Security Automation and Continuous Monitoring M. Cokus
Internet-Draft D. Haynes
Intended status: Informational D. Rothenberg
Expires: September 8, 2016 The MITRE Corporation
J. Gonzalez
Department of Homeland Security
March 7, 2016
OVAL(R) Variables Model
draft-haynes-sacm-oval-variables-model-00
Abstract
This document specifies Version 5.11.1 of the OVAL Variables Model
which contains constructs that allow for the specification of values
for external_variables defined in content that was created using the
OVAL Definitions Model. The OVAL Variables Model serves as a useful
mechanism for parameterizing content based on the OVAL Definitions
Model.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 8, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Cokus, et al. Expires September 8, 2016 [Page 1]
Internet-Draft OVAL Variables Model March 2016
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. oval_variables . . . . . . . . . . . . . . . . . . . . . . . 3
3. VariablesType . . . . . . . . . . . . . . . . . . . . . . . . 3
4. VariableType . . . . . . . . . . . . . . . . . . . . . . . . 4
5. OVAL Variables Model Schema . . . . . . . . . . . . . . . . . 4
6. Intellectual Property Considerations . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
9. Security Considerations . . . . . . . . . . . . . . . . . . . 9
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
10.1. Normative References . . . . . . . . . . . . . . . . . . 9
10.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
The Open Vulnerability and Assessment Language (OVAL) [OVAL-WEBSITE]
is an international, information security community effort to
standardize how to assess and report upon the machine state of
systems. For over ten years, OVAL has been developed in
collaboration with any and all interested parties to promote open and
publicly available security content and to standardize the
representation of this information across the entire spectrum of
security tools and services.
OVAL provides an established framework for making assertions about an
system's state by standardizing the three main steps of the
assessment process: representing the current machine state; analyzing
the system for the presence of the specified machine state; and
representing the results of the assessment which facilitates
collaboration and information sharing among the information security
community and interoperability among tools.
This draft is part of the OVAL contribution to the IETF SACM WG that
standardizes the representation used to analyze a system for the
presence of a specific machine state. It is intended to serve as a
starting point for the endpoint posture assessment data modeling
needs of SACM specifically for creating parameterized Collection and
Evaluation Guidance.
Cokus, et al. Expires September 8, 2016 [Page 2]
Internet-Draft OVAL Variables Model March 2016
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. oval_variables
The oval_variables type defines the base structure in the OVAL
Variables Model for representing a collection of OVAL Variables and
their associated values. This container type adds metadata about the
origin of the content and allows for a signature.
+-----------+--------------------+-------+--------------------------+
| Property | Type | Count | Description |
+-----------+--------------------+-------+--------------------------+
| generator | oval:GeneratorType | 1 | Information regarding |
| | | | the generation of the |
| | | | OVAL Variables content. |
| | | | The timestamp property |
| | | | of the generator MUST |
| | | | represent the time at |
| | | | which the oval_variables |
| | | | was created. |
| | | | |
| variables | VariablesType | 1 | The variables defined in |
| | | | the OVAL Variables |
| | | | content. |
| | | | |
| signature | ext:Signature | 0..1 | Mechanism to ensure the |
| | | | integrity and |
| | | | authenticity of the OVAL |
| | | | Variables content. |
+-----------+--------------------+-------+--------------------------+
Table 1: oval_variables Construct
3. VariablesType
The VariablesType provides a container for one or more OVAL
Variables.
Cokus, et al. Expires September 8, 2016 [Page 3]
Internet-Draft OVAL Variables Model March 2016
+----------+--------------+-------+---------------------------------+
| Property | Type | Count | Description |
+----------+--------------+-------+---------------------------------+
| variable | VariableType | 1..* | A collection of OVAL Variables. |
+----------+--------------+-------+---------------------------------+
Table 2: VariablesType Construct
4. VariableType
The VariableType defines a variable in the OVAL Variables Model that
corresponds to an instance of an external variable in content based
on the OVAL Definitions Model.
+----------+--------------------------------+-------+---------------+
| Property | Type | Count | Description |
+----------+--------------------------------+-------+---------------+
| id | oval:VariableIDPattern | 1 | The globally |
| | | | unique |
| | | | identifier of |
| | | | an external |
| | | | variable. |
| | | | |
| datatype | oval:SimpleDatatypeEnumeration | 1 | The datatype |
| | | | of the |
| | | | value(s) in |
| | | | the variable. |
| | | | |
| comment | string | 1 | The |
| | | | documentation |
| | | | associated |
| | | | with the |
| | | | variable |
| | | | instance. |
| | | | |
| value | string | 1..* | The value(s) |
| | | | associated |
| | | | with the |
| | | | variable. |
+----------+--------------------------------+-------+---------------+
Table 3: VariableType Construct
5. OVAL Variables Model Schema
The XML Schema that implements this OVAL Variables Model can be found
below.
