draft-ietf-sacm-terminology-14.txt   draft-ietf-sacm-terminology-15.txt 
SACM Working Group H. Birkholz SACM Working Group H. Birkholz
Internet-Draft Fraunhofer SIT Internet-Draft Fraunhofer SIT
Intended status: Informational J. Lu Intended status: Informational J. Lu
Expires: June 13, 2018 Oracle Corporation Expires: December 15, 2018 Oracle Corporation
J. Strassner J. Strassner
Huawei Technologies Huawei Technologies
N. Cam-Winget N. Cam-Winget
Cisco Systems Cisco Systems
A. Montville A. Montville
CIS CIS
December 10, 2017 June 13, 2018
Security Automation and Continuous Monitoring (SACM) Terminology Security Automation and Continuous Monitoring (SACM) Terminology
draft-ietf-sacm-terminology-14 draft-ietf-sacm-terminology-15
Abstract Abstract
This memo documents terminology used in the documents produced by This memo documents terminology used in the documents produced by
SACM (Security Automation and Continuous Monitoring). SACM (Security Automation and Continuous Monitoring).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 13, 2018. This Internet-Draft will expire on December 15, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 2 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 2
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
4. Security Considerations . . . . . . . . . . . . . . . . . . . 20 4. Security Considerations . . . . . . . . . . . . . . . . . . . 22
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 21 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22
6. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 21 6. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 22
7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 25 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 26
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 26 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 27
8.1. Normative References . . . . . . . . . . . . . . . . . . 26 8.1. Normative References . . . . . . . . . . . . . . . . . . 28
8.2. Informative References . . . . . . . . . . . . . . . . . 26 8.2. Informative References . . . . . . . . . . . . . . . . . 28
Appendix A. The Attic . . . . . . . . . . . . . . . . . . . . . 27 Appendix A. The Attic . . . . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 29
1. Introduction 1. Introduction
Our goal with this document is to improve our agreement on the Our goal with this document is to improve our agreement on the
terminology used in documents produced by the IETF Working Group for terminology used in documents produced by the IETF Working Group for
Security Automation and Continuous Monitoring. Agreeing on Security Automation and Continuous Monitoring. Agreeing on
terminology should help reach consensus on which problems we're terminology should help reach consensus on which problems we're
trying to solve, and propose solutions and decide which ones to use. trying to solve, and propose solutions and decide which ones to use.
2. Terms and Definitions 2. Terms and Definitions
skipping to change at page 2, line 47 skipping to change at page 2, line 47
which the term is used in SACM. Note that explanatory or which the term is used in SACM. Note that explanatory or
informational augmentation to definitions are segregated from the informational augmentation to definitions are segregated from the
definitions themselves. The definition for the term immediately definitions themselves. The definition for the term immediately
follows the term on the same line, whereas expositional text is follows the term on the same line, whereas expositional text is
contained in subsequent paragraphs immediately following the contained in subsequent paragraphs immediately following the
definition. definition.
Assertion: Defined by the ITU in [X.1252] as "a statement made by an Assertion: Defined by the ITU in [X.1252] as "a statement made by an
entity without accompanying evidence of its validity". entity without accompanying evidence of its validity".
In the context of SACM, an assertion is the output of a SACM
Component in the form of a SACM Statement (including metadata
about the data source and data origin, e.g. timestamps). While
the validity of an assertion about Content and Content Metadata
cannot be verified without, for example, Integrity Proofing of the
Data Source, an assertion (and therefore a SACM statement,
respectively) of the validity of Statement Metadata can by enabled
by including corresponding Integrity Evidence created by the Data
Origin.
Assessment: Defined in [RFC5209] as "the process of collecting Assessment: Defined in [RFC5209] as "the process of collecting
posture for a set of capabilities on the endpoint (e.g., host- posture for a set of capabilities on the endpoint (e.g., host-
based firewall) such that the appropriate validators may evaluate based firewall) such that the appropriate validators may evaluate
the posture against compliance policy." the posture against compliance policy."
Asset: Is a system resource, as defined in [RFC4949], that may be Asset: Is a system resource, as defined in [RFC4949], that may be
composed of other assets. composed of other assets.
Examples of Assets include: Endpoints, Software, Guidance, or Examples of Assets include: Endpoints, Software, Guidance, or
X.509 public key certificates. An asset is not necessarily owned X.509 public key certificates. An asset is not necessarily owned
skipping to change at page 3, line 22 skipping to change at page 3, line 31
Asset Management: The IT process by which assets are provisioned, Asset Management: The IT process by which assets are provisioned,
updated, maintained and deprecated. updated, maintained and deprecated.
Attribute: Is a data element, as defined in [RFC5209], that is Attribute: Is a data element, as defined in [RFC5209], that is
atomic. atomic.
In the context of SACM, attributes are "atomic" information In the context of SACM, attributes are "atomic" information
elements and an equivalent to attribute-value-pairs. Attributes elements and an equivalent to attribute-value-pairs. Attributes
can be components of Subjects. can be components of Subjects.
