SACM D. Waltermire, Ed. Internet-Draft NIST Intended status: Standards Track K. Watson Expires: October 29, 2017 DHS C. Kahn L. Lorenzin Pulse Secure, LLC M. Cokus D. Haynes The MITRE Corporation H. Birkholz Fraunhofer SIT April 27, 2017 SACM Information Model draft-ietf-sacm-information-model-10 Abstract This document defines the Information Elements that are transported between SACM components and their interconnected relationships. The primary purpose of the Secure Automation and Continuous Monitoring (SACM) Information Model is to ensure the interoperability of corresponding SACM data models and addresses the use cases defined by SACM. The Information Elements and corresponding types are maintained as the IANA "SACM Information Elements" registry. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on October 29, 2017. Waltermire, et al. Expires October 29, 2017 [Page 1] Internet-Draft SACM Information Model April 2017 Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 12 2. Conventions used in this document . . . . . . . . . . . . . . 13 2.1. Requirements Language . . . . . . . . . . . . . . . . . . 13 2.2. Information Element Examples . . . . . . . . . . . . . . 13 3. Information Elements . . . . . . . . . . . . . . . . . . . . 13 3.1. Context of Information Elements . . . . . . . . . . . . . 14 3.2. Extensibility of Information Elements . . . . . . . . . . 14 4. Structure of Information Elements . . . . . . . . . . . . . . 14 4.1. Information Element Naming Convention . . . . . . . . . . 17 4.2. SACM Content Elements . . . . . . . . . . . . . . . . . . 18 4.3. SACM Statements . . . . . . . . . . . . . . . . . . . . . 18 4.4. Relationships . . . . . . . . . . . . . . . . . . . . . . 20 4.5. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 22 4.6. Categories . . . . . . . . . . . . . . . . . . . . . . . 23 5. Abstract Data Types . . . . . . . . . . . . . . . . . . . . . 23 5.1. Simple Datatypes . . . . . . . . . . . . . . . . . . . . 23 5.1.1. IPFIX Datatypes . . . . . . . . . . . . . . . . . . . 23 5.2. Structured Datatypes . . . . . . . . . . . . . . . . . . 24 5.2.1. List Datatypes . . . . . . . . . . . . . . . . . . . 24 5.2.2. Enumeration Datatype . . . . . . . . . . . . . . . . 25 5.2.3. Category Datatype . . . . . . . . . . . . . . . . . . 26 6. Information Model Assets . . . . . . . . . . . . . . . . . . 26 6.1. Asset . . . . . . . . . . . . . . . . . . . . . . . . . . 27 6.2. Endpoint . . . . . . . . . . . . . . . . . . . . . . . . 28 6.3. Hardware Component . . . . . . . . . . . . . . . . . . . 28 6.4. Software Component . . . . . . . . . . . . . . . . . . . 29 6.4.1. Software Instance . . . . . . . . . . . . . . . . . . 29 6.5. Identity . . . . . . . . . . . . . . . . . . . . . . . . 29 6.6. Guidance . . . . . . . . . . . . . . . . . . . . . . . . 29 6.6.1. Collection Guidance . . . . . . . . . . . . . . . . . 30 6.6.2. Evaluation Guidance . . . . . . . . . . . . . . . . . 30 Waltermire, et al. Expires October 29, 2017 [Page 2] Internet-Draft SACM Information Model April 2017 6.6.3. Classification Guidance . . . . . . . . . . . . . . . 31 6.6.4. Storage Guidance . . . . . . . . . . . . . . . . . . 31 6.6.5. Evaluation Results . . . . . . . . . . . . . . . . . 31 7. Information Model Elements . . . . . . . . . . . . . . . . . 32 7.1. sacmStatement . . . . . . . . . . . . . . . . . . . . . . 32 7.2. sacmStatementMetadata . . . . . . . . . . . . . . . . . . 32 7.3. sacmContentElement . . . . . . . . . . . . . . . . . . . 32 7.4. sacmContentElementMetadata . . . . . . . . . . . . . . . 33 7.5. targetEndpoint . . . . . . . . . . . . . . . . . . . . . 33 7.6. targetEndpointIdentifier . . . . . . . . . . . . . . . . 33 7.7. targetEndpointLabel . . . . . . . . . . . . . . . . . . . 33 7.8. anyIE . . . . . . . . . . . . . . . . . . . . . . . . . . 34 7.9. accessPrivilegeType . . . . . . . . . . . . . . . . . . . 34 7.10. accountName . . . . . . . . . . . . . . . . . . . . . . . 34 7.11. administrativeDomainType . . . . . . . . . . . . . . . . 34 7.12. addressAssociationType . . . . . . . . . . . . . . . . . 34 7.13. addressMaskValue . . . . . . . . . . . . . . . . . . . . 35 7.14. addressType . . . . . . . . . . . . . . . . . . . . . . . 35 7.15. addressValue . . . . . . . . . . . . . . . . . . . . . . 35 7.16. applicationComponent . . . . . . . . . . . . . . . . . . 35 7.17. applicationLabel . . . . . . . . . . . . . . . . . . . . 36 7.18. applicationType . . . . . . . . . . . . . . . . . . . . . 36 7.19. applicationManufacturer . . . . . . . . . . . . . . . . . 36 7.20. authenticator . . . . . . . . . . . . . . . . . . . . . . 36 7.21. authenticationType . . . . . . . . . . . . . . . . . . . 36 7.22. birthdate . . . . . . . . . . . . . . . . . . . . . . . . 37 7.23. bytesReceived . . . . . . . . . . . . . . . . . . . . . . 37 7.24. bytesReceived . . . . . . . . . . . . . . . . . . . . . . 37 7.25. bytesSent . . . . . . . . . . . . . . . . . . . . . . . . 37 7.26. certificate . . . . . . . . . . . . . . . . . . . . . . . 38 7.27. collectionTaskType . . . . . . . . . . . . . . . . . . . 38 7.28. confidence . . . . . . . . . . . . . . . . . . . . . . . 38 7.29. contentAction . . . . . . . . . . . . . . . . . . . . . . 38 7.30. countryCode . . . . . . . . . . . . . . . . . . . . . . . 38 7.31. dataOrigin . . . . . . . . . . . . . . . . . . . . . . . 39 7.32. dataSource . . . . . . . . . . . . . . . . . . . . . . . 39 7.33. default-depth . . . . . . . . . . . . . . . . . . . . . . 39 7.34. discoverer . . . . . . . . . . . . . . . . . . . . . . . 39 7.35. emailAddress . . . . . . . . . . . . . . . . . . . . . . 40 7.36. eventType . . . . . . . . . . . . . . . . . . . . . . . . 40 7.37. eventThreshold . . . . . . . . . . . . . . . . . . . . . 40 7.38. eventThresholdName . . . . . . . . . . . . . . . . . . . 40 7.39. eventTrigger . . . . . . . . . . . . . . . . . . . . . . 40 7.40. firmwareId . . . . . . . . . . . . . . . . . . . . . . . 41 7.41. hostName . . . . . . . . . . . . . . . . . . . . . . . . 41 7.42. interfaceLabel . . . . . . . . . . . . . . . . . . . . . 41 7.43. ipv6AddressSubnetMask . . . . . . . . . . . . . . . . . . 41 7.44. ipv6AddressSubnetMaskCidrNotation . . . . . . . . . . . . 41 Waltermire, et al. Expires October 29, 2017 [Page 3] Internet-Draft SACM Information Model April 2017 7.45. ipv6AddressValue . . . . . . . . . . . . . . . . . . . . 42 7.46. ipv4AddressSubnetMask . . . . . . . . . . . . . . . . . . 42 7.47. ipv4AddressSubnetMaskCidrNotation . . . . . . . . . . . . 42 7.48. ipv4AddressValue . . . . . . . . . . . . . . . . . . . . 42 7.49. layer2InterfaceType . . . . . . . . . . . . . . . . . . . 42 7.50. layer4PortAddress . . . . . . . . . . . . . . . . . . . . 42 7.51. layer4Protocol . . . . . . . . . . . . . . . . . . . . . 43 7.52. locationName . . . . . . . . . . . . . . . . . . . . . . 43 7.53. networkZoneLocation . . . . . . . . . . . . . . . . . . . 43 7.54. layer2NetworkLocation . . . . . . . . . . . . . . . . . . 43 7.55. layer3NetworkLocation . . . . . . . . . . . . . . . . . . 44 7.56. macAddressValue . . . . . . . . . . . . . . . . . . . . . 44 7.57. methodLabel . . . . . . . . . . . . . . . . . . . . . . . 44 7.58. methodRepository . . . . . . . . . . . . . . . . . . . . 44 7.59. networkAccessLevelType . . . . . . . . . . . . . . . . . 44 7.60. networkId . . . . . . . . . . . . . . . . . . . . . . . . 45 7.61. networkInterfaceName . . . . . . . . . . . . . . . . . . 45 7.62. networkLayer . . . . . . . . . . . . . . . . . . . . . . 45 7.63. networkName . . . . . . . . . . . . . . . . . . . . . . . 45 7.64. organizationId . . . . . . . . . . . . . . . . . . . . . 45 7.65. patchId . . . . . . . . . . . . . . . . . . . . . . . . . 46 7.66. patchName . . . . . . . . . . . . . . . . . . . . . . . . 46 7.67. personFirstName . . . . . . . . . . . . . . . . . . . . . 46 7.68. personLastName . . . . . . . . . . . . . . . . . . . . . 46 7.69. personMiddleName . . . . . . . . . . . . . . . . . . . . 46 7.70. phoneNumber . . . . . . . . . . . . . . . . . . . . . . . 46 7.71. phoneNumberType . . . . . . . . . . . . . . . . . . . . . 47 7.72. privilegeName . . . . . . . . . . . . . . . . . . . . . . 47 7.73. privilegeValue . . . . . . . . . . . . . . . . . . . . . 47 7.74. protocol . . . . . . . . . . . . . . . . . . . . . . . . 47 7.75. publicKey . . . . . . . . . . . . . . . . . . . . . . . . 48 7.76. relationshipContentElementGuid . . . . . . . . . . . . . 48 7.77. relationshipStatementElementGuid . . . . . . . . . . . . 48 7.78. relationshipObjectLabel . . . . . . . . . . . . . . . . . 48 7.79. relationshipType . . . . . . . . . . . . . . . . . . . . 