Cokus, et al. Expires September 8, 2016 [Page 4]
Internet-Draft OVAL Variables Model March 2016
The following is a
description of the elements, types, and
attributes that compose the core schema for
encoding Open Vulnerability and Assessment
Language (OVAL) Variables. This schema is
provided to give structure to any external
variables and their values that an OVAL
Definition is expecting.
Core Variable
5.11.1
4/22/2015 09:00:00 AM
Copyright (C) 2010 United States Government.
All Rights Reserved.
The oval_variables
element is the root of an OVAL Variable
Document. Its purpose is to bind together
the different variables contained in the
document. The generator section must be
Cokus, et al. Expires September 8, 2016 [Page 5]
Internet-Draft OVAL Variables Model March 2016
present and provides information about
when the variable file was compiled and
under what version. The optional Signature
element allows an XML Signature as defined
by the W3C to be attached to the document.
This allows authentication and data
integrity to be provided to the user.
Enveloped signatures are supported. More
information about the official W3C
Recommendation regarding XML digital
signatures can be found at
http://www.w3.org/TR/xmldsig-core/.
Enforce uniqueness
amongst the variable ids found in the
variable document.
The VariablesType complex
Cokus, et al. Expires September 8, 2016 [Page 6]
Internet-Draft OVAL Variables Model March 2016
type is a container for one or more
variable elements. Each variable element
holds the value of an external variable
used in an OVAL Definition. Please refer
to the description of the VariableType for
more information about an individual
variable.
Each variable element
contains the associated datatype and value
which will be substituted into the OVAL
Definition that is referencing this
specific variable.
The notes section of a
variable should be used to hold
information that might be helpful to
someone examining the technical aspects of
the variable. Please refer to the
description of the NotesType complex type
for more information about the notes
element.
Note that the 'record'
datatype is not permitted on
variables.
Cokus, et al. Expires September 8, 2016 [Page 7]
Internet-Draft OVAL Variables Model March 2016
6. Intellectual Property Considerations
Copyright (C) 2010 United States Government. All Rights Reserved.
DHS, on behalf of the United States, owns the registered OVAL
trademarks, identifying the OVAL STANDARDS SUITE and any component
part, as that suite has been provided to the IETF Trust. A "(R)"
will be used in conjunction with the first use of any OVAL trademark
in any document or publication in recognition of DHS's trademark
ownership.
7. Acknowledgements
The authors wish to thank DHS for sponsoring the OVAL effort over the
years which has made this work possible. The authors also wish to
thank the original authors of this document Jonathan Baker, Matthew
Hansbury, and Daniel Haynes of the MITRE Corporation as well as the
OVAL Community for its assistance in contributing and reviewing the
original document. The authors would also like to acknowledge Dave
Waltermire of NIST for his contribution to the development of the
original document.
8. IANA Considerations
This memo includes no request to IANA.
Cokus, et al. Expires September 8, 2016 [Page 8]
Internet-Draft OVAL Variables Model March 2016
9. Security Considerations
While OVAL is just a set of data models and does not directly
introduce security concerns, it does provide a mechanism by which to
represent endpoint posture assessment information. This information
could be extremely valuable to an attacker allowing them to learn
about very sensitive information including, but, not limited to:
security policies, systems on the network, criticality of systems,
software and hardware inventory, patch levels, user accounts and much
more. To address this concern, all endpoint posture assessment
information should be protected while in transit and at rest.
Furthermore, it should only be shared with parties that are
authorized to receive it.
Another possible security concern is due to the fact that content
expressed as OVAL has the ability to impact how a security tool
operates. For example, content may instruct a tool to collect
certain information off a system or may be used to drive follow-up
actions like remediation. As a result, it is important for security
tools to ensure that they are obtaining OVAL content from a trusted
source, that it has not been modified in transit, and that proper
validation is performed in order to ensure it does not contain
malicious data.
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
10.2. Informative References
[OVAL-WEBSITE]
The MITRE Corporation, "The Open Vulnerability and
Assessment Language", 2015,
.
Authors' Addresses
Cokus, et al. Expires September 8, 2016 [Page 9]
Internet-Draft OVAL Variables Model March 2016
Michael Cokus
The MITRE Corporation
903 Enterprise Parkway, Suite 200
Hampton, VA 23666
USA
Email: msc@mitre.org
Daniel Haynes
The MITRE Corporation
202 Burlington Road
Bedford, MA 01730
USA
Email: dhaynes@mitre.org
David Rothenberg
The MITRE Corporation
202 Burlington Road
Bedford, MA 01730
USA
Email: drothenberg@mitre.org
Juan Gonzalez
Department of Homeland Security
245 Murray Lane
Washington, DC 20548
USA
Email: juan.gonzalez@dhs.gov
Cokus, et al. Expires September 8, 2016 [Page 10]