Authentication: Defined in [RFC4949] as "the process of verifying a Broken remnant of a term again, but this time left here to show how
claim that a system entity or system resource has a certain much the last submit of -14 broke the document (this is actually not
attribute value." a term definition, apparently, but if you are curious this was
"Authorization", became a second paragraph of expositional text to
Authorization: Defined in [RFC4949] as "an approval that is granted the definition of Attribute and now became the universal disclaimer
to a system entity to access a system resource." of "please alter the structure of the document with care") - until
removal by a less annoyed editor:
Defined in [RFC4949] as "an approval that is granted to a system
entity to access a system resource."
Capability: A set of features that are available from a SACM Capability: A set of features that are available from a SACM
Component. Component.
See also "capability" in [I-D.ietf-i2nsf-terminology]. See also "capability" in [I-D.ietf-i2nsf-terminology].
In the context of SACM, the extent of a SACM component's ability In the context of SACM, the extent of a SACM component's ability
is enabled by the functions it is composed of. Capabilities are is enabled by the functions it is composed of. Capabilities are
registered at a SACM broker (potentially also at a proxy or a registered at a SACM broker (potentially also at a proxy or a
repository component if it includes broker functions) by a SACM repository component if it includes broker functions) by a SACM
skipping to change at page 5, line 37 skipping to change at page 5, line 50
identifies a log-file directory, a registry entry. identifies a log-file directory, a registry entry.
Configuration Drift: The disposition of endpoint characteristics to Configuration Drift: The disposition of endpoint characteristics to
change over time. change over time.
Configuration drift exists for both hardware components and Configuration drift exists for both hardware components and
software components. Typically, the frequency and scale of software components. Typically, the frequency and scale of
configuration drift of software components is significantly higher configuration drift of software components is significantly higher
than the configuration drift of hardware components. than the configuration drift of hardware components.
Consumer: Is a SACM Role that contains functions to receive Consumer: A SACM Role that requires a SACM Component to include SACM
information from other SACM Components. Functions enabling it to receive information from other SACM
Components.
Content Element: Content elements constitute the payload data (SACM Content Element: Content elements constitute the payload data (SACM
content) transferred via statement Subjects emitted by providers content) transferred via statement Subjects emitted by providers
of information. Every content element Subject includes a specific of information. Every content element Subject includes a specific
content Subject and a corresponding content metadata Subject. content Subject and a corresponding content metadata Subject.
Content Metadata: Data about content Subjects. Every content- Content Metadata: Data about content Subjects. Every content-
element includes a content metadata Subject. The Subject can element includes a content metadata Subject. The Subject can
include any information element that can annotate the content include any information element that can annotate the content
transferred. Examples include time stamps or data provenance transferred. Examples include time stamps or data provenance
skipping to change at page 6, line 46 skipping to change at page 7, line 8
information. The termination points of provider of information information. The termination points of provider of information
and consumer of information data is transferred between are and consumer of information data is transferred between are
interfaces. In regard to data in motion, the interpretation of interfaces. In regard to data in motion, the interpretation of
the roles consumer of information and provider of information the roles consumer of information and provider of information
depends on the corresponding OSI layer (e.g. on layer2: between depends on the corresponding OSI layer (e.g. on layer2: between
interfaces connected to a broadcast domain, on layer4: between interfaces connected to a broadcast domain, on layer4: between
interfaces that maintain a TCP connection). In the context of interfaces that maintain a TCP connection). In the context of
SACM, consumer of information and provider of information are SACM SACM, consumer of information and provider of information are SACM
components. components.
The SACM architecture and corresponding models focus on data in
motion.
Data At Rest: Data that is stored. Data At Rest: Data that is stored.
Data at rest requires a data model to encode the data to be Data at rest requires a data model to encode the data to be
stored. In the context of SACM, data at rest located on a SACM stored. In the context of SACM, data at rest located on a SACM
component can be provided to other SACM components via component can be provided to other SACM components via
discoverable capabilities. discoverable capabilities.
In the context of SACM, data models for data at rest are out of
scope.
Data Integrity: Defined in [RFC4949] as "the property that data has Data Integrity: Defined in [RFC4949] as "the property that data has
not been changed, destroyed, or lost in an unauthorized or not been changed, destroyed, or lost in an unauthorized or
accidental manner." accidental manner."
Data Origin: The SACM Component that initially acquired or produced Data Origin: The SACM Component that initially acquired or produced
data about an endpoint. data about an endpoint.
Data Origin enables a SACM component to identify the SACM Data Origin enables a SACM component to identify the SACM
component that initially acquired or produced data about a component that initially acquired or produced data about a
(target) endpoint (e.g. via collection from a data source) and (target) endpoint (e.g. via collection from a data source) and
skipping to change at page 9, line 7 skipping to change at page 9, line 14
Endpoint Attributes typically constitute Attributes that can be Endpoint Attributes typically constitute Attributes that can be
bundled into Subject (e.g. information about a specific network bundled into Subject (e.g. information about a specific network
interface can be represented via a set of multiple AVP). interface can be represented via a set of multiple AVP).