48 7.80. roleName . . . . . . . . . . . . . . . . . . . . . . . . 49 7.81. sessionStateType . . . . . . . . . . . . . . . . . . . . 49 7.82. statementGuid . . . . . . . . . . . . . . . . . . . . . . 49 7.83. statementType . . . . . . . . . . . . . . . . . . . . . . 49 7.84. status . . . . . . . . . . . . . . . . . . . . . . . . . 50 7.85. subAdministrativeDomain . . . . . . . . . . . . . . . . . 50 7.86. subInterfaceLabel . . . . . . . . . . . . . . . . . . . . 50 7.87. superAdministrativeDomain . . . . . . . . . . . . . . . . 50 7.88. superInterfaceLabel . . . . . . . . . . . . . . . . . . . 51 7.89. teAssessmentState . . . . . . . . . . . . . . . . . . . . 51 7.90. teLabel . . . . . . . . . . . . . . . . . . . . . . . . . 51 7.91. teId . . . . . . . . . . . . . . . . . . . . . . . . . . 51 7.92. timestampType . . . . . . . . . . . . . . . . . . . . . . 51 Waltermire, et al. Expires October 29, 2017 [Page 4] Internet-Draft SACM Information Model April 2017 7.93. unitsReceived . . . . . . . . . . . . . . . . . . . . . . 52 7.94. unitsSent . . . . . . . . . . . . . . . . . . . . . . . . 52 7.95. userDirectory . . . . . . . . . . . . . . . . . . . . . . 52 7.96. sacmUserId . . . . . . . . . . . . . . . . . . . . . . . 52 7.97. webSite . . . . . . . . . . . . . . . . . . . . . . . . . 53 7.98. WGS84Longitude . . . . . . . . . . . . . . . . . . . . . 53 7.99. WGS84Latitude . . . . . . . . . . . . . . . . . . . . . . 53 7.100. WGS84Altitude . . . . . . . . . . . . . . . . . . . . . 53 7.101. hardwareSerialNumber . . . . . . . . . . . . . . . . . . 53 7.102. interfaceName . . . . . . . . . . . . . . . . . . . . . 54 7.103. interfaceIndex . . . . . . . . . . . . . . . . . . . . . 54 7.104. interfaceMacAddress . . . . . . . . . . . . . . . . . . 54 7.105. interfaceType . . . . . . . . . . . . . . . . . . . . . 54 7.106. interfaceFlags . . . . . . . . . . . . . . . . . . . . . 54 7.107. networkInterface . . . . . . . . . . . . . . . . . . . . 55 7.108. softwareIdentifier . . . . . . . . . . . . . . . . . . . 55 7.109. softwareTitle . . . . . . . . . . . . . . . . . . . . . 55 7.110. softwareCreator . . . . . . . . . . . . . . . . . . . . 56 7.111. simpleSoftwareVersion . . . . . . . . . . . . . . . . . 56 7.112. rpmSoftwareVersion . . . . . . . . . . . . . . . . . . . 56 7.113. ciscoTrainSoftwareVersion . . . . . . . . . . . . . . . 56 7.114. softwareVersion . . . . . . . . . . . . . . . . . . . . 56 7.115. softwareLastUpdated . . . . . . . . . . . . . . . . . . 57 7.116. softwareClass . . . . . . . . . . . . . . . . . . . . . 57 7.117. softwareInstance . . . . . . . . . . . . . . . . . . . . 58 7.118. globallyUniqueIdentifier . . . . . . . . . . . . . . . . 59 7.119. creationTimestamp . . . . . . . . . . . . . . . . . . . 59 7.120. collectionTimestamp . . . . . . . . . . . . . . . . . . 59 7.121. publicationTimestamp . . . . . . . . . . . . . . . . . . 59 7.122. relayTimestamp . . . . . . . . . . . . . . . . . . . . . 59 7.123. storageTimestamp . . . . . . . . . . . . . . . . . . . . 60 7.124. type . . . . . . . . . . . . . . . . . . . . . . . . . . 60 7.125. protocolIdentifier . . . . . . . . . . . . . . . . . . . 60 7.126. sourceTransportPort . . . . . . . . . . . . . . . . . . 60 7.127. sourceIPv4PrefixLength . . . . . . . . . . . . . . . . . 61 7.128. ingressInterface . . . . . . . . . . . . . . . . . . . . 61 7.129. destinationTransportPort . . . . . . . . . . . . . . . . 61 7.130. sourceIPv6PrefixLength . . . . . . . . . . . . . . . . . 61 7.131. sourceIPv4Prefix . . . . . . . . . . . . . . . . . . . . 62 7.132. destinationIPv4Prefix . . . . . . . . . . . . . . . . . 62 7.133. sourceMacAddress . . . . . . . . . . . . . . . . . . . . 62 7.134. ipVersion . . . . . . . . . . . . . . . . . . . . . . . 62 7.135. interfaceDescription . . . . . . . . . . . . . . . . . . 62 7.136. applicationDescription . . . . . . . . . . . . . . . . . 62 7.137. applicationId . . . . . . . . . . . . . . . . . . . . . 63 7.138. applicationName . . . . . . . . . . . . . . . . . . . . 63 7.139. exporterIPv4Address . . . . . . . . . . . . . . . . . . 63 7.140. exporterIPv6Address . . . . . . . . . . . . . . . . . . 63 Waltermire, et al. Expires October 29, 2017 [Page 5] Internet-Draft SACM Information Model April 2017 7.141. portId . . . . . . . . . . . . . . . . . . . . . . . . . 63 7.142. templateId . . . . . . . . . . . . . . . . . . . . . . . 64 7.143. collectorIPv4Address . . . . . . . . . . . . . . . . . . 64 7.144. collectorIPv6Address . . . . . . . . . . . . . . . . . . 64 7.145. informationElementIndex . . . . . . . . . . . . . . . . 65 7.146. informationElementId . . . . . . . . . . . . . . . . . . 65 7.147. informationElementDataType . . . . . . . . . . . . . . . 65 7.148. informationElementDescription . . . . . . . . . . . . . 65 7.149. informationElementName . . . . . . . . . . . . . . . . . 66 7.150. informationElementRangeBegin . . . . . . . . . . . . . . 66 7.151. informationElementRangeEnd . . . . . . . . . . . . . . . 66 7.152. informationElementSemantics . . . . . . . . . . . . . . 67 7.153. informationElementUnits . . . . . . . . . . . . . . . . 67 7.154. applicationCategoryName . . . . . . . . . . . . . . . . 68 7.155. mibObjectValueInteger . . . . . . . . . . . . . . . . . 68 7.156. mibObjectValueOctetString . . . . . . . . . . . . . . . 69 7.157. mibObjectValueOID . . . . . . . . . . . . . . . . . . . 69 7.158. mibObjectValueBits . . . . . . . . . . . . . . . . . . . 69 7.159. mibObjectValueIPAddress . . . . . . . . . . . . . . . . 70 7.160. mibObjectValueCounter . . . . . . . . . . . . . . . . . 70 7.161. mibObjectValueGauge . . . . . . . . . . . . . . . . . . 71 7.162. mibObjectValueTimeTicks . . . . . . . . . . . . . . . . 71 7.163. mibObjectValueUnsigned . . . . . . . . . . . . . . . . . 72 7.164. mibObjectValueTable . . . . . . . . . . . . . . . . . . 72 7.165. mibObjectValueRow . . . . . . . . . . . . . . . . . . . 72 7.166. mibObjectIdentifier . . . . . . . . . . . . . . . . . . 73 7.167. mibSubIdentifier . . . . . . . . . . . . . . . . . . . . 73 7.168. mibIndexIndicator . . . . . . . . . . . . . . . . . . . 73 7.169. mibCaptureTimeSemantics . . . . . . . . . . . . . . . . 74 7.170. mibContextEngineID . . . . . . . . . . . . . . . . . . . 75 7.171. mibContextName . . . . . . . . . . . . . . . . . . . . . 76 7.172. mibObjectName . . . . . . . . . . . . . . . . . . . . . 76 7.173. mibObjectDescription . . . . . . . . . . . . . . . . . . 76 7.174. mibObjectSyntax . . . . . . . . . . . . . . . . . . . . 76 7.175. mibModuleName . . . . . . . . . . . . . . . . . . . . . 76 7.176. interface . . . . . . . . . . . . . . . . . . . . . . . 77 7.177. iflisteners . . . . . . . . . . . . . . . . . . . . . . 77 7.178. physicalProtocol . . . . . . . . . . . . . . . . . . . . 77 7.179. hwAddress . . . . . . . . . . . . . . . . . . . . . . . 78 7.180. programName . . . . . . . . . . . . . . . . . . . . . . 79 7.181. userId . . . . . . . . . . . . . . . . . . . . . . . . . 79 7.182. inetlisteningserver . . . . . . . . . . . . . . . . . . 79 7.183. transportProtocol . . . . . . . . . . . . . . . . . . . 79 7.184. localAddress . . . . . . . . . . . . . . . . . . . . . . 79 7.185. localPort . . . . . . . . . . . . . . . . . . . . . . . 80 7.186. localFullAddress . . . . . . . . . . . . . . . . . . . . 80 7.187. foreignAddress . . . . . . . . . . . . . . . . . . . . . 80 7.188. foreignFullAddress . . . . . . . . . . . . . . . . . . . 80 Waltermire, et al. Expires October 29, 2017 [Page 6] Internet-Draft SACM Information Model April 2017 7.189. selinuxboolean . . . . . . . . . . . . . . . . . . . . . 80 7.190. selinuxName . . . . . . . . . . . . . . . . . . . . . . 81 7.191. currentStatus . . . . . . . . . . . . . . . . . . . . . 81 7.192. pendingStatus . . . . . . . . . . . . . . . . . . . . . 81 7.193. selinuxsecuritycontext . . . . . . . . . . . . . . . . . 81 7.194. filepath . . . . . . . . . . . . . . . . . . . . . . . . 82 7.195. path . . . . . . . . . . . . . . . . . . . . . . . . . . 82 7.196. filename . . . . . . . . . . . . . . . . . . . . . . . . 82 7.197. pid . . . . . . . . . . . . . . . . . . . . . . . . . . 82 7.198. role . . . . . . . . . . . . . . . . . . . . . . . . . . 82 7.199. domainType . . . . . . . . . . . . . . . . . . . . . . . 83 7.200. lowSensitivity . . . . . . . . . . . . . . . . . . . . . 83 7.201. lowCategory . . . . . . . . . . . . . . . . . . . . . . 83 7.202. highSensitivity . . . . . . . . . . . . . . . . . . . . 83 7.203. highCategory . . . . . . . . . . . . . . . . . . . . . . 83 7.204. rawlowSensitivity . . . . . . . . . . . . . . . . . . . 84 7.205. rawlowCategory . . . . . . . . . . . . . . . . . . . . . 