draft-ietf-sacm-information-model-09.txt   draft-ietf-sacm-information-model-10.txt 
SACM D. Waltermire, Ed. SACM D. Waltermire, Ed.
Internet-Draft NIST Internet-Draft NIST
Intended status: Standards Track K. Watson Intended status: Standards Track K. Watson
Expires: September 14, 2017 DHS Expires: October 29, 2017 DHS
C. Kahn C. Kahn
L. Lorenzin L. Lorenzin
Pulse Secure, LLC Pulse Secure, LLC
M. Cokus M. Cokus
D. Haynes D. Haynes
The MITRE Corporation The MITRE Corporation
H. Birkholz H. Birkholz
Fraunhofer SIT Fraunhofer SIT
March 13, 2017 April 27, 2017
SACM Information Model SACM Information Model
draft-ietf-sacm-information-model-09 draft-ietf-sacm-information-model-10
Abstract Abstract
This document defines the Information Elements that are transported This document defines the Information Elements that are transported
between SACM components and their interconnected relationships. The between SACM components and their interconnected relationships. The
primary purpose of the Secure Automation and Continuous Monitoring primary purpose of the Secure Automation and Continuous Monitoring
(SACM) Information Model is to ensure the interoperability of (SACM) Information Model is to ensure the interoperability of
corresponding SACM data models and addresses the use cases defined by corresponding SACM data models and addresses the use cases defined by
SACM. The Information Elements and corresponding types are SACM. The Information Elements and corresponding types are
maintained as the IANA "SACM Information Elements" registry. maintained as the IANA "SACM Information Elements" registry.
skipping to change at page 1, line 45 skipping to change at page 1, line 45
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 14, 2017. This Internet-Draft will expire on October 29, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 27 skipping to change at page 2, line 27
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 12
2. Conventions used in this document . . . . . . . . . . . . . . 13 2. Conventions used in this document . . . . . . . . . . . . . . 13
2.1. Requirements Language . . . . . . . . . . . . . . . . . . 13 2.1. Requirements Language . . . . . . . . . . . . . . . . . . 13
2.2. Information Element Examples . . . . . . . . . . . . . . 13 2.2. Information Element Examples . . . . . . . . . . . . . . 13
3. Information Elements . . . . . . . . . . . . . . . . . . . . 13 3. Information Elements . . . . . . . . . . . . . . . . . . . . 13
3.1. Context of Information Elements . . . . . . . . . . . . . 13 3.1. Context of Information Elements . . . . . . . . . . . . . 14
3.2. Extensibility of Information Elements . . . . . . . . . . 14 3.2. Extensibility of Information Elements . . . . . . . . . . 14
4. Structure of Information Elements . . . . . . . . . . . . . . 14 4. Structure of Information Elements . . . . . . . . . . . . . . 14
4.1. Information Element Naming Convention . . . . . . . . . . 17 4.1. Information Element Naming Convention . . . . . . . . . . 17
4.2. SACM Content Elements . . . . . . . . . . . . . . . . . . 17 4.2. SACM Content Elements . . . . . . . . . . . . . . . . . . 18
4.3. SACM Statements . . . . . . . . . . . . . . . . . . . . . 18 4.3. SACM Statements . . . . . . . . . . . . . . . . . . . . . 18
4.4. Relationships . . . . . . . . . . . . . . . . . . . . . . 20 4.4. Relationships . . . . . . . . . . . . . . . . . . . . . . 20
4.5. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 22 4.5. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.6. Categories . . . . . . . . . . . . . . . . . . . . . . . 23 4.6. Categories . . . . . . . . . . . . . . . . . . . . . . . 23
5. Abstract Data Types . . . . . . . . . . . . . . . . . . . . . 23 5. Abstract Data Types . . . . . . . . . . . . . . . . . . . . . 23
5.1. Simple Datatypes . . . . . . . . . . . . . . . . . . . . 23 5.1. Simple Datatypes . . . . . . . . . . . . . . . . . . . . 23
5.1.1. IPFIX Datatypes . . . . . . . . . . . . . . . . . . . 23 5.1.1. IPFIX Datatypes . . . . . . . . . . . . . . . . . . . 23
5.2. Structured Datatypes . . . . . . . . . . . . . . . . . . 24 5.2. Structured Datatypes . . . . . . . . . . . . . . . . . . 24
5.2.1. List Datatypes . . . . . . . . . . . . . . . . . . . 24 5.2.1. List Datatypes . . . . . . . . . . . . . . . . . . . 24
5.2.2. Enumeration Datatype . . . . . . . . . . . . . . . . 25 5.2.2. Enumeration Datatype . . . . . . . . . . . . . . . . 25
skipping to change at page 5, line 29 skipping to change at page 5, line 29
7.108. softwareIdentifier . . . . . . . . . . . . . . . . . . . 55 7.108. softwareIdentifier . . . . . . . . . . . . . . . . . . . 55
7.109. softwareTitle . . . . . . . . . . . . . . . . . . . . . 55 7.109. softwareTitle . . . . . . . . . . . . . . . . . . . . . 55
7.110. softwareCreator . . . . . . . . . . . . . . . . . . . . 56 7.110. softwareCreator . . . . . . . . . . . . . . . . . . . . 56
7.111. simpleSoftwareVersion . . . . . . . . . . . . . . . . . 56 7.111. simpleSoftwareVersion . . . . . . . . . . . . . . . . . 56
7.112. rpmSoftwareVersion . . . . . . . . . . . . . . . . . . . 56 7.112. rpmSoftwareVersion . . . . . . . . . . . . . . . . . . . 56
7.113. ciscoTrainSoftwareVersion . . . . . . . . . . . . . . . 56 7.113. ciscoTrainSoftwareVersion . . . . . . . . . . . . . . . 56
7.114. softwareVersion . . . . . . . . . . . . . . . . . . . . 56 7.114. softwareVersion . . . . . . . . . . . . . . . . . . . . 56
7.115. softwareLastUpdated . . . . . . . . . . . . . . . . . . 57 7.115. softwareLastUpdated . . . . . . . . . . . . . . . . . . 57
7.116. softwareClass . . . . . . . . . . . . . . . . . . . . . 57 7.116. softwareClass . . . . . . . . . . . . . . . . . . . . . 57
7.117. softwareInstance . . . . . . . . . . . . . . . . . . . . 58 7.117. softwareInstance . . . . . . . . . . . . . . . . . . . . 58
7.118. globallyUniqueIdentifier . . . . . . . . . . . . . . . . 58 7.118. globallyUniqueIdentifier . . . . . . . . . . . . . . . . 59
7.119. creationTimestamp . . . . . . . . . . . . . . . . . . . 58 7.119. creationTimestamp . . . . . . . . . . . . . . . . . . . 59
7.120. collectionTimestamp . . . . . . . . . . . . . . . . . . 58 7.120. collectionTimestamp . . . . . . . . . . . . . . . . . . 59
7.121. publicationTimestamp . . . . . . . . . . . . . . . . . . 58 7.121. publicationTimestamp . . . . . . . . . . . . . . . . . . 59
7.122. relayTimestamp . . . . . . . . . . . . . . . . . . . . . 59 7.122. relayTimestamp . . . . . . . . . . . . . . . . . . . . . 59
7.123. storageTimestamp . . . . . . . . . . . . . . . . . . . . 59 7.123. storageTimestamp . . . . . . . . . . . . . . . . . . . . 60
7.124. type . . . . . . . . . . . . . . . . . . . . . . . . . . 59 7.124. type . . . . . . . . . . . . . . . . . . . . . . . . . . 60
7.125. protocolIdentifier . . . . . . . . . . . . . . . . . . . 59 7.125. protocolIdentifier . . . . . . . . . . . . . . . . . . . 60
7.126. sourceTransportPort . . . . . . . . . . . . . . . . . . 60 7.126. sourceTransportPort . . . . . . . . . . . . . . . . . . 60
7.127. sourceIPv4PrefixLength . . . . . . . . . . . . . . . . . 60 7.127. sourceIPv4PrefixLength . . . . . . . . . . . . . . . . . 61
7.128. ingressInterface . . . . . . . . . . . . . . . . . . . . 60 7.128. ingressInterface . . . . . . . . . . . . . . . . . . . . 61
7.129. destinationTransportPort . . . . . . . . . . . . . . . . 61 7.129. destinationTransportPort . . . . . . . . . . . . . . . . 61
7.130. sourceIPv6PrefixLength . . . . . . . . . . . . . . . . . 61 7.130. sourceIPv6PrefixLength . . . . . . . . . . . . . . . . . 61
7.131. sourceIPv4Prefix . . . . . . . . . . . . . . . . . . . . 61 7.131. sourceIPv4Prefix . . . . . . . . . . . . . . . . . . . . 62
7.132. destinationIPv4Prefix . . . . . . . . . . . . . . . . . 61 7.132. destinationIPv4Prefix . . . . . . . . . . . . . . . . . 62
7.133. sourceMacAddress . . . . . . . . . . . . . . . . . . . . 62 7.133. sourceMacAddress . . . . . . . . . . . . . . . . . . . . 62
7.134. ipVersion . . . . . . . . . . . . . . . . . . . . . . . 62 7.134. ipVersion . . . . . . . . . . . . . . . . . . . . . . . 62
7.135. interfaceDescription . . . . . . . . . . . . . . . . . . 62 7.135. interfaceDescription . . . . . . . . . . . . . . . . . . 62
7.136. applicationDescription . . . . . . . . . . . . . . . . . 62 7.136. applicationDescription . . . . . . . . . . . . . . . . . 62
7.137. applicationId . . . . . . . . . . . . . . . . . . . . . 62 7.137. applicationId . . . . . . . . . . . . . . . . . . . . . 63
7.138. applicationName . . . . . . . . . . . . . . . . . . . . 63 7.138. applicationName . . . . . . . . . . . . . . . . . . . . 63
7.139. exporterIPv4Address . . . . . . . . . . . . . . . . . . 63 7.139. exporterIPv4Address . . . . . . . . . . . . . . . . . . 63
7.140. exporterIPv6Address . . . . . . . . . . . . . . . . . . 63 7.140. exporterIPv6Address . . . . . . . . . . . . . . . . . . 63
7.141. portId . . . . . . . . . . . . . . . . . . . . . . . . . 63 7.141. portId . . . . . . . . . . . . . . . . . . . . . . . . . 63
7.142. templateId . . . . . . . . . . . . . . . . . . . . . . . 63 7.142. templateId . . . . . . . . . . . . . . . . . . . . . . . 64
7.143. collectorIPv4Address . . . . . . . . . . . . . . . . . . 64 7.143. collectorIPv4Address . . . . . . . . . . . . . . . . . . 64
7.144. collectorIPv6Address . . . . . . . . . . . . . . . . . . 64 7.144. collectorIPv6Address . . . . . . . . . . . . . . . . . . 64
7.145. informationElementIndex . . . . . . . . . . . . . . . . 64 7.145. informationElementIndex . . . . . . . . . . . . . . . . 65
7.146. informationElementId . . . . . . . . . . . . . . . . . . 65 7.146. informationElementId . . . . . . . . . . . . . . . . . . 65
7.147. informationElementDataType . . . . . . . . . . . . . . . 65 7.147. informationElementDataType . . . . . . . . . . . . . . . 65
7.148. informationElementDescription . . . . . . . . . . . . . 65 7.148. informationElementDescription . . . . . . . . . . . . . 65
7.149. informationElementName . . . . . . . . . . . . . . . . . 66 7.149. informationElementName . . . . . . . . . . . . . . . . . 66
7.150. informationElementRangeBegin . . . . . . . . . . . . . . 66 7.150. informationElementRangeBegin . . . . . . . . . . . . . . 66
7.151. informationElementRangeEnd . . . . . . . . . . . . . . . 66 7.151. informationElementRangeEnd . . . . . . . . . . . . . . . 66
7.152. informationElementSemantics . . . . . . . . . . . . . . 67 7.152. informationElementSemantics . . . . . . . . . . . . . . 67
7.153. informationElementUnits . . . . . . . . . . . . . . . . 67 7.153. informationElementUnits . . . . . . . . . . . . . . . . 67
7.154. applicationCategoryName . . . . . . . . . . . . . . . . 68 7.154. applicationCategoryName . . . . . . . . . . . . . . . . 68
7.155. mibObjectValueInteger . . . . . . . . . . . . . . . . . 68 7.155. mibObjectValueInteger . . . . . . . . . . . . . . . . . 68
skipping to change at page 7, line 42 skipping to change at page 7, line 42
7.217. aTime . . . . . . . . . . . . . . . . . . . . . . . . . 86 7.217. aTime . . . . . . . . . . . . . . . . . . . . . . . . . 86
7.218. cTime . . . . . . . . . . . . . . . . . . . . . . . . . 86 7.218. cTime . . . . . . . . . . . . . . . . . . . . . . . . . 86
7.219. mTime . . . . . . . . . . . . . . . . . . . . . . . . . 87 7.219. mTime . . . . . . . . . . . . . . . . . . . . . . . . . 87
7.220. size . . . . . . . . . . . . . . . . . . . . . . . . . . 87 7.220. size . . . . . . . . . . . . . . . . . . . . . . . . . . 87
7.221. suid . . . . . . . . . . . . . . . . . . . . . . . . . . 87 7.221. suid . . . . . . . . . . . . . . . . . . . . . . . . . . 87
7.222. sgid . . . . . . . . . . . . . . . . . . . . . . . . . . 87 7.222. sgid . . . . . . . . . . . . . . . . . . . . . . . . . . 87
7.223. sticky . . . . . . . . . . . . . . . . . . . . . . . . . 87 7.223. sticky . . . . . . . . . . . . . . . . . . . . . . . . . 87
7.224. hasExtendedAcl . . . . . . . . . . . . . . . . . . . . . 88 7.224. hasExtendedAcl . . . . . . . . . . . . . . . . . . . . . 88
7.225. inetd . . . . . . . . . . . . . . . . . . . . . . . . . 88 7.225. inetd . . . . . . . . . . . . . . . . . . . . . . . . . 88
7.226. serverProgram . . . . . . . . . . . . . . . . . . . . . 88 7.226. serverProgram . . . . . . . . . . . . . . . . . . . . . 88
7.227. endpointType . . . . . . . . . . . . . . . . . . . . . . 88 7.227. inetdEndpointType . . . . . . . . . . . . . . . . . . . 88
7.228. execAsUser . . . . . . . . . . . . . . . . . . . . . . . 89 7.228. execAsUser . . . . . . . . . . . . . . . . . . . . . . . 89
7.229. waitStatus . . . . . . . . . . . . . . . . . . . . . . . 89 7.229. waitStatus . . . . . . . . . . . . . . . . . . . . . . . 89
7.230. inetAddr . . . . . . . . . . . . . . . . . . . . . . . . 90 7.230. inetAddr . . . . . . . . . . . . . . . . . . . . . . . . 90
7.231. netmask . . . . . . . . . . . . . . . . . . . . . . . . 90 7.231. netmask . . . . . . . . . . . . . . . . . . . . . . . . 90
7.232. passwordInfo . . . . . . . . . . . . . . . . . . . . . . 90 7.232. passwordInfo . . . . . . . . . . . . . . . . . . . . . . 90
7.233. username . . . . . . . . . . . . . . . . . . . . . . . . 91 7.233. username . . . . . . . . . . . . . . . . . . . . . . . . 91
7.234. password . . . . . . . . . . . . . . . . . . . . . . . . 91 7.234. password . . . . . . . . . . . . . . . . . . . . . . . . 91
7.235. gcos . . . . . . . . . . . . . . . . . . . . . . . . . . 91 7.235. gcos . . . . . . . . . . . . . . . . . . . . . . . . . . 91
7.236. homeDir . . . . . . . . . . . . . . . . . . . . . . . . 91 7.236. homeDir . . . . . . . . . . . . . . . . . . . . . . . . 91
7.237. loginShell . . . . . . . . . . . . . . . . . . . . . . . 91 7.237. loginShell . . . . . . . . . . . . . . . . . . . . . . . 91
skipping to change at page 11, line 31 skipping to change at page 11, line 31
7.398. servicePause . . . . . . . . . . . . . . . . . . . . . . 142 7.398. servicePause . . . . . . . . . . . . . . . . . . . . . . 142
7.399. serviceInterrogate . . . . . . . . . . . . . . . . . . . 142 7.399. serviceInterrogate . . . . . . . . . . . . . . . . . . . 142
7.400. serviceUserDefined . . . . . . . . . . . . . . . . . . . 142 7.400. serviceUserDefined . . . . . . . . . . . . . . . . . . . 142
7.401. sharedresourceauditedpermissions . . . . . . . . . . . . 143 7.401. sharedresourceauditedpermissions . . . . . . . . . . . . 143
7.402. netname . . . . . . . . . . . . . . . . . . . . . . . . 143 7.402. netname . . . . . . . . . . . . . . . . . . . . . . . . 143
7.403. sharedresourceeffectiverights . . . . . . . . . . . . . 143 7.403. sharedresourceeffectiverights . . . . . . . . . . . . . 143
7.404. user . . . . . . . . . . . . . . . . . . . . . . . . . . 144 7.404. user . . . . . . . . . . . . . . . . . . . . . . . . . . 144
7.405. enabled . . . . . . . . . . . . . . . . . . . . . . . . 144 7.405. enabled . . . . . . . . . . . . . . . . . . . . . . . . 144
7.406. lastLogon . . . . . . . . . . . . . . . . . . . . . . . 144 7.406. lastLogon . . . . . . . . . . . . . . . . . . . . . . . 144
7.407. groupSid . . . . . . . . . . . . . . . . . . . . . . . . 144 7.407. groupSid . . . . . . . . . . . . . . . . . . . . . . . . 144
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 144 7.408. endpointType . . . . . . . . . . . . . . . . . . . . . . 144
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 145 7.409. endpointPurpose . . . . . . . . . . . . . . . . . . . . 145
10. Security Considerations . . . . . . . . . . . . . . . . . . . 145 7.410. endpointCriticality . . . . . . . . . . . . . . . . . . 145
11. Operational Considerations . . . . . . . . . . . . . . . . . 146 7.411. ingestTimestamp . . . . . . . . . . . . . . . . . . . . 145
11.1. Endpoint Designation . . . . . . . . . . . . . . . . . . 146 7.412. vulnerabilityVersion . . . . . . . . . . . . . . . . . . 146
11.2. Timestamp Accuracy . . . . . . . . . . . . . . . . . . . 147 7.413. vulnerabilityExternalId . . . . . . . . . . . . . . . . 146
12. Privacy Considerations . . . . . . . . . . . . . . . . . . . 148 7.414. vulnerabilitySeverity . . . . . . . . . . . . . . . . . 146
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 148 7.415. assessmentTimestamp . . . . . . . . . . . . . . . . . . 146
13.1. Normative References . . . . . . . . . . . . . . . . . . 148 7.416. vulnerableSoftware . . . . . . . . . . . . . . . . . . . 146
13.2. Informative References . . . . . . . . . . . . . . . . . 149 7.417. endpointVulnerabilityStatus . . . . . . . . . . . . . . 147
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 149 7.418. vulnerabilityDescription . . . . . . . . . . . . . . . . 147
A.1. Changes in Revision 01 . . . . . . . . . . . . . . . . . 150 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 147
A.2. Changes in Revision 02 . . . . . . . . . . . . . . . . . 151 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 148
A.3. Changes in Revision 03 . . . . . . . . . . . . . . . . . 151 10. Security Considerations . . . . . . . . . . . . . . . . . . . 148
A.4. Changes in Revision 04 . . . . . . . . . . . . . . . . . 152 11. Operational Considerations . . . . . . . . . . . . . . . . . 149
A.5. Changes in Revision 05 . . . . . . . . . . . . . . . . . 152 11.1. Endpoint Designation . . . . . . . . . . . . . . . . . . 149
A.6. Changes in Revision 06 . . . . . . . . . . . . . . . . . 152 11.2. Timestamp Accuracy . . . . . . . . . . . . . . . . . . . 150
A.7. Changes in Revision 07 . . . . . . . . . . . . . . . . . 153 12. Privacy Considerations . . . . . . . . . . . . . . . . . . . 151
A.8. Changes in Revision 08 . . . . . . . . . . . . . . . . . 153 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 151
A.9. Changes in Revision 09 . . . . . . . . . . . . . . . . . 153 13.1. Normative References . . . . . . . . . . . . . . . . . . 151
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 154 13.2. Informative References . . . . . . . . . . . . . . . . . 151
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 152
A.1. Changes in Revision 01 . . . . . . . . . . . . . . . . . 152
A.2. Changes in Revision 02 . . . . . . . . . . . . . . . . . 154
A.3. Changes in Revision 03 . . . . . . . . . . . . . . . . . 154
A.4. Changes in Revision 04 . . . . . . . . . . . . . . . . . 154
A.5. Changes in Revision 05 . . . . . . . . . . . . . . . . . 155
A.6. Changes in Revision 06 . . . . . . . . . . . . . . . . . 155
A.7. Changes in Revision 07 . . . . . . . . . . . . . . . . . 155
A.8. Changes in Revision 08 . . . . . . . . . . . . . . . . . 156
A.9. Changes in Revision 09 . . . . . . . . . . . . . . . . . 156
A.10. Changes in Revision 10 . . . . . . . . . . . . . . . . . 157
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 157
1. Introduction 1. Introduction
The SACM Information Model (IM) serves multiple purposes: The SACM Information Model (IM) serves multiple purposes:
o to ensure interoperability between SACM data models that are used o to ensure interoperability between SACM data models that are used
as transport encodings, as transport encodings,
o to provide a standardized set of Information Elements - the SACM o to provide a standardized set of Information Elements - the SACM
Vocabulary - to enable the exchange of content vital to automated Vocabulary - to enable the exchange of content vital to automated
skipping to change at page 23, line 7 skipping to change at page 23, line 7
), ),
hostname = "lilac" hostname = "lilac"
) )
) )
) )
Figure 7: Example of a SACM statement containing an event. Figure 7: Example of a SACM statement containing an event.
4.6. Categories 4.6. Categories
Categories are special IEs that enable to refer to multiple types of Categories are special IEs that refer to multiple types of IEs via
IE via just one name. Therefore, they are similar to a type-choice. just one name. Therefore, they are similar to a type-choice. A
A prominent example of a category is when identifying a target prominent example of a category is when identifying a target
endpoint. In some cases, a target endpoint will be identified by a endpoint. In some cases, a target endpoint will be identified by a
set of identifying attributes and in other cases a target endpoint set of identifying attributes and in other cases a target endpoint
will be identified by a target endpoint label which is unique within will be identified by a target endpoint label which is unique within
a SACM domain. If a subject includes the targetEndpoint information a SACM domain. If a subject includes the targetEndpoint information
element as one of its components, any of the category members element as one of its components, any of the category members
(targetEndpointIdentifier or targetEndpointLabel) are valid to be (targetEndpointIdentifier or targetEndpointLabel) are valid to be
used in its place. used in its place.
5. Abstract Data Types 5. Abstract Data Types
skipping to change at page 24, line 42 skipping to change at page 24, line 42
<list-def> -> ("list"|"orderedList") "(" <ie-expression> ")" <list-def> -> ("list"|"orderedList") "(" <ie-expression> ")"
<ie-expression> -> <ie-name> <cardinality>? <ie-expression> -> <ie-name> <cardinality>?
( ("," | "|") <ie-name> <cardinality>?)* ( ("," | "|") <ie-name> <cardinality>?)*
<cardinality> -> "*" | "+" | "?" | <cardinality> -> "*" | "+" | "?" |
( "(" <non-neg-int> ("," <non-neg-int>)? ")" ) ( "(" <non-neg-int> ("," <non-neg-int>)? ")" )
Figure 8: Syntax for Defining List Datatypes Figure 8: Syntax for Defining List Datatypes
As seen above, multiple occurences of an Information Element may be As seen above, multiple occurrences of an Information Element may be
present in a structured datatype. The cardinality of an Information present in a structured datatype. The cardinality of an Information
Element within a structured Information Element definition is defined Element within a structured Information Element definition is defined
by the following operators: by the following operators:
* - zero or more occurrences * - zero or more occurrences
+ - one or more occurrences + - one or more occurrences
? - zero or one occurrence ? - zero or one occurrence
skipping to change at page 33, line 22 skipping to change at page 33, line 22
information about the data source and type of information about the data source and type of
security automation information such that other security automation information such that other
SACM Components are able to parse and understand SACM Components are able to parse and understand
the security automation information contained the security automation information contained
within the SACM Statement's SACM Content Element(s). within the SACM Statement's SACM Content Element(s).
structure: orderedList(collectionTimestamp, structure: orderedList(collectionTimestamp,
targetEndpoint, anyIE*) targetEndpoint, anyIE*)
7.5. targetEndpoint 7.5. targetEndpoint
elementId: TBD elementId: TBD
name: targetEndpoint name: targetEndpoint
dataType: category dataType: category
status: current status: current
description: Information that identifies a target description: Information that identifies a target
endpoint on the network. This may be a set of endpoint on the network. This may be a set of
attributes that can be used to identify an endpoint attributes that can be used to identify an endpoint
on the network or a label that is unique to a SACM on the network or a label that is unique to a SACM
domain. domain.
structure: category(targetEndpointIdentifier | structure: category(targetEndpointIdentifier |
targetEndpointLabel) targetEndpointLabel)
7.6. targetEndpointIdentifier 7.6. targetEndpointIdentifier
elementId: TBD elementId: TBD
name: targetEndpointIdentifier name: targetEndpointIdentifier
dataType: list dataType: list
status: current status: current
description: A set of attributes that uniquely description: A set of attributes that uniquely
identify a target endpoint on the network. identify a target endpoint on the network.
structure: list(anyIE+) structure: list(anyIE+)
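The Figure 8 syntax and the structure declarations in 7.4 to 7.6 are small enough to check mechanically. The Python below is an added example, not code from the draft or from any SACM implementation: it parses definitions written in the Figure 8 syntax and validates a flat sequence of IE names against them, including the Section 4.6 rule that a category member may stand in for the category itself. It assumes "category(...)" as a third keyword (Figure 8 only lists "list" and "orderedList"), treats "anyIE" as a wildcard matching any IE name, and rejects a definition that mixes "," and "|".

```python
# Added example (not from the draft): parse Figure 8 structure definitions and
# check IE-name sequences against them. Assumed: "category" as a third keyword,
# "anyIE" as a wildcard, and mixed ","/"|" separators rejected.
import re
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

_HEAD_RE = re.compile(r"\s*(list|orderedList|category)\s*\((.*)\)\s*$", re.S)
_MEMBER_RE = re.compile(
    r"\s*([A-Za-z][A-Za-z0-9]*)\s*"                      # <ie-name>
    r"(?:(\*|\+|\?)|\(\s*(\d+)\s*(?:,\s*(\d+)\s*)?\))?"  # <cardinality>?
    r"\s*([,|]|$)")                                      # separator or end
_SYMBOLS = {"*": (0, None), "+": (1, None), "?": (0, 1)}
_WILDCARD = "anyIE"

@dataclass(frozen=True)
class Member:
    name: str
    min_occ: int
    max_occ: Optional[int]  # None = unbounded ("*" or "+")

@dataclass(frozen=True)
class StructureDef:
    kind: str                    # "list", "orderedList" or "category"
    members: Tuple[Member, ...]
    choice: bool                 # alternatives ("|") rather than components (",")

def parse_structure(text: str) -> StructureDef:
    """Parse e.g. 'orderedList(collectionTimestamp, targetEndpoint, anyIE*)'."""
    head = _HEAD_RE.match(text)
    if not head:
        raise ValueError(f"not a list/orderedList/category definition: {text!r}")
    kind, body = head.groups()
    members, seps, pos = [], set(), 0
    while True:
        m = _MEMBER_RE.match(body, pos)
        if not m:
            raise ValueError(f"syntax error in {body!r} at offset {pos}")
        name, sym, lo, hi, sep = m.groups()
        # "*", "+", "?" as in Figure 8; "(n)" is exactly n, "(n,m)" a range; absent = one
        lo_hi = _SYMBOLS[sym] if sym else (int(lo), int(hi or lo)) if lo else (1, 1)
        members.append(Member(name, *lo_hi))
        pos = m.end()
        if sep == "":
            break
        seps.add(sep)
    if len(seps) > 1:
        raise ValueError("mixing ',' and '|' in one definition is ambiguous")
    return StructureDef(kind, tuple(members), kind == "category" or "|" in seps)

def _matches(pattern: str, name: str, cats: Dict[str, StructureDef]) -> bool:
    # Wildcard, same name, or (Section 4.6) a member of a category used in its place.
    return pattern in (_WILDCARD, name) or any(
        _matches(m.name, name, cats) for m in (cats[pattern].members if pattern in cats else ()))

def _ordered(members, mi, names, pos, cats) -> bool:
    # Backtracking match of names[pos:] against members[mi:], keeping order.
    if mi == len(members):
        return pos == len(names)
    m = members[mi]
    limit = len(names) - pos if m.max_occ is None else min(m.max_occ, len(names) - pos)
    for k in range(m.min_occ, limit + 1):
        if not all(_matches(m.name, n, cats) for n in names[pos:pos + k]):
            break                         # longer runs would contain the same misfit
        if _ordered(members, mi + 1, names, pos + k, cats):
            return True
    return False

def _unordered(members, names, cats) -> bool:
    # Order is irrelevant: bind names to members by count, the anyIE wildcard last.
    pool = list(names)
    for m in sorted(members, key=lambda m: m.name == _WILDCARD):
        taken = [n for n in pool if _matches(m.name, n, cats)][:m.max_occ]
        if len(taken) < m.min_occ:
            return False
        for n in taken:
            pool.remove(n)
    return not pool                       # every name must be accounted for

def validate(defn: StructureDef, names: Sequence[str],
             cats: Optional[Dict[str, StructureDef]] = None) -> bool:
    """True if the flat sequence of IE names is a valid instance of defn."""
    cats = cats or {}
    if defn.choice:                       # a category stands for exactly one alternative
        return len(names) == 1 and any(_matches(m.name, names[0], cats) for m in defn.members)
    if defn.kind == "orderedList":
        return _ordered(defn.members, 0, list(names), 0, cats)
    return _unordered(defn.members, list(names), cats)

# Structure declarations quoted from the draft (7.4, 7.5 and 7.6).
STATEMENT = parse_structure("orderedList(collectionTimestamp, targetEndpoint, anyIE*)")
TARGET_ENDPOINT = parse_structure("category(targetEndpointIdentifier | targetEndpointLabel)")
TE_IDENTIFIER = parse_structure("list(anyIE+)")
CATEGORIES = {"targetEndpoint": TARGET_ENDPOINT}

def statement_is_valid(names: Sequence[str]) -> bool:
    """Section 4.6: a category member may stand in for targetEndpoint in a statement."""
    return validate(STATEMENT, names, CATEGORIES)
```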
skipping to change at page 36, line 24 skipping to change at page 36, line 24
7.18. applicationType 7.18. applicationType
elementId: TBD elementId: TBD
name: applicationType name: applicationType
dataType: string dataType: string
status: current status: current
description: A set of types (FIXME maybe a finite set description: A set of types (FIXME maybe a finite set
is not realistic here - value not enumerator?) that is not realistic here - value not enumerator?) that
identifies the type of (user-space) application identifies the type of (user-space) application
(e.g. text-editor, policy-editor, service-client, (e.g. text-editor, policy-editor, service-client,
service-server, calender, rogue-like RPG). service-server, calendar, rogue-like RPG).
7.19. applicationManufacturer 7.19. applicationManufacturer
elementId: TBD elementId: TBD
name: applicationManufacturer name: applicationManufacturer
dataType: string dataType: string
status: current status: current
description: The name of the vendor that created the description: The name of the vendor that created the
application. application.
skipping to change at page 37, line 8 skipping to change at page 37, line 8
description: A label that references a SACM component description: A label that references a SACM component
that can authenticate target endpoints (can be used in that can authenticate target endpoints (can be used in
a target-endpoint subject to express that the target a target-endpoint subject to express that the target
endpoint was authenticated by that SACM component). endpoint was authenticated by that SACM component).
7.21. authenticationType 7.21. authenticationType
elementId: TBD elementId: TBD
name: authenticationType name: authenticationType
dataType: string dataType: string
status: current status: current
description: A set of types that expresses which type description: A set of types that express which type
of authentication was used to enable a network of authentication was used to enable a network
interaction/connection. interaction/connection.
7.22. birthdate 7.22. birthdate
elementId: TBD elementId: TBD
name: birthdate name: birthdate
dataType: string dataType: string
status: current status: current
description: A label for the registered day of birth description: A label for the registered day of
of a natural person (e.g. the date of birth of a person birth of a natural person (e.g. the date of birth
as an ISO date string). of a person as an ISO date string).
references: http://rs.tdwg.org/ontology/voc/Person#birthdate references: http://rs.tdwg.org/ontology/voc/Person#birthdate
7.23. bytesReceived 7.23. bytesReceived
elementId: TBD elementId: TBD
name: bytesReceived name: bytesReceived
dataType: string dataType: string
status: current status: current
description: A value that represents a number of octets description: A value that represents a number of octets
received on a network interface. received on a network interface.
skipping to change at page 40, line 21 skipping to change at page 40, line 21
description: A value that expresses an email-address. description: A value that expresses an email-address.
7.36. eventType 7.36. eventType
elementId: TBD elementId: TBD
name: eventType name: eventType
dataType: string dataType: string
status: current status: current
description: a set of types that define the categories description: a set of types that define the categories
of an event (e.g. access-level-change, of an event (e.g. access-level-change,
change-of-priviledge, change-of-authorization, change-of-privilege, change-of-authorization,
environmental-event, or provisioning-event). environmental-event, or provisioning-event).
7.37. eventThreshold 7.37. eventThreshold
elementId: TBD elementId: TBD
name: eventThreshold name: eventThreshold
dataType: string dataType: string
status: current status: current
description: if applicable, a value that can be description: If applicable, a value that can be
included in an event subject to indicate what numeric included in an event subject to indicate what numeric
threshold value was crossed to trigger that event. threshold value was crossed to trigger that event.
7.38. eventThresholdName 7.38. eventThresholdName
elementId: TBD elementId: TBD
name: eventThresholdName name: eventThresholdName
dataType: string dataType: string
status: current status: current
description: If an event is created due to a crossed description: If an event is created due to a crossed
skipping to change at page 42, line 12 skipping to change at page 42, line 12
status: current status: current
description: An IPv6 subnet bitmask in CIDR notation. description: An IPv6 subnet bitmask in CIDR notation.
7.45. ipv6AddressValue 7.45. ipv6AddressValue
elementId: TBD elementId: TBD
name: ipv6AddressValue name: ipv6AddressValue
dataType: ipv6Address dataType: ipv6Address
status: current status: current
description: An IPv6 subnet bitmask in CIDR notation. description: An IPv6 subnet bitmask in CIDR notation.
a network interface.
7.46. ipv4AddressSubnetMask 7.46. ipv4AddressSubnetMask
elementId: TBD elementId: TBD
name: ipv4AddressSubnetMask name: ipv4AddressSubnetMask
dataType: string dataType: string
status: current status: current
description: An IPv4 subnet bitmask. description: An IPv4 subnet bitmask.
7.47. ipv4AddressSubnetMaskCidrNotation 7.47. ipv4AddressSubnetMaskCidrNotation
skipping to change at page 44, line 50 skipping to change at page 44, line 50
methods can be registered at and that can provide
guidance in the form of registered methods to other
SACM components.
7.59. networkAccessLevelType
elementId: TBD
name: networkAccessLevelType
dataType: string
status: current
description: A set of types that express categories
of network access-levels (e.g. block, quarantine, etc.).
7.60. networkId
elementId: TBD
name: networkId
dataType: string
status: current
description: Most networks such as AS, OSPF domains,
or VLANs can have an ID.
7.61. networkInterfaceName
elementId: TBD
name: networkInterfaceName
dataType: string
status: current
description: A label that uniquely identifies an
interface associated with a distinguishable endpoint.
7.62. networkLayer
elementId: TBD
name: networkLayer
dataType: string
status: current
description: A set of layers that express the specific
network layer an interface operates on.
[...]
status: current
description: A label that uniquely identifies an
organization via a PEN.
7.65. patchId
elementId: TBD
name: patchId
dataType: string
status: current
description: A label that uniquely identifies a specific
software patch.
7.66. patchName
elementId: TBD
name: patchName
dataType: string
status: current
description: The vendor's name of a software patch.
[...]
elementId: TBD
name: relationshipStatementElementGuid
dataType: string
status: current
description: A reference to a specific SACM statement
used in a relationship subject.
7.78. relationshipObjectLabel
elementId: TBD
name: relationshipObjectLabel
dataType: string
status: current
description: A reference to a specific label used in
content (e.g. a te-label or a user-id). This
reference is typically used if matching the content
attribute can be done efficiently, and it can also be
included in addition to a
relationship-content-element-guid reference.
7.79. relationshipType
elementId: TBD
name: relationshipType
dataType: string
status: current
description: A set of types, one of which is included in
every instance of a relationship subject to highlight
what kind of relationship exists between the subject the
relationship is included in and the object it references
(e.g. associated_with_user, applies_to_session,
seen_on_interface, associated_with_flow,
contains_virtual_device).
7.80. roleName
elementId: TBD
name: roleName
dataType: string
status: current
description: A label that references a collection of
privileges assigned to a specific entity.
7.81. sessionStateType
elementId: TBD
name: sessionStateType
dataType: string
status: current
description: A set of types a discernible session (an
ongoing network interaction) can be in (e.g.
Authenticating, Authenticated, Postured, Started,
[...]
false, error, unknown, not applicable, not evaluated).
7.85. subAdministrativeDomain
elementId: TBD
name: subAdministrativeDomain
dataType: string
status: current
description: A label for related child domains an
administrative domain can be composed of (used in the
subject administrativeDomain).
7.86. subInterfaceLabel
elementId: TBD
name: subInterfaceLabel
dataType: string
status: current
description: A unique label a sub network interface
(e.g. a tagged VLAN on a trunk) can be referenced
with.
7.87. superAdministrativeDomain
elementId: TBD
name: superAdministrativeDomain
dataType: string
status: current
description: A label for related parent domains an
administrative domain is part of (used
in the subject administrativeDomain).
7.88. superInterfaceLabel
elementId: TBD
name: superInterfaceLabel
dataType: string
status: current
description: A unique label a super network interface
(e.g. a physical interface a tunnel
interface terminates on) can be referenced
[...]
7.92. timestampType
elementId: TBD
name: timestampType
dataType: string
status: current
description: A set of types that express what type of
action or event happened at that point
in time (e.g. discovered, classified,
collected, published). Can be included in
a generic timestamp subject.
7.93. unitsReceived
elementId: TBD
name: unitsReceived
dataType: string
status: current
description: A value that represents a number of units
(e.g. frames, packets, cells or segments)
received on a network interface.
[...]
elementId: TBD
name: WGS84Altitude
dataType: float64
status: current
description: A label that represents WGS 84 rev 2004
altitude.
7.101. hardwareSerialNumber
elementId: TBD
name: hardwareSerialNumber
dataType: string
status: current
description: A globally unique identifier for a
particular piece of hardware assigned
by the vendor.
7.102. interfaceName
elementId: TBD
name: interfaceName
dataType: string
status: current
description: A short name uniquely describing an
interface, e.g. "Eth1/0". See [RFC2863]
for the definition of the ifName object.
7.103. interfaceIndex
elementId: TBD
name: interfaceIndex
dataType: unsigned32
status: current
description: The index of an interface installed on an endpoint.
The value matches the value of managed object
'ifIndex' as defined in [RFC2863]. Note that ifIndex
[...]
elementId: TBD
name: interfaceType
dataType: unsigned32
status: current
description: The type of a network interface. The value matches
the value of managed object 'ifType' as defined in
[IANA registry ianaiftype-mib].
7.106. interfaceFlags
elementId: TBD
name: interfaceFlags
dataType: unsigned16
status: current
description: This information element specifies the flags
associated with a network interface. Possible
values include:
structure:
Up ; 0x1 ; Interface is up.
Broadcast ; 0x2 ; Broadcast address valid.
Debug ; 0x4 ; Turn on debugging.
Loopback ; 0x8 ; Is a loopback net.
Point-to-point ; 0x10 ; Interface is a point-to-point link.
No trailers ; 0x20 ; Avoid use of trailers.
Resources allocated ; 0x40 ; Resources allocated.
No ARP ; 0x80 ; No address resolution protocol.
Receive all ; 0x100 ; Receive all packets.
7.107. networkInterface
elementId: TBD
name: networkInterface
dataType: orderedList
status: current
description: Information about a network interface
installed on an endpoint. The
following high-level diagram
[...]
elementId: TBD
name: softwareLastUpdated
dataType: dateTimeSeconds
status: current
description: The date and time when the software instance
was last updated on the system (e.g., new
version installed or patch applied).
7.116. softwareClass
elementId: TBD
name: softwareClass
dataType: enumeration
status: current
description: The class of the software instance.
structure:
Unknown ; 0x1 ; The class is not known.
Other ; 0x2 ; The class is known, but is something other
than a value listed in the enumeration.
Driver ; 0x3 ; The class is a device driver.
Configuration Software ; 0x4 ; The class is configuration
software.
Application Software ; 0x5 ; The class is application
software.
Instrumentation ; 0x6 ; The class is instrumentation.
Diagnostic Software ; 0x8 ; The class is diagnostic
software.
Operating System ; 0x9 ; The class is operating
system.
Middleware ; 0xA ; The class is middleware.
Firmware ; 0xB ; The class is firmware.
BIOS/FCode ; 0xC ; The class is BIOS or FCode.
Support/Service Pack ; 0xD ; The class is a support or
service pack.
Software Bundle ; 0xE ; The class is a software
bundle.
References: See Classifications of the DMTF
CIM_SoftwareIdentity schema.
7.117. softwareInstance
elementId: TBD
name: softwareInstance
dataType: orderedList
status: current
description: Information about an instance of software
installed on an endpoint. The following
high-level diagram describes the structure of
the softwareInstance information element.
structure: orderedList(softwareIdentifier, softwareTitle,
softwareCreator, softwareVersion,
softwareLastUpdated, softwareClass)
7.118. globallyUniqueIdentifier
elementId: TBD
name: globallyUniqueIdentifier
dataType: unsigned8
status: current
description: TODO.
7.119. creationTimestamp
[...]
dataType: unsigned8
status: current
description: The IP version field in the IP packet header.
7.135. interfaceDescription
elementId: TBD
name: interfaceDescription
dataType: string
status: current
description: The description of an interface, e.g.
"FastEthernet 1/0" or "ISP connection".
7.136. applicationDescription
elementId: TBD
name: applicationDescription
dataType: string
status: current
description: Specifies the description of an application.
7.137. applicationId
[...]
directory has an ACL, the entity will have a status of 'exists'
and a value of 'true'. Lastly, if a system doesn't support ACLs,
the entity will have a status of 'does not exist'.
7.225. inetd
elementId: TBD
name: inetd
dataType: list
structure: list (serviceProtocol, serviceName, serverProgram,
serverArguments, inetdEndpointType, execAsUser, waitStatus)
status: current
description: Holds information associated
with different Internet services.
7.226. serverProgram
elementId: TBD
name: serverProgram
dataType: string
status: current
description: Either the pathname of a server program to be
invoked by inetd to perform the requested service, or the value
'internal' if inetd itself provides the service.
7.227. inetdEndpointType
elementId: TBD
name: inetdEndpointType
dataType: enumeration
structure:
stream ; 0x1 ; The stream value is used to describe a stream
socket.
dgram ; 0x2 ; The dgram value is used to describe a datagram
socket.
raw ; 0x3 ; The raw value is used to describe a raw socket.
seqpacket ; 0x4 ; The seqpacket value is used to describe a
sequenced packet socket.
tli ; 0x5 ; The tli value is used to describe all TLI endpoints.
[...]
the service is stopped. The DWORD value that this corresponds
to is 0x00000001.
; 0x8 ; The empty string value is permitted here to allow
for empty elements associated with error conditions.
status: current
description: Specifies the current state of
the service.
7.386. controlsAccepted
elementId: TBD
name: controlsAccepted
dataType: enumeration
structure:
SERVICE_ACCEPT_NETBINDCHANGE ; 0x1 ; The
SERVICE_ACCEPT_NETBINDCHANGE type means that the service is a
network component and can accept changes in its binding without
being stopped or restarted. The DWORD value that this
corresponds to is 0x00000010.
SERVICE_ACCEPT_PARAMCHANGE ; 0x2 ; The SERVICE_ACCEPT_PARAMCHANGE
type means that the service can re-read its startup parameters
without being stopped or restarted. The DWORD value that this
corresponds to is 0x00000008.
SERVICE_ACCEPT_PAUSE_CONTINUE ; 0x3 ; The
SERVICE_ACCEPT_PAUSE_CONTINUE type means that the service can be
paused or continued. The DWORD value that this corresponds to
is 0x00000002.
SERVICE_ACCEPT_PRESHUTDOWN ; 0x4 ; The SERVICE_ACCEPT_PRESHUTDOWN
type means that the service can receive pre-shutdown
notifications. The DWORD value that this corresponds to is
0x00000100.
SERVICE_ACCEPT_SHUTDOWN ; 0x5 ; The SERVICE_ACCEPT_SHUTDOWN type
means that the service can receive shutdown notifications. The
DWORD value that this corresponds to is 0x00000004.
SERVICE_ACCEPT_STOP ; 0x6 ; The SERVICE_ACCEPT_STOP type means
that the service can be stopped. The DWORD value that this
corresponds to is 0x00000001.
SERVICE_ACCEPT_HARDWAREPROFILECHANGE ; 0x7 ; The
SERVICE_ACCEPT_HARDWAREPROFILECHANGE type means that the service
can receive notifications when the system's hardware profile
changes. The DWORD value that this corresponds to is 0x00000020.
SERVICE_ACCEPT_POWEREVENT ; 0x8 ; The SERVICE_ACCEPT_POWEREVENT
type means that the service can receive notifications when the
system's power status has changed. The DWORD value that this
corresponds to is 0x00000040.
SERVICE_ACCEPT_SESSIONCHANGE ; 0x9 ; The
SERVICE_ACCEPT_SESSIONCHANGE type means that the service can
receive notifications when the system's session status has
changed. The DWORD value that this corresponds to is 0x00000080.
SERVICE_ACCEPT_TIMECHANGE ; 0xA ; The SERVICE_ACCEPT_TIMECHANGE
type means that the service can receive notifications when the
system time changes. The DWORD value that this corresponds to
is 0x00000200.
SERVICE_ACCEPT_TRIGGEREVENT ; 0xB ; The
SERVICE_ACCEPT_TRIGGEREVENT type means that the service can
receive notifications when an event that the service has
registered for occurs on the system. The DWORD value that this
corresponds to is 0x00000400.
; 0xC ; The empty string value is permitted here to allow
for empty elements associated with error conditions.
status: current
description: Specifies the control codes that a service will
accept and process.
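The interfaceFlags (7.106) and controlsAccepted (7.386) structures both map a platform flag word to SACM enumeration codes, but only the first uses the bit values themselves as codes; the controlsAccepted codes are sequential and differ from the Windows DWORD values the structure lists, so a collector must translate rather than copy. The Python below is an added example, not code from the draft, that decodes both structures, rejects bits the IE does not define, and emits the 0xC empty value for the error case; the table and function names are the example's own.

```python
"""Decoding platform flag words into SACM enumeration codes.

Added example, not code from the draft.  interfaceFlags (7.106) uses
the bit values themselves as codes; controlsAccepted (7.386) numbers
its codes sequentially (0x1..0xB), so the Windows dwControlsAccepted
bits must be translated rather than copied.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# name -> (SACM enumeration code, platform bit); values copied from the
# structure of the interfaceFlags IE.
INTERFACE_FLAGS: Dict[str, Tuple[int, int]] = {
    "Up":                  (0x1,   0x1),
    "Broadcast":           (0x2,   0x2),
    "Debug":               (0x4,   0x4),
    "Loopback":            (0x8,   0x8),
    "Point-to-point":      (0x10,  0x10),
    "No trailers":         (0x20,  0x20),
    "Resources allocated": (0x40,  0x40),
    "No ARP":              (0x80,  0x80),
    "Receive all":         (0x100, 0x100),
}

# name -> (SACM enumeration code, Windows DWORD value); values copied
# from the structure of the controlsAccepted IE.
CONTROLS_ACCEPTED: Dict[str, Tuple[int, int]] = {
    "SERVICE_ACCEPT_NETBINDCHANGE":         (0x1, 0x00000010),
    "SERVICE_ACCEPT_PARAMCHANGE":           (0x2, 0x00000008),
    "SERVICE_ACCEPT_PAUSE_CONTINUE":        (0x3, 0x00000002),
    "SERVICE_ACCEPT_PRESHUTDOWN":           (0x4, 0x00000100),
    "SERVICE_ACCEPT_SHUTDOWN":              (0x5, 0x00000004),
    "SERVICE_ACCEPT_STOP":                  (0x6, 0x00000001),
    "SERVICE_ACCEPT_HARDWAREPROFILECHANGE": (0x7, 0x00000020),
    "SERVICE_ACCEPT_POWEREVENT":            (0x8, 0x00000040),
    "SERVICE_ACCEPT_SESSIONCHANGE":         (0x9, 0x00000080),
    "SERVICE_ACCEPT_TIMECHANGE":            (0xA, 0x00000200),
    "SERVICE_ACCEPT_TRIGGEREVENT":          (0xB, 0x00000400),
}
CONTROLS_ACCEPTED_EMPTY = 0xC  # the empty-string value for error conditions


def decode_flags(table: Dict[str, Tuple[int, int]], word: int) -> List[int]:
    """Return the SACM codes for every platform bit set in `word`, in
    enumeration order.

    Bits the IE does not define raise instead of being dropped, so a
    collector never silently under-reports what a service accepts or
    what state an interface is in.
    """
    defined = 0
    codes: List[int] = []
    for code, bit in table.values():
        defined |= bit
        if word & bit:
            codes.append(code)
    undefined = word & ~defined
    if undefined:
        raise ValueError(f"bits not defined by the IE: {undefined:#x}")
    return codes


def encode_flags(table: Dict[str, Tuple[int, int]], codes: Iterable[int]) -> int:
    """Inverse of decode_flags: SACM codes back to the platform word."""
    bit_by_code = {code: bit for code, bit in table.values()}
    word = 0
    for code in codes:
        if code not in bit_by_code:
            raise ValueError(f"unknown SACM code {code:#x}")
        word |= bit_by_code[code]
    return word


def code_names(table: Dict[str, Tuple[int, int]], codes: Iterable[int]) -> List[str]:
    """Human-readable names for a list of SACM codes (for reports and logs)."""
    name_by_code = {code: name for name, (code, _) in table.items()}
    return [name_by_code[code] for code in codes]


def controls_accepted_codes(dword: Optional[int]) -> List[int]:
    """dwControlsAccepted -> controlsAccepted enumeration codes.

    None models a collector that could not query the service; the IE
    permits the single empty value 0xC for that error condition.
    """
    if dword is None:
        return [CONTROLS_ACCEPTED_EMPTY]
    return decode_flags(CONTROLS_ACCEPTED, dword)


if __name__ == "__main__":
    # Constructed sample: a service accepting STOP, SHUTDOWN and NETBINDCHANGE.
    service = 0x00000001 | 0x00000004 | 0x00000010
    codes = controls_accepted_codes(service)
    print(codes, code_names(CONTROLS_ACCEPTED, codes))   # [1, 5, 6] ...
    # Constructed sample: a loopback interface that is up.
    print(decode_flags(INTERFACE_FLAGS, 0x1 | 0x8))       # [1, 8]
```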
7.387. startName
elementId: TBD
name: startName
dataType: string
status: current
description: Specifies the account under
which the process should run.
[...]
description: Represents the SID of a
particular group. If the specified user belongs to more than
one group, then multiple groupSid elements are
applicable. If the specified user is not a member of a single
group, then a single groupSid element should be
included with a status of 'does not exist'. If there is an
error determining the groups that the user belongs to,
then a single groupSid element should be included with a
status of 'error'.
7.408. endpointType
elementId: TBD
name: endpointType
dataType: enumeration
status: current
description: The possible types of endpoint in the
enterprise.
structure:
workstation; 0x1; Workstation Endpoint
printer; 0x2; Printer Endpoint
router; 0x3; Router Endpoint
tablet; 0x4; Tablet Endpoint
7.409. endpointPurpose
elementId: TBD
name: endpointPurpose
dataType: string
status: current
description: A description of how the endpoint is
used within the enterprise.
Examples include end user system,
and public web server.
7.410. endpointCriticality
elementId: TBD
name: endpointCriticality
dataType: string
status: current
description: An enterprise-defined rating which
indicates the criticality of the
endpoint. The rating should be
specific enough to assess the impact
to the overall enterprise if the
endpoint is attacked or lost.
7.411. ingestTimestamp
elementId: TBD
name: ingestTimestamp
dataType: dateTimeSeconds
status: current
description: The point in time that the
description of a vulnerability was
received by the enterprise.
7.412. vulnerabilityVersion
elementId: TBD
name: vulnerabilityVersion
dataType: string
status: current
description: The version or iteration of the
vulnerability description information
(reported by the author, if applicable).
7.413. vulnerabilityExternalId
elementId: TBD
name: vulnerabilityExternalId
dataType: string
status: current
description: An external or third-party ID
assigned to the vulnerability
description. This could be multiple
IDs in some cases (e.g., vendor bug
ID, global ID, discoverer's local ID,
third-party vulnerability database
ID, etc.).
7.414. vulnerabilitySeverity
elementId: TBD
name: vulnerabilitySeverity
dataType: string
status: current
description: The severity of the vulnerability
(reported by the author, if applicable).
7.415. assessmentTimestamp
elementId: TBD
name: assessmentTimestamp
dataType: dateTimeSeconds
status: current
description: The point in time that the assessment
was performed against an endpoint.
7.416. vulnerableSoftware
elementId: TBD
name: vulnerableSoftware
dataType: list
status: current
description: A listing of software products
installed on the endpoint which are
known to have vulnerabilities.
structure: list(softwareInstance*)
7.417. endpointVulnerabilityStatus
elementId: TBD
name: endpointVulnerabilityStatus
dataType: enumeration
status: current
description: Overall vulnerability status of an
enterprise endpoint.
structure: Pass; 0x1; Endpoint passed the
vulnerability test(s).
Fail; 0x2; Endpoint failed the
vulnerability test(s).
7.418. vulnerabilityDescription
elementId: TBD
name: vulnerabilityDescription
dataType: string
status: current
description: A human-readable description of the
vulnerability.
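The IEs in 7.408 to 7.418 together describe one endpoint's vulnerability assessment: vulnerableSoftware carries softwareInstance ordered lists, and endpointVulnerabilityStatus summarises the result. The Python below is an added example, not code from the draft, that assembles such a result from constructed softwareInstance and vulnerability description records; the `affects` set tying a description to (softwareIdentifier, softwareVersion) pairs is an assumption of the example, since the draft defines no IE for that link.

```python
"""Assembling the Vulnerability Assessment Scenario IEs for one endpoint.

Added example, not code from the draft.  The `affects` field that ties a
vulnerability description to (softwareIdentifier, softwareVersion) pairs
is an assumption of this example; the draft defines no IE for that link.
"""
from dataclasses import dataclass, asdict
from typing import Dict, FrozenSet, Iterable, List, Tuple

# softwareClass enumeration codes used below (7.116).
SOFTWARE_CLASS_APPLICATION = 0x5
SOFTWARE_CLASS_OPERATING_SYSTEM = 0x9
# endpointVulnerabilityStatus enumeration (7.417).
STATUS_PASS = 0x1
STATUS_FAIL = 0x2


@dataclass(frozen=True)
class SoftwareInstance:
    """orderedList(softwareIdentifier, softwareTitle, softwareCreator,
    softwareVersion, softwareLastUpdated, softwareClass) per 7.117."""
    softwareIdentifier: str
    softwareTitle: str
    softwareCreator: str
    softwareVersion: str
    softwareLastUpdated: int   # dateTimeSeconds
    softwareClass: int


@dataclass(frozen=True)
class VulnerabilityDescription:
    """The vulnerability description IEs (7.411 to 7.414, 7.418)."""
    vulnerabilityExternalId: Tuple[str, ...]   # one description may carry several IDs
    vulnerabilitySeverity: str
    vulnerabilityVersion: str
    vulnerabilityDescription: str
    ingestTimestamp: int                       # dateTimeSeconds
    affects: FrozenSet[Tuple[str, str]]        # assumed link, not a draft IE


def assess_endpoint(installed: Iterable[SoftwareInstance],
                    descriptions: Iterable[VulnerabilityDescription],
                    assessment_time: int) -> Dict:
    """Return the assessment IEs (7.415 to 7.417) for one endpoint.

    vulnerableSoftware is list(softwareInstance*): every installed
    instance matched by at least one applicable description.  The
    status is Fail (0x2) when that list is non-empty, else Pass (0x1).
    Descriptions ingested after assessment_time are ignored, so a
    report stays reproducible for its assessmentTimestamp.
    """
    applicable = [d for d in descriptions if d.ingestTimestamp <= assessment_time]
    vulnerable: List[SoftwareInstance] = []
    matched: Dict[str, List[str]] = {}
    for inst in installed:
        key = (inst.softwareIdentifier, inst.softwareVersion)
        hits = [d for d in applicable if key in d.affects]
        if hits:
            vulnerable.append(inst)
            matched[inst.softwareIdentifier] = [
                ext_id for d in hits for ext_id in d.vulnerabilityExternalId]
    return {
        "assessmentTimestamp": assessment_time,
        "vulnerableSoftware": [asdict(inst) for inst in vulnerable],
        "endpointVulnerabilityStatus": STATUS_FAIL if vulnerable else STATUS_PASS,
        "matchedExternalIds": matched,   # convenience field, not a draft IE
    }


# Constructed sample data (identifiers and timestamps are made up).
SAMPLE_INSTALLED = [
    SoftwareInstance("example-os", "Example OS", "Example Vendor", "4.2",
                     1490000000, SOFTWARE_CLASS_OPERATING_SYSTEM),
    SoftwareInstance("example-app", "Example App", "Example Vendor", "1.0.3",
                     1491000000, SOFTWARE_CLASS_APPLICATION),
]
SAMPLE_DESCRIPTIONS = [
    VulnerabilityDescription(("VENDOR-BUG-1234", "EXT-ID-0001"), "high", "1",
                             "Constructed: Example App 1.0.3 mishandles input.",
                             1491500000, frozenset({("example-app", "1.0.3")})),
    VulnerabilityDescription(("EXT-ID-0002",), "low", "1",
                             "Constructed: affects a version not installed here.",
                             1491500000, frozenset({("example-os", "4.1")})),
]

if __name__ == "__main__":
    print(assess_endpoint(SAMPLE_INSTALLED, SAMPLE_DESCRIPTIONS, 1492000000))
```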
8. Acknowledgements
Many of the specifications in this document have been developed in a
public-private partnership with vendors and end-users. The hard work
of the SCAP community is appreciated in advancing these efforts to
their current level of adoption.
Over the course of developing the initial draft, Brant Cheikes, Matt
Hansbury, Daniel Haynes, Scott Pope, Charles Schmidt, and Steve
Venema have contributed text to many sections of this document.
[...]
Added "networkZoneLocation", "layer2NetworkLocation", and
"layer3NetworkLocation" IEs
(https://github.com/sacmwg/draft-ietf-sacm-information-model/issues/9).
Created a softwareClass attribute IE and added it to the
softwareInstance subject IE. Also, removed the os* attribute IEs
(https://github.com/sacmwg/draft-ietf-sacm-information-model/issues/10).
A.10. Changes in Revision 10
Added several IEs necessary for the SACM Vulnerability Assessment
Scenario (https://github.com/sacmwg/draft-ietf-sacm-information-
model/issues/43).
Fixed various typos and formatting issues.
Authors' Addresses
David Waltermire (editor)
National Institute of Standards and Technology
100 Bureau Drive
Gaithersburg, Maryland 20877
USA
Email: david.waltermire@nist.gov