Endpoint Characteristics: The state, configuration and composition Endpoint Characteristics: The state, configuration and composition
of the software components and (virtual) hardware components a of the software components and (virtual) hardware components a
target endpoint is composed of, including observable behavior, target endpoint is composed of, including observable behavior,
e.g. sys-calls, log-files, or PDU emission on a network. e.g. sys-calls, log-files, or PDU emission on a network.
Endpoint Characterization: The description of the distinctive nature In SACM work-flows, (Target) Endpoint Characteristics are
of an endpoint, that is based on its characteristics. represented via Information Elements.
Endpoint Characterization Task: The task of endpoint Endpoint Characterization Task: The task of endpoint
characterization that uses endpoint attributes that represent characterization that uses endpoint attributes that represent
distinct endpoint characteristics. distinct endpoint characteristics.
Endpoint Classification: The categorization of of the endpoint into Endpoint Classification: The categorization of of the endpoint into
one or more taxonomic structures. one or more taxonomic structures.
Endpoint classification requires declarative guidance in the form Endpoint classification requires declarative guidance in the form
of an endpoint profile, discovery results and potentially of an endpoint profile, discovery results and potentially
skipping to change at page 9, line 46 skipping to change at page 10, line 5
Evaluation Task: A task by which an endpoint's asserted attribute Evaluation Task: A task by which an endpoint's asserted attribute
value is evaluated against a policy-compliant attribute value. value is evaluated against a policy-compliant attribute value.
Evaluation Result: The resulting value from having evaluated a set Evaluation Result: The resulting value from having evaluated a set
of posture attributes. of posture attributes.
Expected Endpoint Attribute State: The policy-compliant state of an Expected Endpoint Attribute State: The policy-compliant state of an
endpoint attribute that is to be compared against. endpoint attribute that is to be compared against.
Guidance: Input directing SACM processes or tasks. Sets of expected endpoint attribute states are transported as
declarative guidance in target endpoint profiles via the
management plane. This, for example, can be a policy, but also a
recorded past state. An expected state is represented by an
Attribute or a Subject that represents a set of multiple attribute
value pairs.
Guidance: Machine-processable input directing SACM processes or
tasks.
Examples of such processes/tasks include automated device
management, remediation, collection, evaluation. Guidance
influences the behavior of a SACM Component and is considered
content of the management plane. In the context of SACM, guidance
is machine-readable and can be manually or automatically generated
or provided. Typically, the tasks that provide guidance to SACM
components have a low-frequency and tend to be sporadic.
There are two types of guidance: There are two types of guidance:
Declarative Guidance: Guidance that defines the configuration or Declarative Guidance: Guidance that defines the configuration or
state an endpoint is supposed to be in, without providing specific state an endpoint is supposed to be in, without providing specific
actions or methods to produce that desired state. Examples actions or methods to produce that desired state. Examples
include Target Endpoint Profiles or network topology based include Target Endpoint Profiles or network topology based
requirements. requirements.
Imperative Guidance: Guidance that prescribes specific actions to Imperative Guidance: Guidance that prescribes specific actions to
be conducted or methods to be used in order to achieve an outcome. be conducted or methods to be used in order to achieve an outcome.
Examples include a targeted Collection Task or the IP-Address of a Examples include a targeted Collection Task or the IP-Address of a
SACM Component that provides a registration function. SACM Component that provides a registration function.
Prominent examples include: modification of the configuration of a
SACM component or updating a target endpoint profile that resides
on an evaluator. In essence, guidance is transported via the
management plane.
Endpoint Hardware Inventory: The set of hardware components that Endpoint Hardware Inventory: The set of hardware components that
compose a specific endpoint representing its hardware compose a specific endpoint representing its hardware
configuration. configuration.
Hardware Component: A distinguishable physical component used to
compose an endpoint.
The composition of an endpoint can be changed over time by adding
or removing hardware components. In essence, every physical
endpoint is potentially a composite of multiple hardware
components, typically resulting in a hierarchical composition of
hardware components. The composition of hardware components is
based on interconnects provided by specific hardware types (e.g.
FRU in a chassis are connected via redundant busses). In general,
a hardware component can be distinguished by its serial number.
Occasionally, hardware components are referred to as power sucking
aliens.
Information Element: A representation of information about physical Information Element: A representation of information about physical
and virtual "objects of interest". and virtual "objects of interest".