84 7.206. rawhighSensitivity . . . . . . . . . . . . . . . . . . . 84 7.207. rawhighCategory . . . . . . . . . . . . . . . . . . . . 84 7.208. systemdunitdependency . . . . . . . . . . . . . . . . . 84 7.209. unit . . . . . . . . . . . . . . . . . . . . . . . . . . 85 7.210. dependency . . . . . . . . . . . . . . . . . . . . . . . 85 7.211. systemdunitproperty . . . . . . . . . . . . . . . . . . 85 7.212. property . . . . . . . . . . . . . . . . . . . . . . . . 85 7.213. systemdunitValue . . . . . . . . . . . . . . . . . . . . 85 7.214. file . . . . . . . . . . . . . . . . . . . . . . . . . . 86 7.215. fileType . . . . . . . . . . . . . . . . . . . . . . . . 86 7.216. groupId . . . . . . . . . . . . . . . . . . . . . . . . 86 7.217. aTime . . . . . . . . . . . . . . . . . . . . . . . . . 86 7.218. cTime . . . . . . . . . . . . . . . . . . . . . . . . . 86 7.219. mTime . . . . . . . . . . . . . . . . . . . . . . . . . 87 7.220. size . . . . . . . . . . . . . . . . . . . . . . . . . . 87 7.221. suid . . . . . . . . . . . . . . . . . . . . . . . . . . 87 7.222. sgid . . . . . . . . . . . . . . . . . . . . . . . . . . 87 7.223. sticky . . . . . . . . . . . . . . . . . . . . . . . . . 87 7.224. hasExtendedAcl . . . . . . . . . . . . . . . . . . . . . 88 7.225. inetd . . . . . . . . . . . . . . . . . . . . . . . . . 88 7.226. serverProgram . . . . . . . . . . . . . . . . . . . . . 88 7.227. inetdEndpointType . . . . . . . . . . . . . . . . . . . 88 7.228. execAsUser . . . . . . . . . . . . . . . . . . . . . . . 89 7.229. waitStatus . . . . . . . . . . . . . . . . . . . . . . . 89 7.230. inetAddr . . . . . . . . . . . . . . . . . . . . . . . . 90 7.231. netmask . . . . . . . . . . . . . . . . . . . . . . . . 90 7.232. passwordInfo . . . . . . . . . . . . . . . . . . . . . . 90 7.233. username . . . . . . . . . . . . . . . . . . . . . . . . 91 7.234. password . . . . . . . . . . . . . . . . . . . . . . . . 91 7.235. gcos . . . . . . . . . . . . . . . . . . . . . . . . . . 91 7.236. homeDir . . . . . . . . . . . . . . . . . . . . . . . . 91 Waltermire, et al. Expires October 29, 2017 [Page 7] Internet-Draft SACM Information Model April 2017 7.237. loginShell . . . . . . . . . . . . . . . . . . . . . . . 91 7.238. lastLogin . . . . . . . . . . . . . . . . . . . . . . . 92 7.239. process . . . . . . . . . . . . . . . . . . . . . . . . 92 7.240. commandLine . . . . . . . . . . . . . . . . . . . . . . 92 7.241. ppid . . . . . . . . . . . . . . . . . . . . . . . . . . 92 7.242. priority . . . . . . . . . . . . . . . . . . . . . . . . 93 7.243. startTime . . . . . . . . . . . . . . . . . . . . . . . 93 7.244. routingtable . . . . . . . . . . . . . . . . . . . . . . 93 7.245. destination . . . . . . . . . . . . . . . . . . . . . . 93 7.246. gateway . . . . . . . . . . . . . . . . . . . . . . . . 93 7.247. runlevelInfo . . . . . . . . . . . . . . . . . . . . . . 94 7.248. runlevel . . . . . . . . . . . . . . . . . . . . . . . . 94 7.249. start . . . . . . . . . . . . . . . . . . . . . . . . . 94 7.250. kill . . . . . . . . . . . . . . . . . . . . . . . . . . 94 7.251. shadowItem . . . . . . . . . . . . . . . . . . . . . . . 94 7.252. chgLst . . . . . . . . . . . . . . . . . . . . . . . . . 95 7.253. chgAllow . . . . . . . . . . . . . . . . . . . . . . . . 95 7.254. chgReq . . . . . . . . . . . . . . . . . . . . . . . . . 95 7.255. expWarn . . . . . . . . . . . . . . . . . . . . . . . . 95 7.256. expInact . . . . . . . . . . . . . . . . . . . . . . . . 95 7.257. expDate . . . . . . . . . . . . . . . . . . . . . . . . 96 7.258. encryptMethod . . . . . . . . . . . . . . . . . . . . . 96 7.259. symlink . . . . . . . . . . . . . . . . . . . . . . . . 96 7.260. symlinkFilepath . . . . . . . . . . . . . . . . . . . . 96 7.261. canonicalPath . . . . . . . . . . . . . . . . . . . . . 97 7.262. sysctl . . . . . . . . . . . . . . . . . . . . . . . . . 97 7.263. kernelParameterName . . . . . . . . . . . . . . . . . . 97 7.264. kernelParameterValue . . . . . . . . . . . . . . . . . . 97 7.265. uname . . . . . . . . . . . . . . . . . . . . . . . . . 98 7.266. machineClass . . . . . . . . . . . . . . . . . . . . . . 98 7.267. nodeName . . . . . . . . . . . . . . . . . . . . . . . . 98 7.268. osName . . . . . . . . . . . . . . . . . . . . . . . . . 98 7.269. osRelease . . . . . . . . . . . . . . . . . . . . . . . 98 7.270. processorType . . . . . . . . . . . . . . . . . . . . . 99 7.271. internetService . . . . . . . . . . . . . . . . . . . . 99 7.272. serviceProtocol . . . . . . . . . . . . . . . . . . . . 99 7.273. serviceName . . . . . . . . . . . . . . . . . . . . . . 99 7.274. flags . . . . . . . . . . . . . . . . . . . . . . . . . 99 7.275. noAccess . . . . . . . . . . . . . . . . . . . . . . . . 100 7.276. onlyFrom . . . . . . . . . . . . . . . . . . . . . . . . 100 7.277. port . . . . . . . . . . . . . . . . . . . . . . . . . . 100 7.278. server . . . . . . . . . . . . . . . . . . . . . . . . . 100 7.279. serverArguments . . . . . . . . . . . . . . . . . . . . 100 7.280. socketType . . . . . . . . . . . . . . . . . . . . . . . 101 7.281. registeredServiceType . . . . . . . . . . . . . . . . . 101 7.282. wait . . . . . . . . . . . . . . . . . . . . . . . . . . 101 7.283. disabled . . . . . . . . . . . . . . . . . . . . . . . . 102 7.284. windowsView . . . . . . . . . . . . . . . . . . . . . . 102 Waltermire, et al. Expires October 29, 2017 [Page 8] Internet-Draft SACM Information Model April 2017 7.285. fileauditedpermissions . . . . . . . . . . . . . . . . . 102 7.286. trusteeName . . . . . . . . . . . . . . . . . . . . . . 103 7.287. auditStandardDelete . . . . . . . . . . . . . . . . . . 103 7.288. auditStandardReadControl . . . . . . . . . . . . . . . . 103 7.289. auditStandardWriteDac . . . . . . . . . . . . . . . . . 104 7.290. auditStandardWriteOwner . . . . . . . . . . . . . . . . 104 7.291. auditStandardSynchronize . . . . . . . . . . . . . . . . 105 7.292. auditAccessSystemSecurity . . . . . . . . . . . . . . . 105 7.293. auditGenericRead . . . . . . . . . . . . . . . . . . . . 106 7.294. auditGenericWrite . . . . . . . . . . . . . . . . . . . 106 7.295. auditGenericExecute . . . . . . . . . . . . . . . . . . 107 7.296. auditGenericAll . . . . . . . . . . . . . . . . . . . . 107 7.297. auditFileReadData . . . . . . . . . . . . . . . . . . . 108 7.298. auditFileWriteData . . . . . . . . . . . . . . . . . . . 108 7.299. auditFileAppendData . . . . . . . . . . . . . . . . . . 109 7.300. auditFileReadEa . . . . . . . . . . . . . . . . . . . . 109 7.301. auditFileWriteEa . . . . . . . . . . . . . . . . . . . . 110 7.302. auditFileExecute . . . . . . . . . . . . . . . . . . . . 110 7.303. auditFileDeleteChild . . . . . . . . . . . . . . . . . . 111 7.304. auditFileReadAttributes . . . . . . . . . . . . . . . . 111 7.305. auditFileWriteAttributes . . . . . . . . . . . . . . . . 112 7.306. fileeffectiverights . . . . . . . . . . . . . . . . . . 112 7.307. standardDelete . . . . . . . . . . . . . . . . . . . . . 113 7.308. standardReadControl . . . . . . . . . . . . . . . . . . 113 7.309. standardWriteDac . . . . . . . . . . . . . . . . . . . . 113 7.310. standardWriteOwner . . . . . . . . . . . . . . . . . . . 114 7.311. standardSynchronize . . . . . . . . . . . . . . . . . . 114 7.312. accessSystemSecurity . . . . . . . . . . . . . . . . . . 114 7.313. genericRead . . . . . . . . . . . . . . . . . . . . . . 114 7.314. genericWrite . . . . . . . . . . . . . . . . . . . . . . 114 7.315. genericExecute . . . . . . . . . . . . . . . . . . . . . 115 7.316. genericAll . . . . . . . . . . . . . . . . . . . . . . . 115 7.317. fileReadData . . . . . . . . . . . . . . . . . . . . . . 115 7.318. fileWriteData . . . . . . . . . . . . . . . . . . . . . 115 7.319. fileAppendData . . . . . . . . . . . . . . . . . . . . . 115 7.320. fileReadEa . . . . . . . . . . . . . . . . . . . . . . . 116 7.321. fileWriteEa . . . . . . . . . . . . . . . . . . . . . . 116 7.322. fileExecute . . . . . . . . . . . . . . . . . . . . . . 116 7.323. fileDeleteChild . . . . . . . . . . . . . . . . . . . . 116 7.324. fileReadAttributes . . . . . . . . . . . . . . . . . . . 116 7.325. fileWriteAttributes . . . . . . . . . . . . . . . . . . 117 7.326. groupInfo . . . . . . . . . . . . . . . . . . . . . . . 117 7.327. group . . . . . . . . . . . . . . . . . . . . . . . . . 117 7.328. subgroup . . . . . . . . . . . . . . . . . . . . . . . . 117 7.329. groupSidInfo . . . . . . . . . . . . . . . . . . . . . . 117 7.330. userSidInfo . . . . . . . . . . . . . . . . . . . . . . 118 7.331. userSid . . . . . . . . . . . . . . . . . . . . . . . . 