ifType' as defined in
                [IANA registry ianaiftype-mib].

7.6.  interfaceFlags

   elementId: TBD
   name: interfaceFlags
   dataType: unsigned16
   status: current
   description: This information element specifies the flags
                associated with a network interface.  Possible
                values include:

               +-------+----------------------------------+
               | Value | Description                      |
               +-------+----------------------------------+
               | 0x1   | interface is up                  |
               | 0x2   | broadcast address valid          |
               | 0x4   | turn on debugging                |
               | 0x8   | is a loopback net                |
               | 0x10  | interface is point-to-point link |
               | 0x20  | avoid use of trailers            |
               | 0x40  | resources allocated              |
               | 0x80  | no address resolution protocol   |
               | 0x100 | receive all packets              |
               +-------+----------------------------------+

7.7.  networkInterface

   elementId: TBD
   name: networkInterface
   dataType: orderedList(interfaceName, interfaceIndex, macAddress,
                         ifType, flags)
   status: current
   description: Information about a network interface installed on an
                endpoint.  The following high-level diagram describes
                the structure of the networkInterface information
                element.

7.8.  softwareIdentifier

   elementId: TBD
   name: softwareIdentifier
   dataType: string
   status: current
   description: A globally unique identifier for a particular
                software application.

7.9.  softwareTitle

   elementId: TBD
   name: softwareTitle
   dataType: string
   status: current
   description: The title of the software application.

7.10.  softwareCreator

   elementId: TBD
   name: softwareCreator
   dataType: string
   status: current
   description: The software developer (e.g., vendor or author).

7.11.  simpleSoftwareVersion

   elementId: TBD
   name: simpleSoftwareVersion
   dataType: simpleVersion
   status: current
   description: The version string for a software application that
                follows the simple versioning scheme.

7.12.  rpmSoftwareVersion

   elementId: TBD
   name: rpmSoftwareVersion
   dataType: rpmVersion
   status: current
   description: The version string for a software application that
                follows the RPM versioning scheme.

7.13.  ciscoTrainSoftwareVersion

   elementId: TBD
   name: ciscoTrainSoftwareVersion
   dataType: ciscoTrainVersion
   status: current
   description: The version string for a software application that
                follows the Cisco Train Release versioning scheme.

7.312.  accessSystemSecurity

   elementId: TBD
   name: accessSystemSecurity
   dataType: boolean
   status: current
   description: Indicates access to a system access control list
         (SACL).

7.313.  genericRead

   elementId: TBD
   name: genericRead
   dataType: boolean
   status: current
   description: Read access.

7.314.  genericWrite

   elementId: TBD
   name: genericWrite
   dataType: boolean
   status: current
   description: Write access.

7.315.  genericExecute

   elementId: TBD
   name: genericExecute
   dataType: boolean
   status: current
   description: Execute access.

7.316.  genericAll

   elementId: TBD
   name: genericAll
   dataType: boolean
   status: current
   description: Read, write, and execute access.

7.317.  fileReadData

   elementId: TBD
   name: fileReadData
   dataType: boolean
   status: current
   description: Grants the right to read data from the file.

7.318.  fileWriteData

   elementId: TBD
   name: fileWriteData
   dataType: boolean
   status: current
   description: Grants the right to write data to the file.

7.319.  fileAppendData

   elementId: TBD
   name: fileAppendData
   dataType: boolean
   status: current
   description: Grants the right to append data to the file.

7.320.  fileReadEa

   elementId: TBD
   name: fileReadEa
   dataType: boolean
   status: current
   description: Grants the right to read extended attributes.

7.321.  fileWriteEa

   elementId: TBD
   name: fileWriteEa
   dataType: boolean
   status: current
   description: Grants the right to write extended attributes.

7.322.  fileExecute

   elementId: TBD
   name: fileExecute
   dataType: boolean
   status: current
   description: Grants the right to execute a file.

7.323.  fileDeleteChild

   elementId: TBD
   name: fileDeleteChild
   dataType: boolean
   status: current
   description: The right to delete a directory and all the files it
         contains (its children), even if the files are read-only.

7.324.  fileReadAttributes

   elementId: TBD
   name: fileReadAttributes
   dataType: boolean
   status: current
   description: Grants the right to read file attributes.

7.325.  fileWriteAttributes

   elementId: TBD
   name: fileWriteAttributes
   dataType: boolean
   status: current
   description: Grants the right to change file attributes.

7.14.  softwareVersion

   elementId: TBD
   name: softwareVersion
   dataType: list(simpleSoftwareVersion | rpmSoftwareVersion |
                  ciscoTrainSoftwareVersion)
   status: current
   description: The version of the software application.  Software
                applications may be versioned using a number of
                schemas.  The following high-level diagram describes
                the structure of the softwareVersion information
                element.

7.15.  lastUpdated

   elementId: TBD
   name: lastUpdated
   dataType: dateTimeSeconds
   status: current
   description: The date and time when the software instance was last
                updated on the system (e.g., new version installed or
                patch applied).

7.16.  softwareInstance

   elementId: TBD
   name: softwareInstance
   dataType: orderedList(softwareIdentifier, title, creator,
                         softwareVersion, lastUpdated)
   status: current
   description: Information about an instance of software installed
                on an endpoint.  The following high-level diagram
                describes the structure of the softwareInstance
                information element.

7.17.  globallyUniqueIdentifier

   elementId: TBD
   name: globallyUniqueIdentifier
   dataType: unsigned8
   status: current
   metadata: true
   description: TODO.

7.18.  dataOrigin

   elementId: TBD
   name: dataOrigin
   dataType: string
   status: current
   metadata: true
   description: The origin of the data.  TODO: make a better
                description.

7.19.  dataSource

   elementId: TBD
   name: dataSource
   dataType: string
   status: current
   metadata: true
   description: The source of the data.  TODO: make a better
                description.

7.20.  creationTimestamp

   elementId: TBD
   name: creationTimestamp
   dataType: dateTimeSeconds
   status: current
   metadata: true
   description: The date and time when the posture information was
                created by a SACM Component.

7.21.  collectionTimestamp

   elementId: TBD
   name: collectionTimestamp
   dataType: dateTimeSeconds
   status: current
   metadata: true
   description: The date and time when the posture information was
                collected or observed by a SACM Component.

7.22.  publicationTimestamp

   elementId: TBD
   name: publicationTimestamp
   dataType: dateTimeSeconds
   status: current
   metadata: true
   description: The date and time when the posture information was
                published.

7.23.  relayTimestamp

   elementId: TBD
   name: relayTimestamp
   dataType: dateTimeSeconds
   status: current
   metadata: true
   description: The date and time when the posture information was
                relayed to another SACM Component.

7.24.  storageTimestamp

   elementId: TBD
   name: storageTimestamp
   dataType: dateTimeSeconds
   status: current
   metadata: true
   description: The date and time when the posture information was
                stored in a Repository.

7.25.  type

   elementId: TBD
   name: type
   dataType: unsigned16
   status: current
   metadata: true
   description: The type of data model used to represent some set of
                endpoint information.  The following table lists the
                set of data models supported by SACM.

                +-------+----------------------------------+
                | Value | Description                      |
                +-------+----------------------------------+
                | 0x00  | Data Model 1                     |
                +-------+----------------------------------+
                | 0x01  | Data Model 2                     |
                +-------+----------------------------------+
                | 0x02  | Data Model 3                     |
                +-------+----------------------------------+
                |...    | ...                              |
                +-------+----------------------------------+

7.26.  protocolIdentifier

   elementId: TBD
   name: protocolIdentifier
   dataType: unsigned8
   status: current
   description: The value of the protocol number in the IP packet
                header.  The protocol number identifies the IP packet
                payload type.  Protocol numbers are defined in the
                IANA Protocol Numbers registry.

                In Internet Protocol version 4 (IPv4), this is
                carried in the Protocol field.  In Internet Protocol
                version 6 (IPv6), this is carried in the Next Header
                field in the last extension header of the packet.

7.27.  sourceTransportPort

   elementId: TBD
   name: sourceTransportPort
   dataType: unsigned16
   status: current
   description: The source port identifier in the transport header.
                For the transport protocols UDP, TCP, and SCTP, this
                is the source port number given in the respective
                header.  This field MAY also be used for future
                transport protocols that have 16-bit source port
                identifiers.

7.326.  groupInfo

   elementId: TBD
   name: groupInfo
   dataType: list
   structure: list (group, username, subgroup)
   status: current
   description: Specifies the different users and subgroups that
         directly belong to specific groups.

7.327.  group

   elementId: TBD
   name: group
   dataType: string
   status: current
   description: Represents the name of a particular group.

7.328.  user

   elementId: TBD
   name: user
   dataType: string
   status: current
   description: Represents the name of a particular user.

7.329.  subgroup

   elementId: TBD
   name: subgroup
   dataType: string
   status: current
   description: Represents the name of a particular subgroup in the
         specified group.

7.330.  groupSidInfo

   elementId: TBD
   name: groupSidInfo
   dataType: list
   structure: list (groupSid, userSid, subgroupSid)
   status: current
   description: Specifies the different users and subgroups that
         directly belong to specific groups (identified by SID).

7.331.  userSidInfo

   elementId: TBD
   name: userSidInfo
   dataType: list
   structure: list (userSid, enabled, groupSid, lastLogon)
   status: current
   description: Specifies the different groups (identified by SID)
         that a user belongs to.

7.332.  userSid

   elementId: TBD
   name: userSid
   dataType: string
   status: current
   description: Represents the SID of a particular user.

7.333.  subgroupSid

   elementId: TBD
   name: subgroupSid
   dataType: string
   status: current
   description: Represents the SID of a particular subgroup.

7.334.  lockoutpolicy

   elementId: TBD
   name: lockoutpolicy
   dataType: list
   structure: list (forceLogoff, lockoutDuration,
         lockoutObservationWindow, lockoutThreshold)
   status: current
   description: Specifies various attributes associated with lockout
         information for users and global groups in the security
         database.

7.335.  forceLogoff

   elementId: TBD
   name: forceLogoff
   dataType: integer
   status: current
   description: Specifies, in seconds, the amount of time between the
         end of the valid logon time and the time when the user is
         forced to log off the network.

7.336.  lockoutDuration

   elementId: TBD
   name: lockoutDuration
   dataType: integer
   status: current
   description: Specifies, in seconds, how long a locked account
         remains locked before it is automatically unlocked.

7.337.  lockoutObservationWindow

   elementId: TBD
   name: lockoutObservationWindow
   dataType: integer
   status: current
   description: Specifies the maximum time, in seconds, that can
         elapse between any two failed logon attempts before lockout
         occurs.

7.338.  lockoutThreshold

   elementId: TBD
   name: lockoutThreshold
   dataType: integer
   status: current
   description: Specifies the number of invalid password
         authentications that can occur before an account is marked
         "locked out."

7.339.  passwordpolicy

   elementId: TBD
   name: passwordpolicy
   dataType: list
   structure: list (maxPasswdAge, minPasswdAge,
         minPasswdLen, passwordHistLen, passwordComplexity,
         reversibleEncryption)
   status: current
   description: Specifies policy information associated with
         passwords.

7.340.  maxPasswdAge

   elementId: TBD
   name: maxPasswdAge
   dataType: integer
   status: current
   description: Specifies, in seconds (from a DWORD), the maximum
         allowable password age.  A value of TIMEQ_FOREVER (the
         maximum DWORD value, 4294967295) indicates that the password
         never expires.  The minimum valid value for this element is
         ONE_DAY (86400).  See the USER_MODALS_INFO_0 structure
         returned by a call to NetUserModalsGet().

7.341.  minPasswdAge

   elementId: TBD
   name: minPasswdAge
   dataType: integer
   status: current
   description: Specifies the minimum number of seconds that can
         elapse between the time a password changes and the time it
         can be changed again.  A value of zero indicates that no
         delay is required between password updates.

7.342.  minPasswdLen

   elementId: TBD
   name: minPasswdLen
   dataType: integer
   status: current
   description: Specifies the minimum allowable password length.
         Valid values for this element are zero through PWLEN.

7.343.  passwordHistLen

   elementId: TBD
   name: passwordHistLen
   dataType: integer
   status: current
   description: Specifies the length of the password history
         maintained.  A new password cannot match any of the previous
         usrmod0_password_hist_len passwords.  Valid values for this
         element are zero through DEF_MAX_PWHIST.

7.344.  passwordComplexity

   elementId: TBD
   name: passwordComplexity
   dataType: boolean
   status: current
   description: Indicates whether passwords must meet the complexity
         requirements put forth by the operating system.

7.345.  reversibleEncryption

   elementId: TBD
   name: reversibleEncryption
   dataType: boolean
   status: current
   description: Indicates whether or not passwords are stored using
         reversible encryption.

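   lockoutpolicy (7.334) and passwordpolicy (7.339) carry the raw
   NetUserModalsGet values, so an evaluator has to know the sentinels
   before it compares numbers: TIMEQ_FOREVER in maxPasswdAge means the
   password never expires, a maxPasswdAge below ONE_DAY is outside the
   valid range, and a lockoutThreshold of zero means accounts never
   lock.  The following Python is an added example, not part of the
   draft or of any SACM implementation.  It turns the two records into
   findings against an assumed baseline (the numbers in BASELINE are
   illustrative, not from the document) using the element names of
   7.334 to 7.345; both policy records are constructed.  A
   lockoutDuration of zero is treated as "locked until an administrator
   unlocks", which is the Group Policy meaning and is assumed here to
   carry through to the collected value.

```python
"""Evaluate collected passwordpolicy (7.339) and lockoutpolicy (7.334)
records against a baseline.  Added example, not part of the draft: the
thresholds in BASELINE are an assumed hardening baseline and the policy
records below are constructed, not collected from a host."""
from __future__ import annotations

TIMEQ_FOREVER = 0xFFFFFFFF   # usrmod0_max_passwd_age: password never expires
ONE_DAY = 86_400             # smallest valid maxPasswdAge, in seconds

# Assumed baseline: seconds for ages and durations, counts elsewhere.
BASELINE = {
    "maxPasswdAge": 90 * ONE_DAY,      # at most 90 days
    "minPasswdAge": ONE_DAY,           # at least 1 day
    "minPasswdLen": 14,
    "passwordHistLen": 24,
    "lockoutThreshold": 10,            # at most 10 bad attempts
    "lockoutDuration": 15 * 60,        # at least 15 minutes
    "lockoutObservationWindow": 15 * 60,
}

def evaluate_password_policy(p: dict) -> list[str]:
    """One finding per passwordpolicy element outside the baseline."""
    findings = []
    age = p["maxPasswdAge"]
    if age == TIMEQ_FOREVER:
        findings.append("maxPasswdAge: passwords never expire (TIMEQ_FOREVER)")
    elif age < ONE_DAY:
        findings.append("maxPasswdAge: below the ONE_DAY minimum, value is invalid")
    elif age > BASELINE["maxPasswdAge"]:
        findings.append(f"maxPasswdAge: {age // ONE_DAY} days exceeds baseline")
    if p["minPasswdAge"] < BASELINE["minPasswdAge"]:
        findings.append("minPasswdAge: users can cycle passwords immediately")
    if p["minPasswdLen"] < BASELINE["minPasswdLen"]:
        findings.append(f"minPasswdLen: {p['minPasswdLen']} below baseline")
    if p["passwordHistLen"] < BASELINE["passwordHistLen"]:
        findings.append(f"passwordHistLen: {p['passwordHistLen']} below baseline")
    if not p["passwordComplexity"]:
        findings.append("passwordComplexity: complexity requirements disabled")
    if p["reversibleEncryption"]:
        findings.append("reversibleEncryption: passwords recoverable in cleartext")
    return findings

def evaluate_lockout_policy(p: dict) -> list[str]:
    """One finding per lockoutpolicy element outside the baseline."""
    findings = []
    threshold = p["lockoutThreshold"]
    if threshold == 0:
        findings.append("lockoutThreshold: 0, accounts never lock out")
    elif threshold > BASELINE["lockoutThreshold"]:
        findings.append(f"lockoutThreshold: {threshold} above baseline")
    # Assumed: a duration of 0 means "locked until an administrator
    # unlocks" (the Group Policy meaning), which satisfies any minimum.
    if 0 < p["lockoutDuration"] < BASELINE["lockoutDuration"]:
        findings.append("lockoutDuration: auto-unlock sooner than baseline")
    if p["lockoutObservationWindow"] < BASELINE["lockoutObservationWindow"]:
        findings.append("lockoutObservationWindow: counter resets too quickly")
    return findings

# Constructed records, keyed by the element names of 7.334 and 7.339.
WEAK_PASSWORD_POLICY = {
    "maxPasswdAge": TIMEQ_FOREVER, "minPasswdAge": 0, "minPasswdLen": 8,
    "passwordHistLen": 5, "passwordComplexity": False,
    "reversibleEncryption": True,
}
WEAK_LOCKOUT_POLICY = {
    "forceLogoff": TIMEQ_FOREVER, "lockoutDuration": 60,
    "lockoutObservationWindow": 60, "lockoutThreshold": 0,
}
GOOD_PASSWORD_POLICY = {
    "maxPasswdAge": 60 * ONE_DAY, "minPasswdAge": ONE_DAY, "minPasswdLen": 14,
    "passwordHistLen": 24, "passwordComplexity": True,
    "reversibleEncryption": False,
}
GOOD_LOCKOUT_POLICY = {
    "forceLogoff": TIMEQ_FOREVER, "lockoutDuration": 0,
    "lockoutObservationWindow": 30 * 60, "lockoutThreshold": 5,
}

if __name__ == "__main__":
    for finding in (evaluate_password_policy(WEAK_PASSWORD_POLICY)
                    + evaluate_lockout_policy(WEAK_LOCKOUT_POLICY)):
        print("FINDING:", finding)
```

   The sentinel checks come first on purpose: compared as a plain
   integer, TIMEQ_FOREVER would merely read as a very long maximum age
   and the "never expires" condition would be reported as an exceeded
   threshold instead of the distinct finding it is.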
7.28.  sourceIPv4PrefixLength

   elementId: TBD
   name: sourceIPv4PrefixLength
   dataType: unsigned8
   status: current
   description: The number of contiguous bits that are relevant in
                the sourceIPv4Prefix Information Element.

7.29.  ingressInterface

   elementId: TBD
   name: ingressInterface
   dataType: unsigned32
   status: current
   description: The index of the IP interface where packets of this
                Flow are being received.  The value matches the value
                of managed object 'ifIndex' as defined in [RFC2863].
                Note that ifIndex values are not assigned statically
                to an interface and that the interfaces may be
                renumbered every time the device's management system
                is re-initialized, as specified in [RFC2863].

7.30.  destinationTransportPort

   elementId: TBD
   name: destinationTransportPort
   dataType: unsigned16
   status: current
   description: The destination port identifier in the transport
                header.  For the transport protocols UDP, TCP, and
                SCTP, this is the destination port number given in
                the respective header.  This field MAY also be used
                for future transport protocols that have 16-bit
                destination port identifiers.

7.31.  sourceIPv6PrefixLength

   elementId: TBD
   name: sourceIPv6PrefixLength
   dataType: unsigned8
   status: current
   description: The number of contiguous bits that are relevant in
                the sourceIPv6Prefix Information Element.

7.32.  sourceIPv4Prefix

   elementId: TBD
   name: sourceIPv4Prefix
   dataType: ipv4Address
   status: current
   description: IPv4 source address prefix.

7.33.  destinationIPv4Prefix

   elementId: TBD
   name: destinationIPv4Prefix
   dataType: ipv4Address
   status: current
   description: IPv4 destination address prefix.

7.34.  sourceMacAddress

   elementId: TBD
   name: sourceMacAddress
   dataType: macAddress
   status: current
   description: The IEEE 802 source MAC address field.

7.35.  ipVersion

   elementId: TBD
   name: ipVersion
   dataType: unsigned8
   status: current
   description: The IP version field in the IP packet header.

7.36.  interfaceDescription

   elementId: TBD
   name: interfaceDescription
   dataType: string
   status: current
   description: The description of an interface, e.g. "FastEthernet
                1/0" or "ISP connection".

7.37.  applicationDescription

   elementId: TBD
   name: applicationDescription
   dataType: string
   status: current
   description: Specifies the description of an application.

7.38.  applicationId

   elementId: TBD
   name: applicationId
   dataType: octetArray
   status: current
   description: Specifies an Application ID per [RFC6759].

7.39.  applicationName

   elementId: TBD
   name: applicationName
   dataType: string
   status: current
   description: Specifies the name of an application.

7.40.  exporterIPv4Address

   elementId: TBD
   name: exporterIPv4Address
   dataType: ipv4Address
   status: current
   description: The IPv4 address used by the Exporting Process.
                This is used by the Collector to identify the
                Exporter in cases where the identity of the Exporter
                may have been obscured by the use of a proxy.

7.41.  exporterIPv6Address

   elementId: TBD
   name: exporterIPv6Address
   dataType: ipv6Address
   status: current
   description: The IPv6 address used by the Exporting Process.
                This is used by the Collector to identify the
                Exporter in cases where the identity of the Exporter
                may have been obscured by the use of a proxy.

7.42.  portId

   elementId: TBD
   name: portId
   dataType: unsigned32
   status: current
   description: An identifier of a line port that is unique per
                IPFIX Device hosting an Observation Point.
                Typically, this Information Element is used for
                limiting the scope of other Information Elements.

7.43.  templateId

   elementId: TBD
   name: templateId
   dataType: unsigned16
   status: current
   description: An identifier of a Template that is locally unique
                within a combination of a Transport session and an
                Observation Domain.

                Template IDs 0-255 are reserved for Template Sets,
                Options Template Sets, and other reserved Sets yet
                to be created.  Template IDs of Data Sets are
                numbered from 256 to 65535.

                Typically, this Information Element is used for
                limiting the scope of other Information Elements.
                Note that after a re-start of the Exporting Process
                Template identifiers may be re-assigned.

7.44.  collectorIPv4Address

   elementId: TBD
   name: collectorIPv4Address
   dataType: ipv4Address
   status: current
   description: An IPv4 address to which the Exporting Process sends
                Flow information.

7.346.  portInfo

   elementId: TBD
   name: portInfo
   dataType: list
   structure: list (localAddress, localPort, transportProtocol,
         pid, foreignAddress, foreignPort)
   status: current
   description: Information about open listening ports.

7.347.  foreignPort

   elementId: TBD
   name: foreignPort
   dataType: string
   status: current
   description: The TCP or UDP port with which the program
         communicates.

7.348.  printereffectiverights

   elementId: TBD
   name: printereffectiverights
   dataType: list
   structure: list (printerName, trusteeSid,
         standardDelete, standardReadControl, standardWriteDac,
         standardWriteOwner, standardSynchronize,
         accessSystemSecurity, genericRead, genericWrite,
         genericExecute, genericAll, printerAccessAdminister,
         printerAccessUse, jobAccessAdminister, jobAccessRead)
   status: current
   description: Stores the effective rights of a printer that a
   discretionary access control list (DACL) structure grants to a
   specified trustee.  The trustee's effective rights are determined
   by checking all access-allowed and access-denied access control
   entries (ACEs) in the DACL.

7.349.  printerName

   elementId: TBD
   name: printerName
   dataType: string
   status: current
   description: Specifies the name of the printer.

7.350.  printerAccessAdminister

   elementId: TBD
   name: printerAccessAdminister
   dataType: boolean
   status: current
   description: Grants the right to perform administrative tasks on
         the printer.

7.351.  printerAccessUse

   elementId: TBD
   name: printerAccessUse
   dataType: boolean
   status: current
   description: Grants the right to use the printer, i.e. to submit
         print jobs.

7.352.  jobAccessAdminister

   elementId: TBD
   name: jobAccessAdminister
   dataType: boolean
   status: current
   description: Grants the right to perform administrative tasks on a
         print job.

7.353.  jobAccessRead

   elementId: TBD
   name: jobAccessRead
   dataType: boolean
   status: current
   description: Grants the right to read the information of a print
         job.

7.354.  registry

   elementId: TBD
   name: registry
   dataType: list
   structure: list (hive, key, registryKeyName, lastWriteTime,
         registryKeyType, registryKeyValue, windowsView)
   status: current
   description: Specifies information that can be collected about a
         particular registry key.

7.355.  hive

   elementId: TBD
   name: hive
   dataType: enumeration
   structure: HKEY_CLASSES_ROOT ; 0x1 ; This registry subtree
         contains information that associates file types with programs
         and configuration data for automation (e.g. COM objects and
         Visual Basic Programs).
         HKEY_CURRENT_CONFIG ; 0x2 ; This registry subtree contains
         configuration data for the current hardware profile.
         HKEY_CURRENT_USER ; 0x3 ; This registry subtree contains the
         user profile of the user that is currently logged into the
         system.
         HKEY_LOCAL_MACHINE ; 0x4 ; This registry subtree contains
         information about the local system.
         HKEY_USERS ; 0x5 ; This registry subtree contains user-specific
         data.
         ; 0x6 ; The empty string value is permitted here to allow
         for detailed error reporting.
   status: current
   description: The hive that the registry key belongs to.

7.356.  registryKey

   elementId: TBD
   name: registryKey
   dataType: string
   status: current
   description: Describes the registry key.  Note that the hive
         portion of the string should not be included, as this data
         can be found under the hive element.

7.357.  registryKeyName

   elementId: TBD
   name: registryKeyName
   dataType: string
   status: current
   description: Describes the name of a registry key.

7.358.  lastWriteTime

   elementId: TBD
   name: lastWriteTime
   dataType: integer
   status: current
   description: The last time that the key or any of its value entries
         were modified.  The value of this entity represents the
         FILETIME structure which is a 64-bit value representing the
         number of 100-nanosecond intervals since January 1, 1601
         (UTC).  Last write time can be queried on any key, with hives
         being classified as a type of key.  When collecting only
         information about a registry hive or key the last write time
         will be the time the key or any of its entries were modified.
         When collecting only information about a registry name the
         last write time will be the time the containing key was
         modified.  Thus when collecting information about a registry
         name, the last write time does not correlate directly to the
         specified name.  See the RegQueryInfoKey function
         lpftLastWriteTime.

7.359.  registryKeyType

   elementId: TBD
   name: registryKeyType
   dataType: enumeration
   structure: reg_binary ; 0x1 ; The reg_binary type is used by
         registry keys that specify binary data in any form.
         reg_dword ; 0x2 ; The reg_dword type is used by registry keys
         that specify an unsigned 32-bit integer.
         reg_dword_little_endian ; 0x3 ; The reg_dword_little_endian
         type is used by registry keys that specify an unsigned 32-bit
         little-endian integer.  It is designed to run on
         little-endian computer architectures.
         reg_dword_big_endian ; 0x4 ; The reg_dword_big_endian type
         is used by registry keys that specify an unsigned 32-bit
         big-endian integer.  It is designed to run on big-endian
         computer architectures.
         reg_expand_sz ; 0x5 ; The reg_expand_sz type is used by
         registry keys to specify a null-terminated string that
         contains unexpanded references to environment variables (for
         example, "%PATH%").
         reg_link ; 0x6 ; The reg_link type is used by registry keys
         for null-terminated unicode strings.  It is related to the
         target path of a symbolic link created by the RegCreateKeyEx
         function.
         reg_multi_sz ; 0x7 ; The reg_multi_sz type is used by
         registry keys that specify an array of null-terminated
         strings, terminated by two null characters.
         reg_none ; 0x8 ; The reg_none type is used by registry keys
         that have no defined value type.
         reg_qword ; 0x9 ; The reg_qword type is used by registry keys
         that specify an unsigned 64-bit integer.
         reg_qword_little_endian ; 0xA ; The reg_qword_little_endian
         type is used by registry keys that specify an unsigned 64-bit
         integer in little-endian computer architectures.
         reg_sz ; 0xB ; The reg_sz type is used by registry keys that
         specify a single null-terminated string.
         reg_resource_list ; 0xC ; The reg_resource_list type is used
         by registry keys that specify a resource list.
         reg_full_resource_descriptor ; 0xD ; The
         reg_full_resource_descriptor type is used by registry keys
         that specify a full resource descriptor.
         reg_resource_requirements_list ; 0xE ; The
         reg_resource_requirements_list type is used by registry keys
         that specify a resource requirements list.
         ; 0xF ; The empty string value is permitted here to allow
         for detailed error reporting.
   status: current
   description: Specifies the type of data stored by the registry
         key.

7.360.  registryKeyValue

   elementId: TBD
   name: registryKeyValue
   dataType: string
   status: current
   description: Holds the actual value of the specified registry key.
         The representation of the value as well as the associated
         datatype attribute depends on the type of data stored in the
         registry key.  If the value being tested is of type
         REG_BINARY, then the datatype attribute should be set to
         'binary' and the data represented by the value entity should
         follow the xsd:hexBinary form (each binary octet is encoded
         as two hex digits).  If the value being tested is of type
         REG_DWORD, REG_QWORD, REG_DWORD_LITTLE_ENDIAN,
         REG_DWORD_BIG_ENDIAN, or REG_QWORD_LITTLE_ENDIAN then the
         datatype attribute should be set to 'int' and the value
         entity should represent the data as an unsigned integer.
         DWORD and QWORD values represent unsigned 32-bit and 64-bit
         integers, respectively.  If the value being tested is of
         type REG_EXPAND_SZ, then the datatype attribute should be
         set to 'string' and the pre-expanded string should be
         represented by the value entity.  If the value being tested
         is of type REG_MULTI_SZ, then only a single string (one of
         the multiple strings) should be tested using the value
         entity with the datatype attribute set to 'string'.  In
         order to test multiple values, multiple OVAL registry tests
         should be used.  If the specified registry key is of type
         REG_SZ, then the datatype should be 'string' and the value
         entity should be a copy of the string.  If the value being
         tested is of type REG_LINK, then the datatype attribute
         should be set to 'string' and the null-terminated Unicode
         string should be represented by the value entity.

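   Turning what RegQueryValueEx and RegQueryInfoKey return into the
   registry record of 7.354 means mapping the Win32 REG_* type code
   onto the registryKeyType enumeration (7.359), applying the
   representation rules of registryKeyValue (7.360) to the raw bytes,
   and converting the FILETIME behind lastWriteTime (7.358).  The
   following Python is an added example, not code from the draft or
   from any collector: it does all three for constructed sample values.
   REG_DWORD_LITTLE_ENDIAN and REG_QWORD_LITTLE_ENDIAN share the Win32
   type codes of REG_DWORD and REG_QWORD, so they collapse onto
   reg_dword and reg_qword here; a REG_MULTI_SZ value is returned as
   the list of its individual strings, which is what a collector needs
   before it can report one of them the way 7.360 describes.  The
   decoded value is kept in its native Python type rather than the
   string form a data model would serialize.

```python
"""Build the registry record of 7.354 from raw Win32 registry data (a
REG_* type code, the value bytes and a FILETIME), using the
registryKeyType names of 7.359, the representation rules of 7.360 and
the FILETIME epoch of 7.358.  Added example, not part of the draft; the
sample entries are constructed, not collected."""
from __future__ import annotations
import struct
from datetime import datetime, timedelta, timezone

# Win32 REG_* type code -> (registryKeyType name, enumeration code).
# REG_DWORD_LITTLE_ENDIAN (4) and REG_QWORD_LITTLE_ENDIAN (11) are the
# same codes as REG_DWORD and REG_QWORD in winnt.h, so they map to
# reg_dword and reg_qword.
REG_TYPES = {
    0: ("reg_none", 0x8), 1: ("reg_sz", 0xB), 2: ("reg_expand_sz", 0x5),
    3: ("reg_binary", 0x1), 4: ("reg_dword", 0x2),
    5: ("reg_dword_big_endian", 0x4), 6: ("reg_link", 0x6),
    7: ("reg_multi_sz", 0x7), 8: ("reg_resource_list", 0xC),
    9: ("reg_full_resource_descriptor", 0xD),
    10: ("reg_resource_requirements_list", 0xE), 11: ("reg_qword", 0x9),
}
HEX_TYPES = {"reg_binary", "reg_resource_list",
             "reg_full_resource_descriptor", "reg_resource_requirements_list"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_iso(filetime: int) -> str:
    """lastWriteTime: 100-nanosecond intervals since 1601-01-01 UTC."""
    return (FILETIME_EPOCH + timedelta(microseconds=filetime // 10)).isoformat()

def decode_value(reg_type: int, raw: bytes):
    """Apply the registryKeyValue representation rules to raw bytes."""
    name, _ = REG_TYPES[reg_type]
    if name in HEX_TYPES:
        return raw.hex()                        # xsd:hexBinary form
    if name == "reg_dword":
        return struct.unpack("<I", raw)[0]      # unsigned 32-bit, little-endian
    if name == "reg_dword_big_endian":
        return struct.unpack(">I", raw)[0]
    if name == "reg_qword":
        return struct.unpack("<Q", raw)[0]      # unsigned 64-bit
    if name == "reg_multi_sz":
        # UTF-16LE strings, each NUL-terminated, list ended by one more NUL.
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    if name in ("reg_sz", "reg_expand_sz", "reg_link"):
        # Strings stay unexpanded: "%PATH%" is reported literally.
        return raw.decode("utf-16-le").rstrip("\x00")
    return None                                 # reg_none: no value

def registry_record(hive: str, key: str, name: str, reg_type: int,
                    raw: bytes, filetime: int, view: str = "64_bit") -> dict:
    type_name, type_code = REG_TYPES[reg_type]
    return {
        "hive": hive, "key": key, "registryKeyName": name,
        "lastWriteTime": filetime_to_iso(filetime),
        "registryKeyType": type_name, "registryKeyTypeCode": type_code,
        "registryKeyValue": decode_value(reg_type, raw), "windowsView": view,
    }

# Constructed entries: a DWORD, an unexpanded path, a binary blob and a
# multi-string, all stamped 2016-09-09T00:00:00 UTC as a FILETIME.
FT_2016 = 131178528000000000
SAMPLES = [
    registry_record("HKEY_LOCAL_MACHINE",
                    r"SYSTEM\CurrentControlSet\Control\Lsa",
                    "LmCompatibilityLevel", 4, struct.pack("<I", 5), FT_2016),
    registry_record("HKEY_LOCAL_MACHINE", r"SOFTWARE\Example", "InstallDir",
                    2, "%ProgramFiles%\\Example\x00".encode("utf-16-le"), FT_2016),
    registry_record("HKEY_LOCAL_MACHINE", r"SOFTWARE\Example", "Blob",
                    3, b"\xde\xad\xbe\xef", FT_2016),
    registry_record("HKEY_LOCAL_MACHINE", r"SOFTWARE\Example", "Paths",
                    7, "C:\\a\x00C:\\b\x00\x00".encode("utf-16-le"), FT_2016),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec)
```

   Note that the hive is carried separately and the key string omits
   it, as 7.356 requires, and that the REG_EXPAND_SZ sample is reported
   with "%ProgramFiles%" intact: expanding it on the collector would
   substitute the collector's environment, not the endpoint's.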
7.45.  collectorIPv6Address

   elementId: TBD
   name: collectorIPv6Address
   dataType: ipv6Address
   status: current
   description: An IPv6 address to which the Exporting Process sends
                Flow information.

7.46.  informationElementIndex

   elementId: TBD
   name: informationElementIndex
   dataType: unsigned16
   status: current
   description: A zero-based index of an Information Element
                referenced by informationElementId within a Template
                referenced by templateId; used to disambiguate scope
                for templates containing multiple identical
                Information Elements.

7.47.  informationElementId

   elementId: TBD
   name: informationElementId
   dataType: unsigned16
   status: current
   description: This Information Element contains the ID of another
                Information Element.

7.361.  regkeyauditedpermissions

   elementId: TBD
   name: regkeyauditedpermissions
   dataType: list
   structure: list (key, trusteeSid, trusteeName,
         standardDelete, standardReadControl, standardWriteDac,
         standardWriteOwner, standardSynchronize,
         accessSystemSecurity, genericRead, genericWrite,
         genericExecute, genericAll, keyQueryValue, keySetValue,
         keyCreateSubKey, keyEnumerateSubKeys, keyNotify,
         keyCreateLink, keyWow6464Key, keyWow6432Key, keyWow64Res,
         windowsView)
   status: current
   description: Stores the audited access rights of a registry key
   that a system access control list (SACL) structure grants to a
   specified trustee.  The trustee's audited access rights are
   determined by checking all access control entries (ACEs) in the
   SACL.

7.362.  auditKeyQueryValue

   elementId: TBD
   name: auditKeyQueryValue
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of the
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: The audit setting applied to the right to query the
   values of the key.

7.48.  informationElementDataType

7.363.  auditKeySetValue
   elementId: TBD
   name: informationElementDataType auditKeySetValue
   dataType: unsigned8
   status: current
   description: A description of the abstract data enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of an IPFIX
                information element.These are taken from
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the
                abstract data types defined in section 3.1 specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the
                IPFIX Information Model [RFC5102]; see that section
                for more information specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the types described in the
                informationElementDataType sub-registry.

                These types are registered in the IANA IPFIX
                Information Element Data Type subregistry.  This
                subregistry specified events when auditing is intended enabled.
   ; 0x5 ; The empty string value is permitted here to assign numbers allow for
   detailed error reporting.
   status: current
   description:

7.364.  auditKeyCreateSubKey

   elementId: TBD
   name: auditKeyCreateSubKey
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type
                names, not AUDIT_FAILURE is
   used to provide a mechanism perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for adding data
                types the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the IPFIX Protocol, specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and as such requires a
                Standards Action [RFC5226] unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to modify.

7.49.  informationElementDescription allow for
   detailed error reporting.
   status: current
   description:

7.365.  auditKeyEnumerateSubKeys
   elementId: TBD
   name: informationElementDescription auditKeyEnumerateSubKeys
   dataType: string
   status: current
   description: A UTF-8 [RFC3629] encoded Unicode string containing
                a human-readable description of an Information
                Element. enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The content audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of the
                informationElementDescription MAY be annotated with
                one or more language tags [RFC4646], encoded
                in-line [RFC2482] within the UTF-8 string, in order
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to specify the language in which cancel
   all auditing options for the description specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is
                written.  Description text in multiple languages MAY
                tag each section with its own language tag; in this
                case, the description information in each language
                SHOULD have equivalent meaning.  In the absence used to
   perform audits on all successful occurrences of
                any language tag, the "i-default" [RFC2277] language
                SHOULD be assumed.  See the Security Considerations
                section for notes specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string handling value is permitted here to allow for Information
                Element type records.

7.50.  informationElementName
   detailed error reporting.
   status: current
   description:

7.366.  auditKeyNotify

   elementId: TBD
   name: informationElementName auditKeyNotify
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: A UTF-8 [RFC3629] encoded Unicode string containing

7.367.  auditKeyCreateLink
   elementId: TBD
   name: auditKeyCreateLink
   dataType: enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the name specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of an Information Element, intended as a
                simple identifier.  See the Security Considerations
                section for notes specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string handling value is permitted here to allow for Information
                Element type records.

7.51.  informationElementRangeBegin
   detailed error reporting.
   status: current
   description:

7.368.  auditKeyWow6464Key

   elementId: TBD
   name: informationElementRangeBegin auditKeyWow6464Key
   dataType: unsigned64 enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for
   detailed error reporting.
   status: current
   description: Contains the inclusive low end of the range of
                acceptable values for an Information Element.

7.52.  informationElementRangeEnd

7.369.  auditKeyWow6432Key
   elementId: TBD
   name: informationElementRangeEnd auditKeyWow6432Key
   dataType: unsigned64
   status: current
   description: Contains enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the inclusive high end specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the range specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of
                acceptable values the specified events when auditing is enabled.
   ; 0x5 ; The empty string value is permitted here to allow for an Information Element.

7.53.  informationElementSemantics
   detailed error reporting.
   status: current
   description:

7.370.  auditKeyWow64Res

   elementId: TBD
   name: informationElementSemantics auditKeyWow64Res
   dataType: unsigned8
   status: current
   description: A description of the semantics enumeration
   structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
   used to perform audits on all unsuccessful occurrences of an IPFIX
                Information Element.  These are taken from
   specified events when auditing is enabled.
   AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
   all auditing options for the data specified events.
   AUDIT_SUCCESS ; 0x3 ; The audit type semantics defined in section 3.2 AUDIT_SUCCESS is used to
   perform audits on all successful occurrences of the IPFIX
                Information Model [RFC5102]; see that section for
                more information specified
   events when auditing is enabled.
   AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
   is used to perform audits on all successful and unsuccessful
   occurrences of the types defined in the
                informationElementSemantics sub-registry.  This
                field may take the values in Table specified events when auditing is enabled.
   ; the special 0x5 ; The empty string value 0x00 (default) is used to note that no
                semantics apply permitted here to allow for
   detailed error reporting.
   status: current
   description:

7.371.  regkeyeffectiverights

   elementId: TBD
   name: regkeyeffectiverights
   dataType: list
   structure: list (hive, key, trusteeSid,
         trusteeName, standardDelete, standardReadControl,
         standardWriteDac, standardWriteOwner, standardSynchronize,
         accessSystemSecurity, genericRead, genericWrite,
         genericExecute, genericAll, keyQueryValue, keySetValue,
         keyCreateSubKey, keyEnumerateSubKeys, keyNotify,
         keyCreateLink, keyWow6464Key, keyWow6432Key, keyWow64Res,
         windowsView)
   status: current
   description: Stores the effective rights of a registry key that a
         discretionary access control list (DACL) structure grants
         to a specified trustee.  The trustee's effective rights
         are determined by checking all access-allowed and
         access-denied access control entries (ACEs) in the DACL.

7.372.  keyQueryValue

   elementId: TBD
   name: keyQueryValue
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
         query the key's value.

7.373.  keySetValue

   elementId: TBD
   name: keySetValue
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
         set the key's value.

7.374.  keyCreateSubKey

   elementId: TBD
   name: keyCreateSubKey
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
         create a subkey.

7.375.  keyEnumerateSubKeys

   elementId: TBD
   name: keyEnumerateSubKeys
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
         list the subkeys associated with the key.

7.376.  keyNotify

   elementId: TBD
   name: keyNotify
   dataType: boolean
   status: current
   description:

7.377.  keyCreateLink

   elementId: TBD
   name: keyCreateLink
   dataType: boolean
   status: current
   description:

7.378.  keyWow6464Key

   elementId: TBD
   name: keyWow6464Key
   dataType: boolean
   status: current
   description:

7.379.  keyWow6432Key

   elementId: TBD
   name: keyWow6432Key
   dataType: boolean
   status: current
   description:

7.380.  keyWow64Res

   elementId: TBD
   name: keyWow64Res
   dataType: boolean
   status: current
   description:
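
   The following Python program is an added example; it is not part
   of this draft and not code from any SACM implementation.  It shows
   how a collector could populate the regkeyauditedpermissions
   (Section 7.361) and regkeyeffectiverights (Section 7.371) records
   for one trustee from a registry key's SACL and DACL, filling the
   auditKey* enumerations of Sections 7.362 to 7.370 and the key*
   booleans of Sections 7.372 to 7.380.  The ACE representation, the
   trustee and group SIDs and both ACLs are constructed for the
   example; the KEY_* access-mask bits and the SUCCESSFUL/FAILED
   audit ACE flags are the Windows SDK (winnt.h) constants, which the
   draft itself does not define.

```python
from dataclasses import dataclass

# Registry-specific access-right bits from the Windows SDK (winnt.h),
# keyed by the boolean element names of section 7.371.  These bit values
# are an assumption of this example; the draft does not define them.
KEY_RIGHTS = {
    "keyQueryValue": 0x0001,
    "keySetValue": 0x0002,
    "keyCreateSubKey": 0x0004,
    "keyEnumerateSubKeys": 0x0008,
    "keyNotify": 0x0010,
    "keyCreateLink": 0x0020,
    "keyWow6464Key": 0x0100,
    "keyWow6432Key": 0x0200,
    "keyWow64Res": 0x0300,
}
# AceFlags bits of a SYSTEM_AUDIT_ACE (winnt.h); also assumed here.
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40
FAILED_ACCESS_ACE_FLAG = 0x80

# auditKey* enumeration values as defined in sections 7.362 to 7.370.
AUDIT_FAILURE, AUDIT_NONE, AUDIT_SUCCESS, AUDIT_SUCCESS_FAILURE = 0x1, 0x2, 0x3, 0x4


@dataclass(frozen=True)
class Ace:
    """One access control entry (constructed representation)."""
    kind: str       # "allow" / "deny" (DACL) or "audit" (SACL)
    sid: str        # trustee the ACE applies to
    mask: int       # access mask
    flags: int = 0  # AceFlags; only the audit flags are used here


def _covers(ace, bit):
    # A right counts as covered only when every bit of it is in the mask
    # (matters for KEY_WOW64_RES, which is two bits).
    return (ace.mask & bit) == bit


def audited_permissions(sacl, trustee_sids):
    """Map every key right to an auditKey* enumeration value.

    All audit ACEs naming the trustee or one of its groups contribute
    their success/failure flags, as section 7.361 describes."""
    out = {}
    for name, bit in KEY_RIGHTS.items():
        success = failure = False
        for ace in sacl:
            if ace.kind == "audit" and ace.sid in trustee_sids and _covers(ace, bit):
                success |= bool(ace.flags & SUCCESSFUL_ACCESS_ACE_FLAG)
                failure |= bool(ace.flags & FAILED_ACCESS_ACE_FLAG)
        if success and failure:
            value = AUDIT_SUCCESS_FAILURE
        elif success:
            value = AUDIT_SUCCESS
        elif failure:
            value = AUDIT_FAILURE
        else:
            value = AUDIT_NONE
        out["audit" + name[0].upper() + name[1:]] = value
    return out


def effective_rights(dacl, trustee_sids):
    """Resolve every key right to True/False from the DACL.

    ACEs are walked in order; the first allow/deny ACE that applies to
    the trustee and covers the right decides it, so a deny ACE placed
    ahead of an allow (canonical order) wins.  Rights no ACE mentions
    are not granted."""
    out = {}
    for name, bit in KEY_RIGHTS.items():
        granted = False
        for ace in dacl:
            if ace.kind in ("allow", "deny") and ace.sid in trustee_sids and _covers(ace, bit):
                granted = ace.kind == "allow"
                break
        out[name] = granted
    return out


def registry_records(hive, key, trustee_sid, group_sids, sacl, dacl):
    """Return (regkeyauditedpermissions, regkeyeffectiverights) entries
    for one trustee, restricted to the key* fields handled above."""
    sids = {trustee_sid, *group_sids}
    audited = {"key": key, "trusteeSid": trustee_sid, **audited_permissions(sacl, sids)}
    effective = {"hive": hive, "key": key, "trusteeSid": trustee_sid,
                 **effective_rights(dacl, sids)}
    return audited, effective


# Constructed sample: a user SID, its BUILTIN\Users group (S-1-5-32-545),
# a DACL in canonical order (deny ACE first) and a SACL.
USER_SID = "S-1-5-21-0-0-0-1001"
USERS_GROUP = "S-1-5-32-545"
SAMPLE_DACL = [
    Ace("deny", USERS_GROUP, 0x0006),   # deny set value + create subkey
    Ace("allow", USER_SID, 0x000F),     # allow query/set/create/enumerate
    Ace("allow", USERS_GROUP, 0x0010),  # allow notify
]
SAMPLE_SACL = [
    Ace("audit", USERS_GROUP, 0x0002, SUCCESSFUL_ACCESS_ACE_FLAG | FAILED_ACCESS_ACE_FLAG),
    Ace("audit", USER_SID, 0x0004, FAILED_ACCESS_ACE_FLAG),
    Ace("audit", USERS_GROUP, 0x0001, SUCCESSFUL_ACCESS_ACE_FLAG),
]

if __name__ == "__main__":
    for record in registry_records("HKEY_LOCAL_MACHINE", r"SOFTWARE\Example",
                                   USER_SID, [USERS_GROUP], SAMPLE_SACL, SAMPLE_DACL):
        print(record)
```

   The effective-rights walk stops at the first ACE that covers a
   right, so an access-denied ACE only blocks an allow that follows
   it.  A DACL that is not in canonical order (denies before allows)
   therefore yields different answers than simply subtracting the
   union of denied bits from the union of allowed bits, which is why
   the example evaluates in ACE order.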

7.381.  service

   elementId: TBD
   name: service
   dataType: list
   structure: list (serviceName, displayName, description,
         serviceType, startType, currentState, controlsAccepted,
         startName, path, pid, serviceFlag, dependencies)
   status: current
   description: Stores information about Windows services present on
         the system.

7.382.  displayName

   elementId: TBD
   name: displayName
   dataType: string
   status: current
   description: Specifies the name of the service as specified in
         administrative tools.

7.383.  description

   elementId: TBD
   name: description
   dataType: string
   status: current
   description: Specifies the description of the service.

7.384.  serviceType

   elementId: TBD
   name: serviceType
   dataType: enumeration
   structure: SERVICE_FILE_SYSTEM_DRIVER ; 0x1 ; The
         SERVICE_FILE_SYSTEM_DRIVER type means that the service is
         a file system driver.  The DWORD value that this
         corresponds to is 0x00000002.
         SERVICE_KERNEL_DRIVER ; 0x2 ; The SERVICE_KERNEL_DRIVER type
         means that the service is a driver.  The DWORD value that
         this corresponds to is 0x00000001.
         SERVICE_WIN32_OWN_PROCESS ; 0x3 ; The
         SERVICE_WIN32_OWN_PROCESS type means that the service runs
         in its own process.  The DWORD value that this corresponds
         to is 0x00000010.
         SERVICE_WIN32_SHARE_PROCESS ; 0x4 ; The
         SERVICE_WIN32_SHARE_PROCESS type means that the service runs
         in a process with other services.  The DWORD value that this
         corresponds to is 0x00000020.
         SERVICE_INTERACTIVE_PROCESS ; 0x5 ; The
         SERVICE_WIN32_SHARE_PROCESS type means that the service runs
         in a process with other services.  The DWORD value that this
         corresponds to is 0x00000100.
         ; 0x6 ; The empty string value is permitted here to allow for
         empty elements associated with error conditions.
   status: current
   description: Specifies the type of the service.

7.385.  startType

   elementId: TBD
   name: startType
   dataType: enumeration
   structure: SERVICE_AUTO_START ; 0x1 ; The SERVICE_AUTO_START type
         means that the service is started automatically by the
         Service Control Manager (SCM) during startup.  The DWORD
         value that this corresponds to is 0x00000002.
         SERVICE_BOOT_START ; 0x2 ; The SERVICE_BOOT_START type means
         that the driver service is started by the system loader.
         The DWORD value that this corresponds to is 0x00000000.
         SERVICE_DEMAND_START ; 0x3 ; The SERVICE_DEMAND_START type
         means that the service is started by the Service Control
         Manager (SCM) when StartService() is called.  The DWORD
         value that this corresponds to is 0x00000003.
         SERVICE_DISABLED ; 0x4 ; The SERVICE_DISABLED type means
         that the service cannot be started.  The DWORD value that
         this corresponds to is 0x00000004.
         SERVICE_SYSTEM_START ; 0x5 ; The SERVICE_SYSTEM_START type
         means that the service is a device driver started by
         IoInitSystem().  The DWORD value that this corresponds to is
         0x00000001.
         ; 0x6 ; The empty string value is permitted here to allow
         for empty elements associated with error conditions.
   status: current
   description: Specifies when the service should be started.

7.386.  currentState

   elementId: TBD
   name: currentState
   dataType: enumeration
   structure: SERVICE_CONTINUE_PENDING ; 0x1 ; The
         SERVICE_CONTINUE_PENDING type means that the service has
         been sent a command to continue, however, the command has
         not yet been executed.  The DWORD value that this
         corresponds to is 0x00000005.
         SERVICE_PAUSE_PENDING ; 0x2 ; The SERVICE_PAUSE_PENDING type
         means that the service has been sent a command to pause,
         however, the command has not yet been executed.  The DWORD
         value that this corresponds to is 0x00000006.
         SERVICE_PAUSED ; 0x3 ; The SERVICE_PAUSED type means that
         the service is paused.  The DWORD value that this
         corresponds to is 0x00000007.
         SERVICE_RUNNING ; 0x4 ; The SERVICE_RUNNING type means that
         the service is running.  The DWORD value that this
         corresponds to is 0x00000004.
         SERVICE_START_PENDING ; 0x5 ; The SERVICE_START_PENDING type
         means that the service has been sent a command to start,
         however, the command has not yet been executed.  The DWORD
         value that this corresponds to is 0x00000002.
         SERVICE_STOP_PENDING ; 0x6 ; The SERVICE_STOP_PENDING type
         means that the service has been sent a command to stop,
         however, the command has not yet been executed.  The DWORD
         value that this corresponds to is 0x00000003.
         SERVICE_STOPPED ; 0x7 ; The SERVICE_STOPPED type means that
         the service is stopped.  The DWORD value that this
         corresponds to is 0x00000001.
         ; 0x8 ; The empty string value is permitted here to allow
         for empty elements associated with error conditions.
   status: current
   description: Specifies the current state of the service.

7.387.  controlsAccepted

   elementId: TBD
   name: controlsAccepted
   dataType: enumeration
   structure: SERVICE_ACCEPT_NETBINDCHANGE ; 0x1 ; The
         SERVICE_ACCEPT_NETBINDCHANGE type means that the service is
         a network component and can accept changes in its binding
         without being stopped or restarted.  The DWORD value that
         this corresponds to is 0x00000010.
         SERVICE_ACCEPT_PARAMCHANGE ; 0x2 ; The
         SERVICE_ACCEPT_PARAMCHANGE type means that the service can
         re-read its startup parameters without being stopped or
         restarted.  The DWORD value that this corresponds to is
         0x00000008.
         SERVICE_ACCEPT_PAUSE_CONTINUE ; 0x3 ; The
         SERVICE_ACCEPT_PAUSE_CONTINUE type means that the service
         can be paused or continued.  The DWORD value that this
         corresponds to is 0x00000002.
         SERVICE_ACCEPT_PRESHUTDOWN ; 0x4 ; The
         SERVICE_ACCEPT_PRESHUTDOWN type means that the service can
         receive pre-shutdown notifications.  The DWORD value that
         this corresponds to is 0x00000100.
         SERVICE_ACCEPT_SHUTDOWN ; 0x5 ; The SERVICE_ACCEPT_SHUTDOWN
         type means that the service can receive shutdown
         notifications.  The DWORD value that this corresponds to is
         0x00000004.
         SERVICE_ACCEPT_STOP ; 0x6 ; The SERVICE_ACCEPT_STOP type
         means that the service can be stopped.  The DWORD value that
         this corresponds to is 0x00000001.
         SERVICE_ACCEPT_HARDWAREPROFILECHANGE ; 0x7 ; The
         SERVICE_ACCEPT_HARDWAREPROFILECHANGE type means that the
         service can receive notifications when the system's
         hardware profile changes.  The DWORD value that this
         corresponds to is 0x00000020.
         SERVICE_ACCEPT_POWEREVENT ; 0x8 ; The
         SERVICE_ACCEPT_POWEREVENT type means that the service can
         receive notifications when the system's power status has
         changed.  The DWORD value that this corresponds to is
         0x00000040.
         SERVICE_ACCEPT_SESSIONCHANGE ; 0x9 ; The
         SERVICE_ACCEPT_SESSIONCHANGE type means that the service can
         receive notifications when the system's session status has
         changed.  The DWORD value that this corresponds to is
         0x00000080.
         SERVICE_ACCEPT_TIMECHANGE ; 0xA ; The
         SERVICE_ACCEPT_TIMECHANGE type means that the service can
         receive notifications when the system time changes.  The
         DWORD value that this corresponds to is 0x00000200.
         SERVICE_ACCEPT_TRIGGEREVENT ; 0xB ; The
         SERVICE_ACCEPT_TRIGGEREVENT type means that the service can
         receive notifications when an event that the service has
         registered for occurs on the system.  The DWORD value that
         this corresponds to is 0x00000400.
         ; 0xC ; The empty string value is permitted here to allow
         for empty elements associated with error conditions.
   status: current
   description: Specifies the control codes that a service will
         accept and process.
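
   The following Python program is an added example, not part of this
   draft or of any SACM implementation.  It maps the DWORD values a
   Windows service reports to the serviceType, startType,
   currentState and controlsAccepted enumerations of Sections 7.384
   to 7.387 and assembles the enumeration-typed fields of a service
   list entry (Section 7.381).  The sample status values are
   constructed; their dictionary keys follow the member names of the
   Windows SERVICE_STATUS_PROCESS and QUERY_SERVICE_CONFIG
   structures, which is an assumption of the example and not part of
   the information model.

```python
# Enumeration name -> (value in the draft, DWORD value it corresponds to),
# taken from sections 7.384 to 7.387.
SERVICE_TYPE = {
    "SERVICE_FILE_SYSTEM_DRIVER": (0x1, 0x00000002),
    "SERVICE_KERNEL_DRIVER": (0x2, 0x00000001),
    "SERVICE_WIN32_OWN_PROCESS": (0x3, 0x00000010),
    "SERVICE_WIN32_SHARE_PROCESS": (0x4, 0x00000020),
    "SERVICE_INTERACTIVE_PROCESS": (0x5, 0x00000100),
}
START_TYPE = {
    "SERVICE_AUTO_START": (0x1, 0x00000002),
    "SERVICE_BOOT_START": (0x2, 0x00000000),
    "SERVICE_DEMAND_START": (0x3, 0x00000003),
    "SERVICE_DISABLED": (0x4, 0x00000004),
    "SERVICE_SYSTEM_START": (0x5, 0x00000001),
}
CURRENT_STATE = {
    "SERVICE_CONTINUE_PENDING": (0x1, 0x00000005),
    "SERVICE_PAUSE_PENDING": (0x2, 0x00000006),
    "SERVICE_PAUSED": (0x3, 0x00000007),
    "SERVICE_RUNNING": (0x4, 0x00000004),
    "SERVICE_START_PENDING": (0x5, 0x00000002),
    "SERVICE_STOP_PENDING": (0x6, 0x00000003),
    "SERVICE_STOPPED": (0x7, 0x00000001),
}
CONTROLS_ACCEPTED = {
    "SERVICE_ACCEPT_NETBINDCHANGE": (0x1, 0x00000010),
    "SERVICE_ACCEPT_PARAMCHANGE": (0x2, 0x00000008),
    "SERVICE_ACCEPT_PAUSE_CONTINUE": (0x3, 0x00000002),
    "SERVICE_ACCEPT_PRESHUTDOWN": (0x4, 0x00000100),
    "SERVICE_ACCEPT_SHUTDOWN": (0x5, 0x00000004),
    "SERVICE_ACCEPT_STOP": (0x6, 0x00000001),
    "SERVICE_ACCEPT_HARDWAREPROFILECHANGE": (0x7, 0x00000020),
    "SERVICE_ACCEPT_POWEREVENT": (0x8, 0x00000040),
    "SERVICE_ACCEPT_SESSIONCHANGE": (0x9, 0x00000080),
    "SERVICE_ACCEPT_TIMECHANGE": (0xA, 0x00000200),
    "SERVICE_ACCEPT_TRIGGEREVENT": (0xB, 0x00000400),
}
# Enumeration value reserved for the empty-string error entry of each element.
ERROR_VALUE = {"serviceType": 0x6, "startType": 0x6,
               "currentState": 0x8, "controlsAccepted": 0xC}


def decode_exact(table, dword, field):
    """Single-valued enumerations (serviceType, startType, currentState):
    the DWORD must match one entry exactly.  Anything else is reported
    through the empty-string error entry so the record is still produced
    and the anomaly stays visible."""
    for name, (enum_value, win_value) in table.items():
        if win_value == dword:
            return name, enum_value
    return "", ERROR_VALUE[field]


def decode_service_type(dword):
    """The SCM may OR SERVICE_INTERACTIVE_PROCESS (0x100) onto a Win32
    service type (for example 0x110).  Such a combined value matches no
    single entry of section 7.384, so it is reported via the error entry
    rather than silently truncated to one of its bits."""
    return decode_exact(SERVICE_TYPE, dword, "serviceType")


def decode_controls_accepted(dword):
    """controlsAccepted is a bitmask: list every accepted control ordered
    by its enumeration value; bits not defined in section 7.387 are
    reported as the error entry."""
    accepted, remaining = [], dword
    for name, (enum_value, win_value) in sorted(CONTROLS_ACCEPTED.items(),
                                                 key=lambda kv: kv[1][0]):
        if dword & win_value:
            accepted.append((name, enum_value))
            remaining &= ~win_value
    if remaining:
        accepted.append(("", ERROR_VALUE["controlsAccepted"]))
    return accepted


def service_entry(service_name, display_name, status):
    """Build the decoded fields of a 'service' list entry (section 7.381)
    from a constructed status dict (keys named after the Windows
    SERVICE_STATUS_PROCESS / QUERY_SERVICE_CONFIG members)."""
    return {
        "serviceName": service_name,
        "displayName": display_name,
        "serviceType": decode_service_type(status["dwServiceType"]),
        "startType": decode_exact(START_TYPE, status["dwStartType"], "startType"),
        "currentState": decode_exact(CURRENT_STATE, status["dwCurrentState"], "currentState"),
        "controlsAccepted": decode_controls_accepted(status["dwControlsAccepted"]),
        "pid": status["dwProcessId"],
    }


# Constructed sample: a running auto-start service in its own process
# that accepts stop, shutdown and pre-shutdown controls.
SAMPLE_STATUS = {
    "dwServiceType": 0x00000010,
    "dwStartType": 0x00000002,
    "dwCurrentState": 0x00000004,
    "dwControlsAccepted": 0x00000001 | 0x00000004 | 0x00000100,
    "dwProcessId": 4242,
}

if __name__ == "__main__":
    for field, value in service_entry("ExampleSvc", "Example Service", SAMPLE_STATUS).items():
        print(f"{field}: {value}")
```

   Note that the enumeration values in the draft are not the Windows
   DWORD values: SERVICE_ACCEPT_STOP is 0x6 in the information model
   but 0x00000001 on the wire from the SCM, so a collector that
   forwards the raw DWORD would be misread by any consumer that
   trusts the registry.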

7.388.  startName

   elementId: TBD
   name: mibObjectValueUnsigned startName
   dataType: unsigned64 string
   status: current
   description: An IPFIX Information Element which denotes that an
                unsigned integer value of a MIB object will be
                exported.  The MIB Object Identifier
                ("mibObjectIdentifier") for this field MUST be
                exported in a MIB Field Option or via another means.
                This Information Element is used for MIB objects
                with Specifies the Base Syntax of unsigned64 with IPFIX
                Reduced Size Encoding used as required. The value is
                encoded as per account under
         which the standard IPFIX Abstract Data Type
                of unsigned64.

7.66.  mibObjectValueTable process should run.

7.389.  serviceFlag

   elementId: TBD
   name: mibObjectValueTable serviceFlag
   dataType: orderedList boolean
   status: current
   description: An IPFIX Information Element which denotes that Specifies whether the
         service is in a
                complete system process that must always run (true)
         or partial conceptual table will be
                exported.  The MIB Object Identifier
                ("mibObjectIdentifier") for this field MUST be
                exported if the service is in a MIB Field Option non-system process or via another means.
                This Information Element is used for MIB objects
                with a SYNTAX not
         running (false).

7.390.  dependencies

   elementId: TBD
   name: dependencies
   dataType: string
   status: current
   description: Specifies the dependencies
         of SEQUENCE.  This is encoded as a
                subTemplateList this service on other services.

7.391.  serviceeffectiverights

   elementId: TBD
   name: serviceeffectiverights
   dataType: list
   structure: list (serviceName, trusteeSid,
         standardDelete, standardReadControl, standardWriteDac,
         standardWriteOwner, genericRead, genericWrite,
         genericExecute, serviceQueryConfs, erviceChangeConf,
         serviceQueryStat, serviceEnumDependents, serviceStart,
         serviceStop, servicePause, serviceInterrogate,
         serviceUserDefined)
   status: current
   description: Stores the
         effective rights of mibObjectValue Information
                Elements.  The template a service that a discretionary access
         control list (DACL) structure grants to a specified in the
                subTemplateList MUST be an Options Template and
                MUST include
         trustee. The trustee's effective rights are determined by
         checking all the Objects listed access-allowed and access-denied access
         control entries (ACEs) in the INDEX
                clause as Scope Fields.

7.67.  mibObjectValueRow DACL.

7.392.  trusteeSid

   elementId: TBD
   name: trusteeSid
   dataType: string
   status: current
   description: Specifies the SID associated with a user, group,
         system, or program (such as a Windows service).

7.393.  serviceQueryConf

   elementId: TBD
   name: serviceQueryConf
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
         query the service configuration.

7.394.  serviceChangeConf

   elementId: TBD
   name: serviceChangeConf
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
         change the service configuration.

7.395.  serviceQueryStat

   elementId: TBD
   name: serviceQueryStat
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
         query the service control manager about the status of the
         service.

7.396.  serviceEnumDependents

   elementId: TBD
   name: serviceEnumDependents
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
         query for an enumeration of all services dependent on the
         service.

7.397.  serviceStart

   elementId: TBD
   name: serviceStart
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
         start the service.

7.398.  serviceStop

   elementId: TBD
   name: serviceStop
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
         stop the service.

7.399.  servicePause

   elementId: TBD
   name: servicePause
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
         pause or continue the service.

7.400.  serviceInterrogate

   elementId: TBD
   name: serviceInterrogate
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
         request the service to report its status immediately.

7.401.  serviceUserDefined

   elementId: TBD
   name: serviceUserDefined
   dataType: boolean
   status: current
   description: Specifies whether or not permission is granted to
         specify a user-defined control code.

7.402.  sharedresourceauditedpermissions

   elementId: TBD
   name: sharedresourceauditedpermissions
   dataType: list
   structure: list (netname, trusteeSid,
         standardDelete, standardReadControl, standardWriteDac,
         standardWriteOwner, standardSynchronize,
         accessSystemSecurity, genericRead, genericWrite,
         genericExecute, genericAll)
   status: current
   description: Stores the audited access rights of a shared
         resource that a system access control list (SACL)
         structure grants to a specified trustee.  The trustee's
         audited access rights are determined by checking all
         access control entries (ACEs) in the SACL.

7.403.  netname

   elementId: TBD
   name: netname
   dataType: string
   status: current
   description: Specifies the name associated with a particular
         shared resource.

7.404.  sharedresourceeffectiverights

   elementId: TBD
   name: sharedresourceeffectiverights
   dataType: list
   structure: list (netname, trusteeSid,
         standardDelete, standardReadControl, standardWriteDac,
         standardWriteOwner, standardSynchronize,
         accessSystemSecurity, genericRead, genericWrite,
         genericExecute, genericAll)
   status: current
   description: Stores the effective rights of a shared resource
         that a discretionary access control list (DACL) structure
         grants to a specified trustee.  The trustee's effective
         rights are determined by checking all access-allowed and
         access-denied access control entries (ACEs) in the DACL.
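   The determination described for serviceeffectiverights and
   sharedresourceeffectiverights, walking a DACL's access-allowed and
   access-denied ACEs for one trustee, is worked through in the following
   Python.  It is an added example, not text or code from this draft.
   The ACE model, the mapping of the boolean fields to Windows access-mask
   constants, and the sample SIDs and service name are assumptions of the
   example; it emits the serviceeffectiverights field list, but the same
   walk produces the sharedresourceeffectiverights fields.

```python
"""Effective rights of a trustee under a DACL, as described for the
serviceeffectiverights and sharedresourceeffectiverights elements.

Added example, not part of the SACM draft.  The DACL is an ordered list
of ACEs.  An ACE applies when its SID is the trustee or one of the
trustee's groups; a deny ACE blocks the bits it names that no earlier
ACE granted; an allow ACE grants the bits it names that no earlier ACE
denied.  Mask values are the Windows SDK constants (winnt.h/winsvc.h);
generic rights are treated as plain bits, GENERIC_MAPPING is omitted.
"""
from dataclasses import dataclass
from functools import reduce
from operator import or_
from typing import Dict, FrozenSet, List, Optional

# Field order follows the structure of serviceeffectiverights.
SERVICE_RIGHT_BITS: Dict[str, int] = {
    "standardDelete": 0x00010000,       # DELETE
    "standardReadControl": 0x00020000,  # READ_CONTROL
    "standardWriteDac": 0x00040000,     # WRITE_DAC
    "standardWriteOwner": 0x00080000,   # WRITE_OWNER
    "genericRead": 0x80000000,          # GENERIC_READ
    "genericWrite": 0x40000000,         # GENERIC_WRITE
    "genericExecute": 0x20000000,       # GENERIC_EXECUTE
    "serviceQueryConf": 0x0001,         # SERVICE_QUERY_CONFIG
    "serviceChangeConf": 0x0002,        # SERVICE_CHANGE_CONFIG
    "serviceQueryStat": 0x0004,         # SERVICE_QUERY_STATUS
    "serviceEnumDependents": 0x0008,    # SERVICE_ENUMERATE_DEPENDENTS
    "serviceStart": 0x0010,             # SERVICE_START
    "serviceStop": 0x0020,              # SERVICE_STOP
    "servicePause": 0x0040,             # SERVICE_PAUSE_CONTINUE
    "serviceInterrogate": 0x0080,       # SERVICE_INTERROGATE
    "serviceUserDefined": 0x0100,       # SERVICE_USER_DEFINED_CONTROL
}


def bits(*names: str) -> int:
    """OR together the mask bits of the named rights."""
    return reduce(or_, (SERVICE_RIGHT_BITS[n] for n in names), 0)


ALL_SERVICE_BITS = bits(*SERVICE_RIGHT_BITS)


@dataclass(frozen=True)
class Ace:
    """One access control entry; kind is 'allow' or 'deny'."""
    kind: str
    sid: str
    mask: int


def effective_mask(dacl: Optional[List[Ace]], trustee_sid: str,
                   group_sids: FrozenSet[str] = frozenset(),
                   full_mask: int = ALL_SERVICE_BITS) -> int:
    """Walk the DACL in order; a NULL DACL grants all, an empty one none."""
    if dacl is None:
        return full_mask
    principals = {trustee_sid} | set(group_sids)
    granted = 0
    denied = 0
    for ace in dacl:
        if ace.sid not in principals:
            continue  # ACE is for some other trustee
        if ace.kind == "deny":
            denied |= ace.mask & ~granted   # cannot revoke an earlier grant
        elif ace.kind == "allow":
            granted |= ace.mask & ~denied   # cannot override an earlier deny
        else:
            raise ValueError(f"unknown ACE kind: {ace.kind!r}")
    return granted


def service_effective_rights(service_name: str, dacl: Optional[List[Ace]],
                             trustee_sid: str,
                             group_sids: FrozenSet[str] = frozenset()
                             ) -> Dict[str, object]:
    """Build one serviceeffectiverights record for the given trustee."""
    mask = effective_mask(dacl, trustee_sid, group_sids)
    record: Dict[str, object] = {"serviceName": service_name,
                                 "trusteeSid": trustee_sid}
    for field_name, bit in SERVICE_RIGHT_BITS.items():
        record[field_name] = bool(mask & bit)
    return record


# Constructed sample DACL for a hypothetical service.  Administrators
# (S-1-5-32-544) and Authenticated Users (S-1-5-11) are the Windows
# well-known SIDs; USER_SID is made up for this example.
USER_SID = "S-1-5-21-1000-2000-3000-1104"
SAMPLE_DACL: List[Ace] = [
    # Canonical order: access-denied ACEs come before access-allowed ones.
    Ace("deny", USER_SID, bits("serviceStart", "serviceStop")),
    Ace("allow", "S-1-5-32-544", ALL_SERVICE_BITS),
    Ace("allow", "S-1-5-11", bits("standardReadControl", "serviceQueryConf",
                                  "serviceQueryStat", "serviceEnumDependents",
                                  "serviceInterrogate", "serviceUserDefined",
                                  "serviceStart")),
]
```

   Calling service_effective_rights("ExampleSvc", SAMPLE_DACL, USER_SID,
   frozenset({"S-1-5-11"})) yields serviceStart and serviceStop false even
   though Authenticated Users are allowed serviceStart, because the
   access-denied ACE for the user is evaluated first; the same trustee is
   granted serviceQueryConf and standardReadControl through its group.  A
   collector producing this Information Element should also decide how it
   reports a NULL DACL, which grants every right to every trustee.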

7.405.  user

   elementId: TBD
   name: user
   dataType: list
   structure: list (username, enabled, group, lastLogon)
   status: current
   description: Specifies the groups to which a user belongs.

7.406.  enabled

   elementId: TBD
   name: enabled
   dataType: boolean
   status: current
   description: Represents whether the
         particular user is enabled or not.

7.407.  lastLogon

   elementId: TBD
   name: lastLogon
   dataType: integer
   status: current
   description: The date and time when the last logon occurred.

7.408.  groupSid

   elementId: TBD
   name: groupSid
   dataType: string
   status: current
   description: Represents the SID of a particular group.  If the
         specified user belongs to more than one group, then
         multiple groupSid elements are applicable.  If the
         specified user is not a member of a single group, then a
         single groupSid element should be included with a status
         of 'does not exist'.  If there is an error determining the
         groups that the user belongs to, then a single groupSid
         element should be included with a status of 'error'.

8.  Acknowledgements

   Many of the specifications in this document have been developed in a
   public-private partnership with vendors and end-users.  The hard work
   of the SCAP community is appreciated in advancing these efforts to
   their current level of adoption.

   Over the course of developing the initial draft, Brant Cheikes, Matt
   Hansbury, Daniel Haynes, Scott Pope, Charles Schmidt, and Steve
   Venema have contributed text to many sections of this document.

9.  IANA Considerations

   This document specifies an initial set of Information Elements for
   SACM in Section 7.  An Internet Assigned Numbers Authority (IANA)
   registry will be created and populated with the Information Elements
   in Section 7.  New assignments for SACM Information Elements will be
   administered by IANA through Expert Review [RFC2434].  The designated
   experts MUST check the requested Information Elements for
   completeness and accuracy of the submission with respect to the
   template and requirements expressed in Section 4 and Section 4.1.
   Requests for Information Elements that duplicate the functionality of
   existing Information Elements SHOULD be declined.  The smallest
   available Information Element identifier SHOULD be assigned to a new
   Information Element.  The definition of new Information Elements MUST
   be published using a well-established and persistent publication
   medium.

10.  Security Considerations

   Posture Assessments need to be performed in a safe and secure manner.
   In that regard, there are multiple aspects of security that apply to
   the communications between components as well as the capabilities
   themselves.  This information model only contains an initial listing
   of items that need to be considered with respect to security and will
   need to be augmented as the model continues to be developed.

   Security considerations include:

   Authentication:  Every SACM Component and asset needs to be able to
           identify itself and verify the identity of other SACM
           Components and assets.

   Confidentiality:  Communications between SACM Components need to be
           protected from eavesdropping or unauthorized collection.
           Some communications between SACM Components and assets may
           need to be protected as well.

   Integrity:  The information exchanged between SACM Components needs
           to be protected from modification.  Some exchanges between
           assets and SACM Components will also have this requirement.

   Restricted Access:  Access to the information collected, evaluated,
           reported, and stored should only be viewable and consumable
           by authenticated and authorized entities.

   Considerations with respect to operational aspects of collection,
   evaluation, and storage of security automation information can be
   found in Section 11.

   Considerations concerning the privacy of security automation
   information can be found in Section 12.

11.  Operational Considerations

   The following sections outline a series of operational considerations
   for SACM deployments within an organization.  This section may be
   expanded to include other considerations as the WG gains additional
   operational experience with SACM deployments and extending the
   information model.

11.1.  Endpoint Designation

   In order to successfully carry out endpoint posture assessment, it is
   necessary to be able to identify the endpoints on a network and track
   the changes to them over time.  Specifically, enabling SACM
   Components to:

   o  Tell whether two endpoint attribute assertions concern the same
      endpoint

   o  Respond to compliance measurements, for example by reporting,
      remediating, and quarantining (SACM does not specify these
      responses, but SACM exists to enable them).

   Ideally, every endpoint would be identified by a unique identifier
   present on the endpoint, but this is complicated due to different
   factors such as the variety of endpoints on a network, the ability of
   tools to reliably access such an identifier, and the ability of tools
   to correlate disparate identifiers.  As a result, it is necessary for
   an endpoint to be identified by a set of attributes that uniquely
   identify it on a network.  The set of attributes that uniquely
   identify an endpoint on a network will likely vary by organization;
   however, there are a number of properties to consider when selecting
   identifying attributes as some are better suited for identification
   purposes than others.

   Multiplicity:  Is the attribute typically associated with a single
           endpoint or with multiple endpoints?  If the attribute is
           associated with a single endpoint, it is better for
           identifying an endpoint on a network.

   Persistence:  How likely is the attribute to change?  Does it never
           change?  Does it only change when the endpoint is
           reprovisioned?  Does it only change due to an event?  Does it
           change on an ad-hoc and often unpredictable basis?  Does it
           constantly change?  The less likely it is for an endpoint
           attribute to change over time, the better it is for
           identifying an endpoint on a network.

   Immutability:  How difficult is it to change the attribute?  Is the
           attribute hardware rooted and never changes?  Can the
           attribute be changed by a user/process with appropriate
           access?  Can the attribute be changed without controlled
           access?  The less likely an attribute is to change over time,
           the better chance it will be usable to identify an endpoint
           over time.

   Verifiable:  Can the attribute be corroborated?  Can the attribute be
           externally verified with source authentication?  Can the
           attribute be externally verified without source
           authentication?  Is it impossible to externally verify the
           attribute?  Attributes that can be externally verified are
           more likely to be accurate and are better for identifying
           endpoints on a network.

   With that said, requiring SACM Components and end users to constantly
   refer to a set of attributes to identify an endpoint is particularly
   burdensome.  As a result, SACM supports the concept of a target
   endpoint label which associates an identifier (unique to the SACM
   domain) with the set of attributes used by an organization to
   identify endpoints on a network.  Once defined for an endpoint, the
   target endpoint label can be used in place of the set of identifying
   attributes.
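   The following Python, an added example rather than text or code from
   this draft, shows one way a SACM Component could implement the
   endpoint designation just described: it ranks identifying attributes
   by the properties above, decides whether two attribute assertions
   concern the same endpoint, and mints a target endpoint label that is
   unique within the SACM domain.  The attribute names (hwSerial,
   tpmEkHash, macAddress, ipAddress), the domain name, the label format
   and the sample assertions are assumptions of the example.

```python
"""Target endpoint labels for SACM endpoint designation (Section 11.1).

Added example, not part of the SACM draft.  Every attribute assertion
that reaches this component is matched against the endpoints designated
so far; a match reuses that endpoint's target endpoint label, anything
else gets a fresh label unique within the SACM domain.  Attributes are
ranked by the draft's properties: a hardware serial number or TPM
endorsement-key hash is single-endpoint, persistent, hardware rooted and
verifiable, so it links assertions on its own; a MAC address can be
changed by software, so it only links an assertion that carries no
hardware-rooted attribute at all.  Names and formats are assumptions.
"""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

STRONG_ATTRS = ("hwSerial", "tpmEkHash")  # hardware rooted, verifiable
WEAK_ATTRS = ("macAddress",)              # single endpoint, but mutable


@dataclass
class Endpoint:
    label: str
    attrs: Dict[str, Set[str]] = field(default_factory=dict)

    def record(self, assertion: Dict[str, str]) -> None:
        """Keep every value ever asserted, so history (old MACs) survives."""
        for name, value in assertion.items():
            self.attrs.setdefault(name, set()).add(value)


class EndpointRegistry:
    """Maps identifying attribute values to target endpoint labels."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self._seq = itertools.count(1)
        self.endpoints: Dict[str, Endpoint] = {}
        self._index: Dict[Tuple[str, str], str] = {}  # (attr, value) -> label

    def _labels_for(self, assertion: Dict[str, str],
                    names: Iterable[str]) -> Set[str]:
        return {self._index[(n, assertion[n])] for n in names
                if n in assertion and (n, assertion[n]) in self._index}

    def designate(self, assertion: Dict[str, str]) -> str:
        """Return the target endpoint label for an assertion, minting if needed."""
        strong = self._labels_for(assertion, STRONG_ATTRS)
        if len(strong) > 1:
            raise ValueError("assertion joins distinct endpoints "
                             f"{sorted(strong)} via hardware-rooted attributes")
        weak = self._labels_for(assertion, WEAK_ATTRS)
        carries_strong = any(n in assertion for n in STRONG_ATTRS)
        if strong:
            label = strong.pop()
        elif len(weak) == 1 and not carries_strong:
            # Network-only observation (e.g. from a switch): trust the MAC.
            label = weak.pop()
        else:
            # Unknown hardware, or a MAC now seen on other hardware: this is
            # a different endpoint, so mint a new label.
            label = f"{self.domain}:tel-{next(self._seq):04d}"
            self.endpoints[label] = Endpoint(label)
        self.endpoints[label].record(assertion)
        for n in STRONG_ATTRS + WEAK_ATTRS:
            if n in assertion:
                # A weak value re-points to its latest holder; a strong value
                # is only ever indexed once, so nothing is overwritten there.
                self._index[(n, assertion[n])] = label
        return label

    def same_endpoint(self, a: Dict[str, str], b: Dict[str, str]) -> bool:
        """Do two attribute assertions concern the same endpoint?"""
        return self.designate(a) == self.designate(b)


# Constructed assertions, as different collectors might report them.
ON_ENDPOINT = {"hwSerial": "SN-EXAMPLE-0001", "tpmEkHash": "ek-hash-aaaa",
               "macAddress": "00:11:22:33:44:55", "ipAddress": "10.0.0.5"}
FROM_SWITCH = {"macAddress": "00:11:22:33:44:55", "ipAddress": "10.0.0.7"}
AFTER_NIC_SWAP = {"hwSerial": "SN-EXAMPLE-0001",
                  "macAddress": "66:77:88:99:AA:BB"}
OTHER_HARDWARE = {"hwSerial": "SN-EXAMPLE-0002", "tpmEkHash": "ek-hash-bbbb",
                  "macAddress": "00:11:22:33:44:55"}
```

   Feeding the four constructed assertions to an EndpointRegistry in
   order gives the first three the same label (the switch observation is
   linked by MAC, the post-swap report by serial number), while the
   fourth, which reuses the original MAC on different hardware, receives
   a second label; from then on a bare MAC observation resolves to the
   newer endpoint, which is the multiplicity caveat of the draft made
   concrete.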

11.2.  Timestamp Accuracy

   An organization will likely have different collectors deployed across
   the network that will be configured to collect posture attributes on
   varying frequencies (periodic, ad-hoc, event-driven, on endpoint, off
   endpoint, etc.).  Some collectors will detect changes as soon as they
   occur whereas others will detect them at a later point during a
   periodic scan or when an event has triggered the collection of
   posture attributes.  Furthermore, some changes will be detected on
   the endpoint and others will be observed off of the endpoint.  As a
   result of these differences, the accuracy of the timestamp associated
   with the collected information will vary.  For example, if a
   collector is only running once every 12 hours, the change probably
   happened at some point in time prior to the scan and the timestamp is
   likely not accurate.  Due to this, it is important for system
   administrators to determine if the accuracy of a timestamp is good
   enough for their intended purposes.
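   The timestamp uncertainty described above can be made explicit.  The
   following Python, an added example that is not part of this draft,
   bounds the time of each detected change from a constructed series of
   observations: an event-driven observation pins the change to its own
   timestamp, a periodic one only shows that the change happened since
   the previous observation, and the resulting window can be compared
   against the accuracy a purpose requires.  The attribute values, the
   collector modes and the 12-hour schedule are constructed for the
   example.

```python
"""Timestamp accuracy of collected posture attributes (Section 11.2).

Added example, not part of the SACM draft.  Given the observations a
collector recorded for one attribute, bound when each change actually
happened: an event-driven observation pins the change to its timestamp,
while a periodic observation only shows that the change happened after
the previous observation.  An operator can then ask whether the window
is narrow enough for the intended purpose.  Values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, NamedTuple


@dataclass(frozen=True)
class Observation:
    observed_at: datetime   # time the collector recorded the value
    value: str
    mode: str               # "event" (seen as it happens) or "periodic"


class ChangeWindow(NamedTuple):
    earliest: datetime      # the change cannot have happened before this
    latest: datetime        # nor after this
    old: str
    new: str

    @property
    def uncertainty(self) -> timedelta:
        return self.latest - self.earliest

    def accurate_enough(self, tolerance: timedelta) -> bool:
        """Is the window tight enough for a purpose tolerating this slack?"""
        return self.uncertainty <= tolerance


def change_windows(observations: List[Observation]) -> List[ChangeWindow]:
    """Bound each value change in an observation series for one attribute."""
    ordered = sorted(observations, key=lambda o: o.observed_at)
    windows: List[ChangeWindow] = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.value == prev.value:
            continue  # no change between these two observations
        if cur.mode == "event":
            earliest = cur.observed_at
        else:
            # A periodic scan only proves the change happened since the
            # last observation; its timestamp is the scan time, not the
            # time of change.
            earliest = prev.observed_at
        windows.append(ChangeWindow(earliest, cur.observed_at,
                                    prev.value, cur.value))
    return windows


# Constructed series for one attribute: a 12-hourly scan plus one
# event-driven collector report in between two scans.
SAMPLE_OBSERVATIONS = [
    Observation(datetime(2016, 9, 1, 0, 0), "1001", "periodic"),
    Observation(datetime(2016, 9, 1, 12, 0), "1001", "periodic"),
    Observation(datetime(2016, 9, 2, 0, 0), "1002", "periodic"),
    Observation(datetime(2016, 9, 2, 5, 30), "1003", "event"),
    Observation(datetime(2016, 9, 2, 12, 0), "1003", "periodic"),
]
```

   For the constructed series, change_windows reports two changes: the
   first, found by the periodic scan, may have happened anywhere in the
   preceding 12 hours, while the second, reported by the event-driven
   collector, carries no uncertainty.  An evaluator that needs to know
   whether a change preceded a specific incident can reject the first
   window with accurate_enough and accept the second.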

12.  Privacy Considerations

   In the IETF, there are privacy concerns with respect to endpoint
   identity and monitoring.  This is especially true when the activity
   on an endpoint can be linked to a particular person.  For example, by
   correlating endpoint attributes such as usernames, certificates, etc.
   with browser activity, it may be possible to gain insight into user
   behavior and trends beyond what is required to carry out endpoint
   posture assessments.  In the hands of the wrong person, this
   information could be used to negatively influence a user's behavior
   or to plan attacks against the organization's infrastructure.

   As a result, SACM data models should incorporate a mechanism by which
   an organization can designate which endpoint attributes are
   considered sensitive with respect to privacy.  This will allow SACM
   Components to handle endpoint attributes in a manner consistent with
   the organization's privacy policies.  Furthermore, organizations
   should put the proper mechanisms in place to ensure endpoint
   attributes are protected when transmitted, stored, and accessed so
   that only authorized parties are granted access.

   It should also be noted that some of this is often mitigated by
   organizational policies that require a user of an organization's
   network to consent to some level of monitoring in return for access
   to the network and other resources.  The information that is
   monitored and collected will vary by organization and further
   highlights the need for a mechanism by which an organization can
   specify what constitutes privacy sensitive information for them.

13.  References

13.1.  Normative References

   [PEN]      Internet Assigned Numbers Authority, "Private Enterprise
              Numbers", July 2016, <https://www.iana.org/assignments/
              enterprise-numbers/enterprise-numbers>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <http://www.rfc-editor.org/info/rfc5280>.

13.2.  Informative References

   [I-D.ietf-sacm-architecture]
              Cam-Winget, N., Ford, B., Lorenzin, L., McDonald, I., and
              l. loxx@cisco.com, "Secure Automation and Continuous
              Monitoring (SACM) Architecture", draft-ietf-sacm-
              architecture-00 (work in progress), October 2014.

   [I-D.ietf-sacm-requirements]
              Cam-Winget, N. and L. Lorenzin, "Secure Automation and
              Continuous Monitoring (SACM) Requirements", draft-ietf-
              sacm-requirements-01 (work in progress), October 2014.

   [I-D.ietf-sacm-terminology]
              Waltermire, D., Montville, A., Harrington, D., and N. Cam-
              Winget, "Terminology for Security Assessment", draft-ietf-
              sacm-terminology-05 (work in progress), August 2014.

   [RFC2434]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 2434,
              DOI 10.17487/RFC2434, October 1998,
              <http://www.rfc-editor.org/info/rfc2434>.

   [RFC3580]  Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
              "IEEE 802.1X Remote Authentication Dial In User Service
              (RADIUS) Usage Guidelines", RFC 3580,
              DOI 10.17487/RFC3580, September 2003,
              <http://www.rfc-editor.org/info/rfc3580>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <http://www.rfc-editor.org/info/rfc4949>.

   [RFC5201]  Moskowitz, R., Nikander, P., Jokela, P., Ed., and T.
              Henderson, "Host Identity Protocol", RFC 5201,
              DOI 10.17487/RFC5201, April 2008,
              <http://www.rfc-editor.org/info/rfc5201>.

   [RFC5209]  Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J.
              Tardo, "Network Endpoint Assessment (NEA): Overview and
              Requirements", RFC 5209, DOI 10.17487/RFC5209, June 2008,
              <http://www.rfc-editor.org/info/rfc5209>.

   [RFC5793]  Sahita, R., Hanna, S., Hurst, R., and K. Narayan, "PB-TNC:
              A Posture Broker (PB) Protocol Compatible with Trusted
              Network Connect (TNC)", RFC 5793, DOI 10.17487/RFC5793,
              March 2010, <http://www.rfc-editor.org/info/rfc5793>.

   [RFC7012]  Claise, B., Ed. and B. Trammell, Ed., "Information Model
              for IP Flow Information Export (IPFIX)", RFC 7012,
              DOI 10.17487/RFC7012, September 2013,
              <http://www.rfc-editor.org/info/rfc7012>.

   [RFC7632]  Waltermire, D. and D. Harrington, "Endpoint Security
              Posture Assessment: Enterprise Use Cases", RFC 7632,
              DOI 10.17487/RFC7632, September 2015,
              <http://www.rfc-editor.org/info/rfc7632>.

   [TNC-IF-MAP-NETSEC-METADATA]
              Trusted Computing Group, "TNC IF-MAP Metadata for Network
              Security, Specification Version 1.1", May 2012.

   [TNC-IF-MAP-SOAP-Binding]
              Trusted Computing Group, "TNC IF-MAP Binding for SOAP,
              Specification Version 2.2", March 2014.

Appendix A.  Change Log

A.1.  Changes in Revision 01

   Added some proposed normative text.

   For provenance:

      Added a class "Method"

      Added the produced-using relationship between an AVP and a method

      Added the produced-by relationship between a Guidance and a SACM
      Component

      Added the hosted-by relationship between a SACM Component and an
      Endpoint

   asserted-by and summarized-by have been renamed to produced-by.

   "User" is now "Account".  If a user has different credentials, SACM
   cannot know that they belong to the same user.  But, per Kim W, many
   organizations do have accounts that associate credentials.

   The multiplicity of the based-on relationships has been corrected.

   More relationships now have labels, per UML convention.

   The diagram no longer has causal arrows.  They had become redundant,
   were nonstandard, and cluttered the diagram.

   Renamed "credential" to "identity", following industry usage.  A
   credential includes proof, such as a key or password.  A username or
   a distinguished name is called an "identity".

   Removed Session, because an endpoint's network activity is not SACM's
   initial focus.

   Removed Authorization, for the same reason.

   Added a many-to-many relationship between Hardware Component and
   Endpoint, for clarity.

   Added a many-to-many relationship between Software Component and
   Endpoint, for clarity.

   Added a "contains" relationship between Network Interface and Network
   Interface.

   Removed the relationship between Network Interface and Account.  The
   endpoint knows the identity it used to gain network access.  The PDP
   also knows that.  But they probably do not know the account.

   Added relationship between Network Interface and Identity.  The
   endpoint and the PDP will typically know the identity.

   Made identity-to-account a many-to-one relationship.

A.2.  Changes in Revision 02

   Added Section Identifying Attributes.

   Split the figure into Figure Model of Endpoint and Figure Information
   Elements.

   Added Figure Information Elements Take 2, proposing a triple-store
   model.

   Some editorial cleanup.

A.3.  Changes in Revision 03

   Moved Appendix A.1, Appendix A.2, and Mapping to SACM Use Cases into
   the Appendix.  Added a reference to it in Section 1.

   Added Section 4.  Provided notes on the type of information we need
   to add in this section.

   Added Section 6.  Moved the sections on Endpoint, Hardware Component,
   Software Component, Hardware Instance, and Software Instance there.
   Provided notes on the type of information we need to add in this
   section.

   Removed the Provenance of Information Section.  SACM is not going to
   solve provenance; rather, it will give organizations enough
   information to figure it out.

   Updated references to the Endpoint Security Posture Assessment:
   Enterprise Use Cases document to reflect that it was published as an
   RFC.

   Fixed the formatting of a few figures.

   Included references to [RFC3580] where RADIUS is mentioned.

A.4.  Changes in Revision 04

   Integrated the IPFIX [RFC7012] syntax into Section 4.

   Converted many of the existing SACM Information Elements to the IPFIX
   syntax.

   Included existing IPFIX Information Elements and datatypes that could
   likely be reused for SACM in Section 7 and Section 4 respectively.

   Removed the sections related to reports as described in
   https://github.com/sacmwg/draft-ietf-sacm-information-model/
   issues/30.

   Cleaned up other text throughout the document.

A.5.  Changes in Revision 05

   Merged proposed changes from the I-D IM into the WG IM
   (https://github.com/sacmwg/draft-ietf-sacm-information-model/
   issues/41).

   Fixed some formatting warnings.

   Removed a duplicate IE and added a few IE datatypes that were
   missing.

A.6.  Changes in Revision 06

   Clarified that the SACM statement and content-element subjects are
   conceptual and that they do not need to be explicitly defined in a
   data model as long as the necessary information is provided.

   Updated the IPFIX syntax used to define Information Elements.  There
   are still a couple of open issues that need to be resolved.

   Updated some of the Information Elements contained in Section 7 to
   use the revised IPFIX syntax.  The rest of the Information Elements
   will be converted in a later revision.

   Performed various clean-up and refactoring in Sections 6 and 7.
   Still need to go through Section 8.

   Removed appendices that were not referenced in the body of the draft.
   The text from them is still available in previous revisions of this
   document if needed.

A.7.  Changes in Revision 07

   Made various changes to the IPFIX syntax based on discussions at the
   IETF 96 Meeting.  Changes included the addition of a structure
   property to the IE specification template, the creation of an
   enumeration datatype, and the specification of an IE naming
   convention.

   Provided text to define Collection Guidance, Evaluation Guidance,
   Classification Guidance, Storage Guidance, and Evaluation Results.

   Included additional IEs related to software, configuration, and the
   vulnerability assessment scenario.

   Added text for the IANA considerations, security considerations,
   operational considerations, and privacy considerations sections.

   Performed various other editorial changes and clean-up.

Authors' Addresses

   David Waltermire (editor)
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland  20877
   USA

   Email: david.waltermire@nist.gov

   Kim Watson
   United States Department of Homeland Security
   DHS/CS&C/FNR
   245 Murray Ln. SW, Bldg 410
   MS0613
   Washington, DC  20528
   USA

   Email: kimberly.watson@hq.dhs.gov

   Clifford Kahn
   Pulse Secure, LLC
   2700 Zanker Road, Suite 200
   San Jose, CA  95134
   USA

   Email: cliffordk@pulsesecure.net

   Lisa Lorenzin
   Pulse Secure, LLC
   2700 Zanker Road, Suite 200
   San Jose, CA  95134
   USA

   Email: llorenzin@pulsesecure.net

   Michael Cokus
   The MITRE Corporation
   903 Enterprise Parkway, Suite 200
   Hampton, VA  23666
   USA

   Email: msc@mitre.org

   Daniel Haynes
   The MITRE Corporation
   202 Burlington Road
   Bedford, MA  01730
   USA

   Email: dhaynes@mitre.org

   Henk Birkholz
   Fraunhofer SIT
   Rheinstrasse 75
   Darmstadt  64295
   Germany

   Email: henk.birkholz@sit.fraunhofer.de