Information elements are the building blocks that constitute the Information elements are the building blocks that constitute the
SACM information model. In the context of SACM, an information SACM information model. In the context of SACM, an information
element that expresses a single value with a specific name is element that expresses a single value with a specific name is
referred to as an Attribute (analogous to an attribute-value- referred to as an Attribute (analogous to an attribute-value-
pair). A set of attributes that is bundled into a more complex pair). A set of attributes that is bundled into a more complex
composite information element is referred to as a Subject. Every composite information element is referred to as a Subject. Every
information element in the SACM information model has a unique information element in the SACM information model has a unique
skipping to change at page 10, line 44 skipping to change at page 11, line 37
While there is some overlap with a data model, [RFC3444] While there is some overlap with a data model, [RFC3444]
distinguishes an information model as being protocol and distinguishes an information model as being protocol and
implementation neutral whereas a data model would provide such implementation neutral whereas a data model would provide such
details. The purpose of the SACM information model is to ensure details. The purpose of the SACM information model is to ensure
interoperability between SACM data models (that are used as interoperability between SACM data models (that are used as
transport encoding) and to provide a standardized set of transport encoding) and to provide a standardized set of
information elements for communication between SACM components. information elements for communication between SACM components.
Interaction Model: The definition of specific sequences regarding Interaction Model: The definition of specific sequences regarding
the exchange of messages (data in motion), including, for example, the exchange of messages (data in motion), including, for example,
conditional branching, thresholds and timers. An interaction conditional branching, thresholds and timers.
model, for example, can be used to define operations, such as
registration or discovery, on the control plane. A composition of
data models for data in motion and a corresponding interaction
model is a protocol.
Internal Collector: Internal Collector: a collector that runs on a An interaction model, for example, can be used to define
target endpoint to acquire information from that target endpoint. operations, such as registration or discovery, on the control
plane. A composition of data models for data in motion and a
corresponding interaction model is a protocol.
Management Plane: Is an architectural component providing common Internal Collector: A collector that runs on a target endpoint to
acquire information from that target endpoint.
Management Plane: An architectural component providing common
functions to steer the behavior of SACM components, e.g. their functions to steer the behavior of SACM components, e.g. their
behavior on the control plane. behavior on the control plane.
Prominent examples include: modification of the configuration of a Typically, a SACM component can fulfill its purpose without
SACM component or updating a target endpoint profile that resides continuous input from the management plane. In contrast, without
on an evaluator. In essence, guidance is transported via the continuous availability of control plane functions a typical SACM
management plane. Typically, a SACM component can fulfill its component could not function properly. In general, interaction on
purpose without continuous input from the management plane. In the management plane is less frequent and less regular than on the
contrast, without continuous availability of control plane control plane. Input via the management plane can be manual (e.g.
functions a typical SACM component could not function properly. via a CLI), or can be automated via management plane functions
In general, interaction on the management plane is less frequent that are part of other SACM components.
and less regular than on the control plane. Input via the
management plane can be manual (e.g. via a CLI), or can be Network Address: A layer-specific address that follows a layer-
automated via management plane functions that are part of other specific address scheme.
SACM components.
The following characteristics are a summery derived from the
Common Information Model and ITU-T X.213. Each Network Interface
of a specific layer can be associated with one or more addresses
appropriate for that layer. There is no guarantee that a network
address is globally unique. A dedicated authority entity can
provide a level of assurance that a network address is unique in
its given scope. In essence, there is always a scope to a network
address, in which it is intended to be unique.
Examples include: physical Ethernet port with a MAC address, layer
2 VLAN interface with a MAC address, layer 3 interface with
multiple IPv6 addresses, layer 3 tunnel ingress or egress with an
IPv4 address.
Network Interface: An Endpoint is connected to a network via one or
more Network Interfaces. Network Interfaces can be physical
(Hardware Component) or logical (virtual Hardware component, i.e.
a dedicated Software Component). Network Interfaces of an
Endpoint can operate on different layers, most prominently what is
now commonly called layer 2 and 3. Within a layer, interfaces can
be nested.
In SACM, the association of Endpoints and Network Addresses via
Network Interfaces is vital to maintain interdependent autonomous
processes that can be targeted at Target Endpoints, unambiguously.
Examples include: physical Ethernet port, layer 2 VLAN interface,
a MC-LAG setup, layer 3 Point-to-Point tunnel ingress or egress.
Metadata: Data about data. Metadata: Data about data.
In the SACM information model, data is referred to as Content. In the SACM information model, data is referred to as Content.
Metadata about the content is referred to as Content-Metadata, Metadata about the content is referred to as Content-Metadata,
respectively. Content and Content-Metadata are combined into respectively. Content and Content-Metadata are combined into
Subjects called Content-Elements in the SACM information model. Subjects called Content-Elements in the SACM information model.
Some information elements defined by the SACM information model Some information elements defined by the SACM information model
can be part of the Content or the Content-Metadata. Therefore, if can be part of the Content or the Content-Metadata. Therefore, if
an information element is considered data or data about data an information element is considered data or data about data
depends on which kind of Subject it is associated with. The SACM depends on which kind of Subject it is associated with. The SACM
information model also defines metadata about the data origin via information model also defines metadata about the data origin via
the Subject Statement-Metadata. Typical examples of metadata are the Subject Statement-Metadata. Typical examples of metadata are
time stamps, data origin or data source. time stamps, data origin or data source.