118 7.332. subgroupSid . . . . . . . . . . . . . . . . . . . . . . 118 Waltermire, et al. Expires October 29, 2017 [Page 9] Internet-Draft SACM Information Model April 2017 7.333. lockoutpolicy . . . . . . . . . . . . . . . . . . . . . 118 7.334. forceLogoff . . . . . . . . . . . . . . . . . . . . . . 118 7.335. lockoutDuration . . . . . . . . . . . . . . . . . . . . 119 7.336. lockoutObservationWindow . . . . . . . . . . . . . . . . 119 7.337. lockoutThreshold . . . . . . . . . . . . . . . . . . . . 119 7.338. passwordpolicy . . . . . . . . . . . . . . . . . . . . . 119 7.339. maxPasswdAge . . . . . . . . . . . . . . . . . . . . . . 120 7.340. minPasswdAge . . . . . . . . . . . . . . . . . . . . . . 120 7.341. minPasswdLen . . . . . . . . . . . . . . . . . . . . . . 120 7.342. passwordHistLen . . . . . . . . . . . . . . . . . . . . 121 7.343. passwordComplexity . . . . . . . . . . . . . . . . . . . 121 7.344. reversibleEncryption . . . . . . . . . . . . . . . . . . 121 7.345. portInfo . . . . . . . . . . . . . . . . . . . . . . . . 121 7.346. foreignPort . . . . . . . . . . . . . . . . . . . . . . 121 7.347. printereffectiverights . . . . . . . . . . . . . . . . . 122 7.348. printerName . . . . . . . . . . . . . . . . . . . . . . 122 7.349. printerAccessAdminister . . . . . . . . . . . . . . . . 122 7.350. printerAccessUse . . . . . . . . . . . . . . . . . . . . 122 7.351. jobAccessAdminister . . . . . . . . . . . . . . . . . . 122 7.352. jobAccessRead . . . . . . . . . . . . . . . . . . . . . 123 7.353. registry . . . . . . . . . . . . . . . . . . . . . . . . 123 7.354. registryHive . . . . . . . . . . . . . . . . . . . . . . 123 7.355. registryKey . . . . . . . . . . . . . . . . . . . . . . 124 7.356. registryKeyName . . . . . . . . . . . . . . . . . . . . 124 7.357. lastWriteTime . . . . . . . . . . . . . . . . . . . . . 124 7.358. registryKeyType . . . . . . . . . . . . . . . . . . . . 125 7.359. registryKeyValue . . . . . . . . . . . . . . . . . . . . 126 7.360. regkeyauditedpermissions . . . . . . . . . . . . . . . . 127 7.361. auditKeyQueryValue . . . . . . . . . . . . . . . . . . . 128 7.362. auditKeySetValue . . . . . . . . . . . . . . . . . . . . 128 7.363. auditKeyCreateSubKey . . . . . . . . . . . . . . . . . . 129 7.364. auditKeyEnumerateSubKeys . . . . . . . . . . . . . . . . 129 7.365. auditKeyNotify . . . . . . . . . . . . . . . . . . . . . 130 7.366. auditKeyCreateLink . . . . . . . . . . . . . . . . . . . 130 7.367. auditKeyWow6464Key . . . . . . . . . . . . . . . . . . . 131 7.368. auditKeyWow6432Key . . . . . . . . . . . . . . . . . . . 131 7.369. auditKeyWow64Res . . . . . . . . . . . . . . . . . . . . 132 7.370. regkeyeffectiverights . . . . . . . . . . . . . . . . . 132 7.371. keyQueryValue . . . . . . . . . . . . . . . . . . . . . 133 7.372. keySetValue . . . . . . . . . . . . . . . . . . . . . . 133 7.373. keyCreateSubKey . . . . . . . . . . . . . . . . . . . . 133 7.374. keyEnumerateSubKeys . . . . . . . . . . . . . . . . . . 134 7.375. keyNotify . . . . . . . . . . . . . . . . . . . . . . . 134 7.376. keyCreateLink . . . . . . . . . . . . . . . . . . . . . 134 7.377. keyWow6464Key . . . . . . . . . . . . . . . . . . . . . 134 7.378. keyWow6432Key . . . . . . . . . . . . . . . . . . . . . 134 7.379. keyWow64Res . . . . . . . . . . . . . . . . . . . . . . 134 7.380. service . . . . . . . . . . . . . . . . . . . . . . . . 135 Waltermire, et al. Expires October 29, 2017 [Page 10] Internet-Draft SACM Information Model April 2017 7.381. displayName . . . . . . . . . . . . . . . . . . . . . . 135 7.382. description . . . . . . . . . . . . . . . . . . . . . . 135 7.383. serviceType . . . . . . . . . . . . . . . . . . . . . . 135 7.384. startType . . . . . . . . . . . . . . . . . . . . . . . 136 7.385. currentState . . . . . . . . . . . . . . . . . . . . . . 137 7.386. controlsAccepted . . . . . . . . . . . . . . . . . . . . 138 7.387. startName . . . . . . . . . . . . . . . . . . . . . . . 140 7.388. serviceFlag . . . . . . . . . . . . . . . . . . . . . . 140 7.389. dependencies . . . . . . . . . . . . . . . . . . . . . . 140 7.390. serviceeffectiverights . . . . . . . . . . . . . . . . . 140 7.391. trusteeSid . . . . . . . . . . . . . . . . . . . . . . . 141 7.392. serviceQueryConf . . . . . . . . . . . . . . . . . . . . 141 7.393. serviceChangeConf . . . . . . . . . . . . . . . . . . . 141 7.394. serviceQueryStat . . . . . . . . . . . . . . . . . . . . 141 7.395. serviceEnumDependents . . . . . . . . . . . . . . . . . 141 7.396. serviceStart . . . . . . . . . . . . . . . . . . . . . . 142 7.397. serviceStop . . . . . . . . . . . . . . . . . . . . . . 142 7.398. servicePause . . . . . . . . . . . . . . . . . . . . . . 142 7.399. serviceInterrogate . . . . . . . . . . . . . . . . . . . 142 7.400. serviceUserDefined . . . . . . . . . . . . . . . . . . . 142 7.401. sharedresourceauditedpermissions . . . . . . . . . . . . 143 7.402. netname . . . . . . . . . . . . . . . . . . . . . . . . 143 7.403. sharedresourceeffectiverights . . . . . . . . . . . . . 143 7.404. user . . . . . . . . . . . . . . . . . . . . . . . . . . 144 7.405. enabled . . . . . . . . . . . . . . . . . . . . . . . . 144 7.406. lastLogon . . . . . . . . . . . . . . . . . . . . . . . 144 7.407. groupSid . . . . . . . . . . . . . . . . . . . . . . . . 144 7.408. endpointType . . . . . . . . . . . . . . . . . . . . . . 144 7.409. endpointPurpose . . . . . . . . . . . . . . . . . . . . 145 7.410. endpointCriticality . . . . . . . . . . . . . . . . . . 145 7.411. ingestTimestamp . . . . . . . . . . . . . . . . . . . . 145 7.412. vulnerabilityVersion . . . . . . . . . . . . . . . . . . 146 7.413. vulnerabilityExternalId . . . . . . . . . . . . . . . . 146 7.414. vulnerabilitySeverity . . . . . . . . . . . . . . . . . 146 7.415. assessmentTimestamp . . . . . . . . . . . . . . . . . . 146 7.416. vulnerableSoftware . . . . . . . . . . . . . . . . . . . 146 7.417. endpointVulnerabilityStatus . . . . . . . . . . . . . . 147 7.418. vulnerabilityDescription . . . . . . . . . . . . . . . . 147 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 147 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 148 10. Security Considerations . . . . . . . . . . . . . . . . . . . 148 11. Operational Considerations . . . . . . . . . . . . . . . . . 149 11.1. Endpoint Designation . . . . . . . . . . . . . . . . . . 149 11.2. Timestamp Accuracy . . . . . . . . . . . . . . . . . . . 150 12. Privacy Considerations . . . . . . . . . . . . . . . . . . . 151 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 151 13.1. Normative References . . . . . . . . . . . . . . . . . . 151 13.2. Informative References . . . . . . . . . . . . . . . . . 151 Waltermire, et al. Expires October 29, 2017 [Page 11] Internet-Draft SACM Information Model April 2017 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 152 A.1. Changes in Revision 01 . . . . . . . . . . . . . . . . . 152 A.2. Changes in Revision 02 . . . . . . . . . . . . . . . . . 154 A.3. Changes in Revision 03 . . . . . . . . . . . . . . . . . 154 A.4. Changes in Revision 04 . . . . . . . . . . . . . . . . . 154 A.5. Changes in Revision 05 . . . . . . . . . . . . . . . . . 155 A.6. Changes in Revision 06 . . . . . . . . . . . . . . . . . 155 A.7. Changes in Revision 07 . . . . . . . . . . . . . . . . . 155 A.8. Changes in Revision 08 . . . . . . . . . . . . . . . . . 156 A.9. Changes in Revision 09 . . . . . . . . . . . . . . . . . 156 A.10. Changes in Revision 10 . . . . . . . . . . . . . . . . . 157 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 157 1. Introduction The SACM Information Model (IM) serves multiple purposes: o to ensure interoperability between SACM data models that are used as transport encodings, o to provide a standardized set of Information Elements - the SACM Vocabulary - to enable the exchange of content vital to automated security posture assessment, and o to enable secure information sharing in a scalable and extensible fashion in order to support the tasks conducted by SACM components. A complete set of requirements imposed on the IM can be found in [I-D.ietf-sacm-requirements]. The SACM IM is intended to be used for standardized data exchange between SACM components (data in motion). Nevertheless, the Information Elements (IE) and their relationships defined in this document can be leveraged to create and align corresponding data models for data at rest. The information model expresses, for example, target endpoint (TE) attributes, guidance, and evaluation results. The corresponding Information Elements are consumed and produced by SACM components as they carry out tasks. The primary tasks that this information model supports (on data, control, and management plane) are: o TE Discovery o TE Characterization o TE Classification Waltermire, et al. Expires October 29, 2017 [Page 12] Internet-Draft SACM Information Model April 2017 o Collection o Evaluation o Information Sharing o SACM Component Discovery o SACM Component Authentication o SACM Component Authorization o SACM Component Registration These tasks are defined in [I-D.ietf-sacm-terminology]. 2. Conventions used in this document 2.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2.2. Information Element Examples The notation used to define the SACM Information Elements (IEs) is based on a customized version of the IPFIX information model syntax [RFC7012] which is described in Figure 2. However, there are several examples presented throughout the document that use a simplified pseudo-code to illustrate the basic structure. It should be noted that while they include actual names of subjects and attributes as well as values, they are not intended to influence how corresponding SACM IEs should be defined in Section 7. The examples are provided for demonstration purposes only. 3. Information Elements The IEs defined in this document comprise the building blocks by which all SACM content is composed. They are consumed and provided by SACM components on the data plane. Every Information Element has a unique label: its name. Every type of IE defined by the SACM IM is registered as a type at the IANA registry. The Integer Index of the IANA SMI number tables can be used by SACM data models. Waltermire, et al. Expires October 29, 2017 [Page 13] Internet-Draft SACM Information Model April 2017 3.1. Context of Information Elements The IEs in this information model represent information related to assets in the following areas (based on the use cases described in [RFC7632]): o Endpoint Management o Software Inventory Management o Hardware Inventory Management o Configuration Management o Vulnerability Management 3.2. Extensibility of Information Elements A SACM data model based on this information model MAY include additional information elements that are not defined here. The labels of additional Information Elements included in different SACM data models MUST NOT conflict with the labels of the Information Elements defined by this information model, and the names of additional Information Elements MUST NOT conflict with each other or across multiple data models. In order to avoid naming conflicts, the labels of additional IEs SHOULD be prefixed to avoid collisions across extensions. The prefix MUST include an organizational identifier and therefore, for example, MAY be an IANA enterprise number, a (partial) name space URI, or an organization name abbreviation. 4. Structure of Information Elements There are two basic types of IEs: o Attributes: Atomic information elements that are equivalent to name-value-pairs and can be components of Subjects. o Subjects: Composite information elements that have a name and are made up of Attributes and/or other Subjects. Every IE that is part of a Subject can have a quantity associated with it (e.g. zero-one, none-unbounded). The content IEs of a Subject can be ordered or unordered. Waltermire, et al. Expires October 29, 2017 [Page 14] Internet-Draft SACM Information Model April 2017 Example Instance of an Attribute: hostname = "arbutus" Example Instance of a Subject: coordinates = ( latitude = N27.99619, longitude = E86.92761 ) Figure 1: Example instance of an attribute and subject. In general, every piece of information that enables security posture assessment or further enriches the quality of the assessment process can be associated with metadata. In the SACM IM, metadata is represented by specific subjects and is bundled with other attributes or subjects to provide additional information about them. The IM explicitly defines two kinds of metadata: o Metadata focusing on the data origin (the SACM component that provides the information to the SACM domain) o Metadata focusing on the data source (the target endpoint that is assessed) Metadata can also include relationships that refer to other associated IEs (or SACM content in general) by using referencing labels that have to be included in the metadata of the associated IE. Subjects can be nested and the SACM IM allows for circular or recursive nesting. The association of IEs via nesting results in a tree-like structure wherein subjects compose the root and intermediary nodes and attributes the leaves of the tree. This semantic structure does not impose a specific structure on SACM data models regarding data in motion or data repository schemata for data at rest. The SACM IM provides two conceptual top-level subjects that are used to ensure a homogeneous structure for SACM content and its associated metadata: SACM statements and SACM content-elements. Every set of IEs that is provided by a SACM component must provide the information contained in these two subjects although it is up to the implementer whether or not the subjects are explicitly defined in a data model. The notation the SACM IM is defined in is based on a modified version of the IP Information Flow Export (IPFIX) Information Model syntax described in Section 2.1 of [RFC7012]. The customized syntax used by the SACM IM is defined below in Figure 2. Waltermire, et al. Expires October 29, 2017 [Page 15] Internet-Draft SACM Information Model April 2017 elementId (required): The numeric identifier of the Information Element. It is used for the compact identification of an Information Element. If this identifier is used without an enterpriseID, then the elementId must be unique, and the description of allowed values is administrated by IANA. The value "TBD" may be used during development of the information model until an elementId is assigned by IANA and filled in at publication time. enterpriseId (optional): Enterprises may wish to define Information Elements without registering them with IANA, for example, for enterprise-internal purposes. For such Information Elements, the elementId is not sufficient when used outside the enterprise. If specifications of enterprise- specific Information Elements are made public and/or if enterprise-specific identifiers are used by SACM components outside the enterprise, then the enterprise-specific identifier MUST be made globally unique by combining it with an enterprise identifier. Valid values for the enterpriseId are defined by IANA as Structure of Management Information (SMI) network management private enterprise numbers. name (required): A unique and meaningful name for the Information Element. dataType (required): There are two kinds of datatypes: simple and structured. Attributes are defined using simple datatypes and subjects are defined using structured datatypes. The contents of the datatype field will be either a reference to one of the simple Waltermire, et al. Expires October 29, 2017 [Page 16] Internet-Draft SACM Information Model April 2017 datatypes listed in Section 5.1, or the specification of structured datatype as defined in Section 5.2. status (required): The status of the specification of the Information Element. Allowed values are "current" and "deprecated". All newly defined Information Elements have "current" status. The process for moving Information Elements to the "deprecated" status is TBD. description (required): Describes the meaning of the Information Element, how it is derived, conditions for its use, etc. structure (optional): A parsable property that provides details about the definition of structured Information Elements as described in Section 5.2. references (optional): Identifies other RFCs or documents outside the IETF which provide additional information or context about the Information Element. Figure 2: Information Element Specification Template 4.1. Information Element Naming Convention SACM Information Elements must adhere to the following naming conventions. o Names SHOULD be descriptive o Names MUST be unique within the SACM registry. Enterprise- specific names SHOULD be prefixed with a Private Enterprise Number [PEN]. o Names MUST start with lowercase letters unless it begins with a Private Enterprise Number o Composed names MUST use capital letters for the first letter of each part Waltermire, et al. Expires October 29, 2017 [Page 17] Internet-Draft SACM Information Model April 2017 4.2. SACM Content Elements Every piece of information that is provided by a SACM Component is always associated with a set of data source metadata (e.g. the timestamp when the information was collected, the target endpoint from which the this set of information is about, etc.) which is provided in the SACM Content Element Metadata. The SACM Content Element is the subject information element that associates the information with the SACM Content Element Metadata. The SACM Content Element Metadata may also include relationships that express associations with other SACM Content Elements. content-element = ( content-metadata = ( collection-timestamp = 146193322, data-source = fb02e551-7101-4e68-8dec-1fde6bd10981 ), hostname = "arbutus", coordinates = ( latitude = N27.99619, longitude = E86.92761 ) ) Figure 3: Example set of IEs associated with a timestamp and a target endpoint label. 