Examples include: physical Ethernet port with a MAC address, layer
2 VLAN interface with a MAC address, layer 3 interface with
multiple IPv6 addresses, layer 3 tunnel ingress or egress with an
IPv4 address.
Posture: Defined in [RFC5209] as "configuration and/or status of Posture: Defined in [RFC5209] as "configuration and/or status of
hardware or software on an endpoint as it pertains to an hardware or software on an endpoint as it pertains to an
organization's security policy." organization's security policy."
This term is used within the scope of SACM to represent the This term is used within the scope of SACM to represent the
configuration and state information that is collected from a configuration and state information that is collected from a
target endpoint in the form of endpoint attributes (e.g. software/ target endpoint in the form of endpoint attributes (e.g. software/
hardware inventory, configuration settings, dynamically assigned hardware inventory, configuration settings, dynamically assigned
addresses). This information may constitute one or more posture addresses). This information may constitute one or more posture
attributes. attributes.
skipping to change at page 13, line 8 skipping to change at page 14, line 27
component contains at least a basic set of control plane functions component contains at least a basic set of control plane functions
and can contain data plane and management plane functions. A SACM and can contain data plane and management plane functions. A SACM
component residing on an endpoint assigns one or more SACM roles component residing on an endpoint assigns one or more SACM roles
to the corresponding endpoint due to the SACM functions it is to the corresponding endpoint due to the SACM functions it is
composed of. A SACM component "resides on" an endpoint and an composed of. A SACM component "resides on" an endpoint and an
endpoint "contains" a SACM component, correspondingly. For endpoint "contains" a SACM component, correspondingly. For
example, a SACM component that is composed solely of functions example, a SACM component that is composed solely of functions
that provide information would only take on the role of a that provide information would only take on the role of a
provider. provider.
SACM Component Discovery: The task of brokering appropriate SACM SACM Component Discovery: The task of discovering the capabilities
components according to their capabilities or roles on request. provided by SACM components within a SACM domain.
Input: Query
Output: a list of SACM components including metadata This is likely to be performed via an appropriate set of control
plane functions.
SACM Component Label: A specific endpoint label that is used to SACM Component Label: A specific endpoint label that is used to
identify a SACM component. identify a SACM component.
In content-metadata, this label is called data origin. In content-metadata, this label is called data origin.
SACM Content: The payload provided by SACM components to the SACM SACM Content: The payload provided by SACM components to the SACM
domain on the data plane. domain on the data plane.
SACM content includes the SACM data models. SACM content includes the SACM data models.
SACM Domain: Endpoints that include a SACM component compose a SACM SACM Domain: Endpoints that include a SACM component compose a SACM
domain. domain.
(To be revised, additional definition content TBD, possible (To be revised, additional definition content TBD, possible
dependencies to SACM architecture) dependencies to SACM architecture)
SACM Function: A behavioral aspect of a SACM component that provides
external SACM Interfaces or internal interfaces to other SACM
Functionse.
For example, a SACM Function with SACM Interfaces on the Control
Plane can provide a brokering function to other SACM Components.
Via Data Plane interfaces, a SACM Function can act as a provider
and/or as a consumer of information. SACM Functions can be
propagated as the Capabilities of a SACM Component and can be
discovered by or negotiated with other SACM Components.
SACM Interface: An interface, as defined in SACM Interface: An interface, as defined in
[I-D.ietf-i2nsf-terminology], that provides SACM-specific [I-D.ietf-i2nsf-terminology], that provides SACM-specific
operations. operations.
[I-D.ietf-i2nsf-terminology] defines interface as a "set of [I-D.ietf-i2nsf-terminology] defines interface as a "set of
operations one object knows it can invoke on, and expose to, operations one object knows it can invoke on, and expose to,
another object," and further defines interface by stating that an another object," and further defines interface by stating that an
interface "decouples the implementation of the operation from its interface "decouples the implementation of the operation from its
specification. An interface is a subset of all operations that a specification. An interface is a subset of all operations that a
given object implements. The same object may have multiple types given object implements. The same object may have multiple types
skipping to change at page 14, line 27 skipping to change at page 16, line 7
the Roles of a Component from the Applications that use that the Roles of a Component from the Applications that use that
Component." Component."
In the context of SACM, SACM roles are associated with SACM In the context of SACM, SACM roles are associated with SACM
components and are defined by the set of functions and interfaces components and are defined by the set of functions and interfaces
a SACM component includes. There are three SACM roles: provider, a SACM component includes. There are three SACM roles: provider,
consumer, and controller. The roles associated with a SACM consumer, and controller. The roles associated with a SACM
component are determined by the purpose of the SACM functions and component are determined by the purpose of the SACM functions and
corresponding SACM interfaces the SACM component is composed of. corresponding SACM interfaces the SACM component is composed of.
SACM Statement: Is SACM component output that represents an SACM Statement: Is an assertion that is made by a SACM Component.
assertion.