4.3. SACM Statements One or more SACM Content Elements are bundled in a SACM Statement. In contrast to SACM Content Element Metadata, SACM Statement Metadata focuses on the providing information about the SACM Component that provided it rather than the target endpoint that the content is about. The only content-specific metadata included in the SACM Statement is the statement-type IE. Therefore, multiple SACM Content Elements that share the same SACM Statement Metadata and are of the same statement-type can be included in a single SACM Statement. A SACM Statement functions similar to an envelope or a header and is the subject information element that associates SACM Statement Metadata with security automation information provided in its SACM Content Element(s). Its purpose is to enable the tracking of the origin of data inside a SACM domain and more importantly to enable the mitigation of conflicting information that may originate from different SACM Components. How a consuming SACM Component actually deals with conflicting information is out-of-scope of the SACM IM. Semantically, the term statement implies that the SACM content provided by a SACM Component might not be correct in every context, Waltermire, et al. Expires October 29, 2017 [Page 18] Internet-Draft SACM Information Model April 2017 but, rather is the result of a best-effort to produce correct information. sacm-statement = ( statement-metadata = ( publish-timestamp = 1461934031, data-origin = 24e67957-3d31-4878-8892-da2b35e121c2, statement-type = observation ), content-element = ( content-metadata = ( collection-timestamp = 146193322, data-source = fb02e551-7101-4e68-8dec-1fde6bd10981 ), hostname = "arbutus" ) ) Figure 4: Example of a simple SACM statement including a single content-element. Waltermire, et al. Expires October 29, 2017 [Page 19] Internet-Draft SACM Information Model April 2017 sacm-statement = ( statement-metadata = ( publish-timestamp = 1461934031, data-origin = 24e67957-3d31-4878-8892-da2b35e121c2 statement-type = observation ), content-element = ( content-metadata = ( collection-timestamp = 146193322, data-source = fb02e551-7101-4e68-8dec-1fde6bd10981 ), coordinates = ( latitude = N27.99619, longitude = E86.92761 ) ) ) sacm-statement = ( statement-metadata = ( publish-timestamp = 1461934744, data-origin = e42885a1-0270-44e9-bb5c-865cf6bd4800, statement-type = observation ), content-element = ( content-metadata = ( collection-timestamp = 146193821, te-label = fb02e551-7101-4e68-8dec-1fde6bd10981 ), coordinates = ( latitude = N16.67622, longitude = E141.55321 ) ) ) Figure 5: Example of conflicting information originating from different SACM components. 4.4. Relationships An IE can be associated with another IE, e.g. a user-name attribute can be associated with a content-authorization subject. These references are expressed via the relationships subject, which can be included in a corresponding content-metadata subject. The relationships subject includes a list of one or more references. The SACM IM does not enforce a SACM domain to use unique identifiers as Waltermire, et al. Expires October 29, 2017 [Page 20] Internet-Draft SACM Information Model April 2017 references. Therefore, there are at least two ways to reference another o The value of a reference represents a specific content-label that is unique in a SACM domain (and has to be included in the corresponding content-element metadata in order to be referenced), or o The reference is a subject that includes an appropriate number of IEs in order to identify the referenced content-element by its actual content. It is recommended to provide unique identifiers in a SACM domain and the SACM IM provides a corresponding naming-convention as a reference in Section 4.1. The alternative highlighted above summarizes a valid approach that does not require unique identifiers and is similar to the approach of referencing target endpoints via identifying attributes included in a characterization record. content-element = ( content-metadata = ( collection-timestamp = 1461934031, te-label = fb02e551-7101-4e68-8dec-1fde6bd10981 relationships = ( associated-with-user-account = f3d70ef4-7e18-42af-a894-8955ba87c95d ) ), hostname = "arbutus" ) content-element = ( content-metadata = ( content-label = f3d70ef4-7e18-42af-a894-8955ba87c95d ), user-account = ( username = romeo authentication = local ) ) Figure 6: Example instance of a content-element subject associated with another subject via its content metadata. Waltermire, et al. Expires October 29, 2017 [Page 21] Internet-Draft SACM Information Model April 2017 4.5. Event Event subjects provide a structure to represent the change of IE values that was detected by a collection task at a specific point of time. It is mandatory to include the new values and the collection timestamp in an event subject and it is recommended to include the past values and a collection timestamp that were replaced by the new IE values. Every event can also be associated with a subject- specific event-timestamp and a lastseen-timestamp that might differ from the corresponding collection-timestamps. If these are omitted the collection-timestamp that is included in the content-metadata subject is used instead. sacm-statement = ( statement-metadata = ( publish-timestamp = 1461934031, data-origin = 24e67957-3d31-4878-8892-da2b35e121c2, statement-type = event ), event = ( event-attributes = ( event-name = "host-name change", content-element = ( content-metadata = ( collection-timestamp = 146193322, data-source = fb02e551-7101-4e68-8dec-1fde6bd10981, event-component = past-state ), hostname = "arbutus" ), content-element = ( content-metadata = ( collection-timestamp = 146195723, data-source = fb02e551-7101-4e68-8dec-1fde6bd10981, event-component = current-state ), hostname = "lilac" ) ) ) Figure 7: Example of a SACM statement containing an event. Waltermire, et al. Expires October 29, 2017 [Page 22] Internet-Draft SACM Information Model April 2017 4.6. Categories Categories are special IEs that refer to multiple types of IEs via just one name. Therefore, they are similar to a type-choice. A prominent example of a category is when identifying a target endpoint. In some cases, a target endpoint will be identified by a set of identifying attributes and in other cases a target endpoint will be identified by a target endpoint label which is unique within a SACM domain. If a subject includes the targetEndpoint information element as one of its components, any of the category members (targetEndpointIdentifier or targetEndpointLabel) are valid to be used in its place. 5. Abstract Data Types This section describes the set of valid abstract data types that can be used for the specification of the SACM Information Elements in Section 7. SACM currently supports two classes of datatypes that can be used to define Information Elements. o Simple: Datatypes that are atomic and are used to define the type of data represented by an attribute Information Element. o Structured: Datatypes that can be used to define the type of data represented by a subject Information Element. Note that further abstract data types may be specified by future extensions of the SACM information model. 5.1. Simple Datatypes 5.1.1. IPFIX Datatypes To facilitate the use of existing work, SACM supports the following abstract data types defined in Section 3 of [RFC7012]. o unsigned8, unsigned16, unsigned32, unsigned64 o signed8, signed16, signed32, signed64 o float32, float64 o boolean o macAddress o octetArray Waltermire, et al. Expires October 29, 2017 [Page 23] Internet-Draft SACM Information Model April 2017 o string o dateTimeSeconds, dateTimeMilliseconds, dateTimeMicroseconds, dateTimeNanoSeconds o ipv4Address, ipv6Address 5.2. Structured Datatypes 5.2.1. List Datatypes SACM defines the following abstract list data types that are used to represent the structured data associated with subjects. o list: indicates that the Information Element order is not significant but MAY be preserved. o orderedList: indicates that Information Element order is significant and MUST be preserved. The notation for defining a SACM structured datatype is based on regular expressions, which are composed of the keywords "list" or "orderedList" and an Information Element expression. IE expressions use some of the regular expression syntax and operators, but the terms in the expression are the names of defined Information Elements instead of character classes. The syntax for defining list and orderedList datatypes is described below, using BNF: -> ("list"|"orderedList") "(" ")" -> ? ( ("," | "|") ?)* -> "*" | "+" | "?" | ( "(" ("," )? ")" ) Figure 8: Syntax for Defining List Datatypes As seen above, multiple occurrences of an Information Element may be present in a structured datatype. The cardinality of an Information Element within a structured Information Element definition is defined by the following operators: Waltermire, et al. Expires October 29, 2017 [Page 24] Internet-Draft SACM Information Model April 2017 * - zero or more occurrences + - one or more occurrences ? - zero or one occurrence (m,n) - between m and n occurrences Figure 9: Specifying Cardinality for Structured Datatypes The absence of a cardinality operator implies one mandatory occurrence of the Information Element. Below is an example of a structured Information Element definition. personInfo = list(firstName, middleNames?, lastName) firstName = string middleNames = orderedList(middleName+) middleName = string lastName = string As an example, consider the name "John Ronald Reuel Tolkien". Below are instances of this name, structured according to the personInfo definition. personInfo = (firstName="John", middleNames(middleName="Ronald", middleName="Reuel"), lastName="Tolkien") personInfo = (middleNames(middleName="Ronald", middleName=" Reuel"), lastName="Tolkien", firstName="John") The instance below is not legal with respect to the definition of personInfo because the order in middleNames is not preserved. personInfo = (firstName="John", middleNames(middleName=" Reuel", middleName="Ronald"), lastName="Tolkien") Figure 10: Example of Defining a Structured List Datatype 5.2.2. Enumeration Datatype SACM defines the following abstract enumeration datatype that is used to represent the restriction of an attribute value to a set of values. Waltermire, et al. Expires October 29, 2017 [Page 25] Internet-Draft SACM Information Model April 2017 name, hex-value, description -> -> ";" ";" -> [0-9a-zA-Z]+ -> 0x[0-9a-fA-F]+ -> [0-9a-zA-Z\.\,]+ Figure 11: Syntax for Defining an Enumeration Datatype Below is an example of a structured Information Element definition for an enumeration. Red ; 0x1 ; The color is red. Orange ; 0x2 ; The color is orange. Yellow ; 0x3 ; The color is yellow. Green ; 0x4 ; The color is green. ... Figure 12: Example of Defining a Structured Enumeration Datatype 5.2.3. Category Datatype SACM defines the following abstract category datatype that is used to represent a type-choice between a set of information elements. -> "category(" ")" -> ("|" )* -> [0-9a-zA-Z]+ Figure 13: Syntax for Defining an Category Datatype Below is an example of a structured Information Element definition for a category. targetEndpoint = category(targetEndpointIdentifier | targetEndpointLabel) Figure 14: Example of Defining a Structured Category Datatype 6. Information Model Assets In order to represent the Information Elements related to the areas listed in Section 3.1, the information model defines the information needs (or metadata about those information needs) related to following types of assets which are defined in [I-D.ietf-sacm-terminology] (and included below for convenience) which are of interest to SACM. Specifically: o Endpoint Waltermire, et al. Expires October 29, 2017 [Page 26] Internet-Draft SACM Information Model April 2017 o Software Component o Hardware Component o Identity o Guidance o Evaluation Results The following figure shows the make up of an Endpoint asset which contains zero or more hardware components and zero or more software components each of which may have zero or more instances running an endpoint at any given time as well as zero or more identities that act on behalf of the endpoint when interfacing with other endpoints, tools, or services. An endpoint may also contain other endpoints in the case of a virtualized environment. +---------+*______in>_______*+-----+ |Hardware | |! !| |Component| +---------+ |! !| +---------+ |Software |in> |! !| |Component|____|! !| +---------+* *|! !| 1| |! !| *| | | +----------+ +---------+ |End- |*_____*| Identity | |Software |in> |point| acts +----------+ |Instance |____| | for> +---------+* 1|! !| |! !| |! !| |! !| |! !|____ |! !|0..1| +-----+ | |* | |_______| in> Figure 15: Model of an Endpoint 6.1. Asset As defined in [RFC4949], an asset is a system resource that is (a) required to be protected by an information system's security policy, Waltermire, et al. Expires October 29, 2017 [Page 27] Internet-Draft SACM Information Model April 2017 (b) intended to be protected by a countermeasure, or (c) required for a system's mission. In the scope of SACM, an asset can be composed of other assets. Examples of Assets include: Endpoints, Software, Guidance, or Identity. Furthermore, an asset is not necessarily owned by an organization. 6.2. Endpoint From [RFC5209], an endpoint is any computing device that can be connected to a network. Such devices normally are associated with a particular link layer address before joining the network and potentially an IP address once on the network. This includes: laptops, desktops, servers, cell phones, or any device that may have an IP address. To further clarify, an endpoint is any physical or virtual device that may have a network address. Note that, network infrastructure devices (e.g. switches, routers, firewalls), which fit the definition, are also considered to be endpoints within this document. Physical endpoints are always composites that are composed of hardware components and software components. Virtual endpoints are composed entirely of software components and rely on software components that provide functions equivalent to hardware components. The SACM architecture differentiates two essential categories of endpoints: Endpoints whose security posture is intended to be assessed (target endpoints) and endpoints that are specifically excluded from endpoint posture assessment (excluded endpoints). 6.3. Hardware Component Hardware components are the distinguishable physical components that compose an endpoint. The composition of an endpoint can be changed over time by adding or removing hardware components. In essence, every physical endpoint is potentially a composite of multiple hardware components, typically resulting in a hierarchical composition of hardware components. The composition of hardware components is based on interconnects provided by specific hardware types (e.g. mainboard is a hardware type that provides local busses as an interconnect). In general, a hardware component can be distinguished by its serial number. Examples of a hardware components include: motherboards, network interfaces, graphics cards, hard drives, etc. Waltermire, et al. Expires October 29, 2017 [Page 28] Internet-Draft SACM Information Model April 2017 6.4. Software Component A software package installed on an endpoint (including the operating system) as well as a unique serial number if present (e.g. a text editor associated with a unique license key). It should be noted that this includes both benign and harmful software packages. Examples of benign software components include: applications, patches, operating system kernel, boot loader, firmware, code embedded on a webpage, etc. Examples of malicious software components include: malware, trojans, viruses, etc. 6.4.1. Software Instance A running instance of the software component (e.g. on a multi-user system, one logged-in user has one instance of a text editor running and another logged-in user has another instance of the same text editor running, or on a single-user system, a user could have multiple independent instances of the same text editor running). 6.5. Identity Any mechanism that can be used to identify an asset during an authentication process. Examples include usernames, user and device certificates, etc. Note, that this is different than the identity of assets in the context of designation as described in Section 11.1. 