Security Automation: The process of which security alerts can be Security Automation: The process of which security alerts can be
automated through the use of different components to monitor, automated through the use of different components to monitor,
analyze and assess endpoints and network traffic for the purposes analyze and assess endpoints and network traffic for the purposes
of detecting misconfigurations, misbehaviors or threats. of detecting misconfigurations, misbehaviors or threats.
Security Automation is intended to identify target endpoints that Security Automation is intended to identify target endpoints that
cannot be trusted (see "trusted" in [RFC4949]. This goal is cannot be trusted (see "trusted" in [RFC4949]. This goal is
achieved by creating and processing evidence (assessment achieved by creating and processing evidence (assessment
statements) that a target endpoint is not a trusted system statements) that a target endpoint is not a trusted system
skipping to change at page 15, line 17 skipping to change at page 16, line 44
State: A volatile set of endpoint attributes of a (target) endpoint State: A volatile set of endpoint attributes of a (target) endpoint
that is affected by a reboot-cycle. that is affected by a reboot-cycle.
Local state is created by the interaction of components with other Local state is created by the interaction of components with other
components via the control plane, via processing data plane components via the control plane, via processing data plane
payload, or via the functional properties of local hardware and payload, or via the functional properties of local hardware and
software components. Dynamic configuration (e.g. IP address software components. Dynamic configuration (e.g. IP address
distributed dynamically via an address distribution and management distributed dynamically via an address distribution and management
services, such as DHCP) is considered state that is the result of services, such as DHCP) is considered state that is the result of
the interaction with another component that provides configuration the interaction with another component (e.g. provided by a DHCP
via the control plane (e.g. provided by a DHCP server with a server with a specific configuration).
specific configuration).
Examples: The static association of an IP address and a MAC Examples: The static association of an IP address and a MAC
address in a DHCP server configuration, a directory-path that address in a DHCP server configuration, a directory-path that
identifies a log-file directory, a registry entry. identifies a log-file directory, a registry entry.
Statement: A statement is a subject defined in the SACM information Statement: A statement is the root/top-level subject defined in the
model. SACM information model.
When a statement is used to provide content to a SACM domain, it A statement is used to bundle Content Elements into one subject
is a top-level subject that bundles Content Elements into one and includes metadata about the data origin.
subject and includes metadata about the data origin.
Subject: A semantic composite information element pertaining to a Subject: A semantic composite information element pertaining to a
system entity that is a target endpoint. system entity that is a target endpoint.
Like Attributes, subjects have a name and are composed of Like Attributes, subjects have a name and are composed of
attributes and/or other subjects. Every IE that is part of a attributes and/or other subjects. Every IE that is part of a
subject can have a quantitiy associated with it (e.g. zero-one, subject can have a quantitiy associated with it (e.g. zero-one,
none-unbounded). The content IE of a subject can be an unordered none-unbounded). The content IE of a subject can be an unordered
or an ordered list. or an ordered list.
skipping to change at page 16, line 31 skipping to change at page 18, line 9
Every endpoint that is not specifically designated as an excluded Every endpoint that is not specifically designated as an excluded
endpoint is a target endpoint. A target endpoint is not part of a endpoint is a target endpoint. A target endpoint is not part of a
SACM domain unless it contains a SACM component (e.g. a SACM SACM domain unless it contains a SACM component (e.g. a SACM
component that publishes collection results coming from an component that publishes collection results coming from an
internal collector). internal collector).
A target endpoint is similar to a device that is a Target of A target endpoint is similar to a device that is a Target of
Evaluation (TOE) as defined in Common Criteria and as referenced Evaluation (TOE) as defined in Common Criteria and as referenced
by {{RFC4949}. by {{RFC4949}.
Target Endpoint Address: An address that is layer specific and which
follows layer specific address schemes.
Each interface of a specific layer can be associated with one or
more addresses appropriate for that layer. There is no guarantee
that an address is globally unique. In general, there is a scope
to an address in which it is intended to be unique.
Examples include: physical Ethernet port with a MAC address, layer
2 VLAN interface with a MAC address, layer 3 interface with
multiple IPv6 addresses, layer 3 tunnel ingress or egress with an
IPv4 address.
Target Endpoint Characterization: The description of the distinctive
nature of a target endpoint, that is based on its characteristics.
Target Endpoint Characterization Record: A set of endpoint Target Endpoint Characterization Record: A set of endpoint
attributes about a target endpoint that was encountered in a SACM attributes about a target endpoint that was encountered in a SACM
domain, which are associated with that target endpoint as a result domain, which are associated with that target endpoint as a result
of a Target Endpoint Characterization Task. of a Target Endpoint Characterization Task.
A characterization record is intended to be a representation of an A characterization record is intended to be a representation of an
endpoint. It cannot be assured that a record distinctly endpoint. It cannot be assured that a record distinctly
represents a single target endpoint unless a set of one or more represents a single target endpoint unless a set of one or more
endpoint attributes that compose a unique set of identifying endpoint attributes that compose a unique set of identifying
endpoint attributes are included in the record. Otherwise, the endpoint attributes are included in the record. Otherwise, the
skipping to change at page 17, line 23 skipping to change at page 19, line 17
corresponding record. The TE characterization task manages the corresponding record. The TE characterization task manages the
representation of encountered target endpoints in the SACM domain representation of encountered target endpoints in the SACM domain
in the form of characterization records. For example, the output in the form of characterization records. For example, the output
of a target endpoint discovery task or a collection task can be of a target endpoint discovery task or a collection task can be
processed by the characterization task and added to the record. processed by the characterization task and added to the record.
The TE characterization Task also manages these representations of The TE characterization Task also manages these representations of
target endpoints encountered in the SACM domain by splitting or target endpoints encountered in the SACM domain by splitting or
merging the corresponding records as new or more refined endpoint merging the corresponding records as new or more refined endpoint
attributes become available. attributes become available.
Input: discovered target endpoint attributes, endpoint attribute
collection, existing characterization records
Output: target endpoint characterization records
Target Endpoint Classification Task: The task of associating a class Target Endpoint Classification Task: The task of associating a class
from an extensible list of classes with an endpoint from an extensible list of classes with an endpoint
characterization record. TE classes function as imperative and characterization record. TE classes function as imperative and
declarative guidance for collection, evaluation, remediation and declarative guidance for collection, evaluation, remediation and
security posture assessment in general. security posture assessment in general.
Input: endpoint characterization records (without classification),
guidance (how to classify a record)
Output: endpoint characterization records (with classification)
Target Endpoint Discovery Task: The ongoing task of detecting Target Endpoint Discovery Task: The ongoing task of detecting
previously unknown interaction of a potential target endpoint in previously unknown interaction of a potential target endpoint in
the SACM domain. TE Discovery is not directly targeted at a the SACM domain. TE Discovery is not directly targeted at a
specific target endpoint and therefore an un-targeted task. SACM specific target endpoint and therefore an un-targeted task. SACM
Components conducting the discovery task as a part of their Components conducting the discovery task as a part of their
function are typically distributed and located, for example, on function are typically distributed and located, for example, on
infrastructure components or collect from those remotely via infrastructure components or collect from those remotely via
appropriate interfaces. Examples of infrastructure components appropriate interfaces. Examples of infrastructure components
that are of interest to the discovery task include routers, that are of interest to the discovery task include routers,
switches, VM hosting or VM managing components, AAA servers, or switches, VM hosting or VM managing components, AAA servers, or
servers handling dynamic address distribution. servers handling dynamic address distribution.
Input: endpoint attributes acquired via local or remote interfaces
Output: endpoint attributes including metadata such as data source
or data origin
Target Endpoint Identifier: The target endpoint discovery task and Target Endpoint Identifier: The target endpoint discovery task and
the collection tasks can result in a set of identifying endpoint the collection tasks can result in a set of identifying endpoint
attributes added to a corresponding Characterization Record. This attributes added to a corresponding Characterization Record. This
subset of the endpoint attributes included in the record is used subset of the endpoint attributes included in the record is used
as a target endpoint identifier, by which a specific target as a target endpoint identifier, by which a specific target
endpoint can be referenced. Depending on the available endpoint can be referenced. Depending on the available
identifying attributes, this reference can be ambiguous and is a identifying attributes, this reference can be ambiguous and is a
"best-effort" mechanism. Every distinct set of identifying "best-effort" mechanism. Every distinct set of identifying
endpoint attributes can be associated with a target endpoint label endpoint attributes can be associated with a target endpoint label
that is unique in a SACM domain. that is unique in a SACM domain.
Target Endpoint Label: A specific endpoint label that refers to a Target Endpoint Label: An endpoint label that identifies a specific
target endpoint identifier used to identify a specific target target endpoint.
endpoint (also referred to as TE label). In content-metadata,
this label is called data source.
Target Endpoint Profile: A bundle of expected or desired component Target Endpoint Profile: A bundle of expected or desired component
composition, configurations and states that is associated with a composition, configurations and states that is associated with a
target endpoint. target endpoint.
The corresponding task by which the association with a target The corresponding task by which the association with a target
endpoint takes places is the endpoint classification task. The endpoint takes places is the endpoint classification task. The
task by which an endpoint profile is created is the endpoint task by which an endpoint profile is created is the endpoint
characterization task. A type or class of target endpoints can be characterization task. A type or class of target endpoints can be
defined via a target endpoint profile. Examples include: defined via a target endpoint profile. Examples include:
skipping to change at page 19, line 28 skipping to change at page 21, line 5
SACM Component Authentication [TBD] SACM Component Authentication [TBD]
SACM Component Authorization [TBD] SACM Component Authorization [TBD]
SACM Component Registration [TBD] SACM Component Registration [TBD]
Timestamps : Defined in [RFC4949] as "with respect to a data object, Timestamps : Defined in [RFC4949] as "with respect to a data object,
a label or marking in which is recorded the time (time of day or a label or marking in which is recorded the time (time of day or
other instant of elapsed time) at which the label or marking was other instant of elapsed time) at which the label or marking was
affixed to the data object" and as "with respect to a recorded affixed to the data object".
network event, a data field in which is recorded the time (time of
day or other instant of elapsed time) at which the event took
place.".
This term is used in SACM to describe a recorded point in time at A timestamp always requires context, i.e. additional information
which, for example, an information element is created or updated elements that are associated with it. Therefore, all timestamps
on a target endpoint, and observed, transmitted or processed by a wrt information elements are always metadata. Timestamps in SACM
SACM component. Timestamps can be created by target endpoints or Content Elements may be generated outside a SACM Domain and may be
SACM components and are associated with SACM statements provided encoded in an unknown representation. Inside a SACM domain the
or consumed by SACM components. Outside of the domain of SACM representation of timestamps is well-defined and unambiguous.
components the assurance of correctness of time stamps is
typically significantly lower than inside a SACM domain. In
general, it cannot be simply assumed that the source of time a
target endpoint uses is synchronized or trustworthy.
Virtual Component: A target endpoint can be composed entirely of Virtual Endpoint: An endpoint composed entirely of logical system
logical system entities (see [RFC4949]. components (see [RFC4949]).
The most common example is a virtual machine/host running on a The most common example is a virtual machine/host running on a
target endpoint. target endpoint. Effectively, target endpoints can be nested and
at the time of this writing the most common example of target
Effectively, target endpoints can be nested and at the time of endpoint characteristics about virtual components is the
this writing the most common example of target endpoint EntLogicalEntry in [RFC6933].
characteristics about virtual components is the EntLogicalEntry in
[RFC6933].
Vulnerability Assessment: An assessment specifically tailored to Vulnerability Assessment: An assessment specifically tailored to
determining whether a set of endpoints is vulnerable according to determining whether a set of endpoints is vulnerable according to
the information contained in the vulnerability description the information contained in the vulnerability description
information. information.
Vulnerability Description Information: Information pertaining to the Vulnerability Description Information: Information pertaining to the
existence of a flaw or flaws in software, hardware, and/or existence of a flaw or flaws in software, hardware, and/or
firmware, which could potentially have an adverse impact on firmware, which could potentially have an adverse impact on
enterprise IT functionality and/or security. enterprise IT functionality and/or security.
skipping to change at page 26, line 24 skipping to change at page 28, line 21
[RFC6933] Bierman, A., Romascanu, D., Quittek, J., and M. [RFC6933] Bierman, A., Romascanu, D., Quittek, J., and M.
Chandramouli, "Entity MIB (Version 4)", RFC 6933, Chandramouli, "Entity MIB (Version 4)", RFC 6933,
DOI 10.17487/RFC6933, May 2013, DOI 10.17487/RFC6933, May 2013,
<https://www.rfc-editor.org/info/rfc6933>. <https://www.rfc-editor.org/info/rfc6933>.
8.2. Informative References 8.2. Informative References
[I-D.ietf-i2nsf-terminology] [I-D.ietf-i2nsf-terminology]
Hares, S., Strassner, J., Lopez, D., Xia, L., and H. Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
Birkholz, "Interface to Network Security Functions (I2NSF) Birkholz, "Interface to Network Security Functions (I2NSF)
Terminology", draft-ietf-i2nsf-terminology-04 (work in Terminology", draft-ietf-i2nsf-terminology-05 (work in
progress), July 2017. progress), January 2018.
[I-D.ietf-netmod-entity] [I-D.ietf-netmod-entity]
Bierman, A., Bjorklund, M., Dong, J., and D. Romascanu, "A Bierman, A., Bjorklund, M., Dong, J., and D. Romascanu, "A
YANG Data Model for Hardware Management", draft-ietf- YANG Data Model for Hardware Management", draft-ietf-
netmod-entity-05 (work in progress), October 2017. netmod-entity-08 (work in progress), January 2018.
[I-D.ietf-sacm-vuln-scenario] [I-D.ietf-sacm-vuln-scenario]
Coffin, C., Cheikes, B., Schmidt, C., Haynes, D., Coffin, C., Cheikes, B., Schmidt, C., Haynes, D.,
Fitzgerald-McKay, J., and D. Waltermire, "SACM Fitzgerald-McKay, J., and D. Waltermire, "SACM
Vulnerability Assessment Scenario", draft-ietf-sacm-vuln- Vulnerability Assessment Scenario", draft-ietf-sacm-vuln-
scenario-02 (work in progress), September 2016. scenario-02 (work in progress), September 2016.
[RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between
Information Models and Data Models", RFC 3444, Information Models and Data Models", RFC 3444,
DOI 10.17487/RFC3444, January 2003, DOI 10.17487/RFC3444, January 2003,
 End of changes. 38 change blocks. 
115 lines changed or deleted 180 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/