6.6. Guidance Guidance is input instructions to processes and tasks, such as collection or evaluation. Guidance influences the behavior of a SACM component and is considered content of the management plane. Guidance can be manually or automatically generated or provided. Typically, the tasks that provide guidance to SACM components have a low-frequency and tend to be sporadic. A prominent example of guidance are target endpoint profiles,but guidance can have many forms, including: Configuration, e.g. a SACM component's name, or a CMDB's IPv6 address. Profiles, e.g. a set of expected states for network behavior associated with target endpoints employed by specific users. Policies, e.g. an interval to refresh the registration of a SACM component, or a list of required capabilities for SACM components in a specific location. Waltermire, et al. Expires October 29, 2017 [Page 29] Internet-Draft SACM Information Model April 2017 6.6.1. Collection Guidance A collector may need guidance to govern what it collects and when. Collection Guidance provides instructions for a Collector that specifies which endpoint attributes to collect, when to collect them, and how to collect them. Collection Guidance is composed of Target Endpoint Attribute Guidance, Frequency Guidance, and Method Guidance. o Target Endpoint Attribute Guidance: Set of endpoint attributes that are supposed to be collected from a target endpoint. The definition of the set of endpoint attributes is typically based on an endpoint characterization record. o Frequency Guidance: Specifies when endpoint attributes are to be collected. o Method Guidance: Indicates how endpoint attributes are to be collected. 6.6.2. Evaluation Guidance An evaluator typically needs guidance to govern what it considers to be a good or bad security posture. Evaluation Guidance provides instructions for an Evaluator that specifies which endpoint attributes to evaluate, the desired state of those endpoint attributes, and any special requirements that enable an Evaluator to determine if the endpoint attributes can be used in the evaluation (e.g. freshness of data, how it was collected, etc.). Evaluation Guidance is composed of Target Endpoint Attribute Guidance, Expected Endpoint Attribute Value Guidance, and Frequency Guidance. o Target Endpoint Attribute Guidance: Set of target endpoint attributes that are supposed to be used in an evaluation as well as any requirements on the endpoint attributes. The definition of the set of endpoint attributes is typically based on an endpoint characterization record. o Expected Endpoint Attribute Value Guidance: The expected values of the endpoint attributes described in the Target Endpoint Attribute Guidance. o Frequency Guidance: Specifies when endpoint attributes are to be evaluated. o Method Guidance: Indicates how endpoint attributes are to be collected. Waltermire, et al. Expires October 29, 2017 [Page 30] Internet-Draft SACM Information Model April 2017 6.6.3. Classification Guidance A SACM Component carrying out the Target Endpoint Classification Task may need guidance on how to classify an endpoint. Specifically, how to associate endpoint classes with a specific target endpoint characterization record. Target Endpoint Classes function as guidance for collection, evaluation, remediation and security posture assessment in general. Classification Guidance is composed of Target Endpoint Attribute Guidance and Class Guidance. o Target Endpoint Attribute Guidance: Set of target endpoint attributes that are supposed to be used to identify the endpoint characterization record. o Class Guidance: A list of target endpoint classes that are to be associated with the identified target endpoint characterization record. 6.6.4. Storage Guidance An SACM Component typically needs guidance to govern what information it should store and where. Storage Guidance provides instructions for a SACM Component that specifies which security automation information should be stored, for how long, and on which endpoint. Storage Guidance is composed of Target Endpoint Attribute Guidance, Expected Security Automation Information Guidance, and Retention Guidance. o Target Endpoint Attribute Guidance: Set of target endpoint attributes that are supposed to be used to identify the endpoint where the security automation information is to be stored. o Expected Security Automation Information Guidance: The security automation information that is expected to be stored (guidance, collected posture attributes, results, etc.). o Retention Guidance: Specifies how long the security automation information should be stored. 6.6.5. Evaluation Results Evaluation Results are the output of comparing the actual state of an endpoint against the expected state of an endpoint. In addition to the actual results of the comparison, Evaluation Results should include the Evaluation Guidance and actual target endpoint attributes values used to perform the evaluation. Waltermire, et al. Expires October 29, 2017 [Page 31] Internet-Draft SACM Information Model April 2017 7. Information Model Elements This section defines the specific Information Elements and relationships that will be implemented by data models and transported between SACM Components. 7.1. sacmStatement elementId: TBD name: sacmStatement dataType: orderedList status: current description: Associates SACM Statement Metadata which provides data origin information about the providing SACM Component with one or more SACM Content Elements that contain security automation information. structure: orderedList(sacmStatementMetadata, sacmContentElement+) 7.2. sacmStatementMetadata elementId: TBD name: sacmStatementMetadata dataType: orderedList status: current description: Contains IEs that provide information about the data origin of the providing SACM Component as well as the information necessary for other SACM Components to understand the type of security automation information in the SACM Statement's SACM Content Element(s). structure: orderedList(publicationTimestamp, dataOrigin, anyIE*) 7.3. sacmContentElement elementId: TBD name: sacmContentElement dataType: list status: current description: Associates SACM Content Element Metadata which provides information about the data source and type of security automation information with the actual security automation information. structure: TODO Waltermire, et al. Expires October 29, 2017 [Page 32] Internet-Draft SACM Information Model April 2017 7.4. sacmContentElementMetadata elementId: TBD name: sacmContentElementMetadata dataType: orderedList status: current description: Contains IEs that provide information about the data source and type of security automation information such that other SACM Components are able to parse and understand the security automation information contained within the SACM Statement's SACM Content Element(s). structure: orderedList(collectionTimestamp, targetEndpoint, anyIE*) 7.5. targetEndpoint elementId: TBD name: targetEndpoint dataType: category status: current description: Information that identifies a target endpoint on the network. This may be a set of attributes that can be used to identify an endpoint on the network or a label that is unique to a SACM domain. structure: category(targetEndpointIdentifier | targetEndpointLabel) 7.6. targetEndpointIdentifier elementId: TBD name: targetEndpointIdentifier dataType: list status: current description: A set of attributes that uniquely identify a target endpoint on the network. structure: list(anyIE+) 7.7. targetEndpointLabel elementId: TBD name: targetEndpointLabel dataType: string status: current description: A label that uniquely identifies a target endpoint on SACM domain. Waltermire, et al. Expires October 29, 2017 [Page 33] Internet-Draft SACM Information Model April 2017 7.8. anyIE elementId: TBD name: anyIE dataType: category status: current description: This category is a placeholder for any information element defined within the SACM Information Model. Its purpose is to provide an extension point in other information elements that enable them to support the specific needs of an enterprise, user, product, or service. 7.9. accessPrivilegeType elementId: TBD name: accessPrivilegeType dataType: string status: current description: A set of types that represent access privileges (read, write, none, etc.). 7.10. accountName elementId: TBD name: accountName dataType: string status: current description: A label that uniquely identifies an account that can require some form of (user) authentication to access. 7.11. administrativeDomainType elementId: TBD name: administrativeDomainType dataType: string status: current description: A label the is supposed to uniquely identify an administrative domain. 7.12. addressAssociationType Waltermire, et al. Expires October 29, 2017 [Page 34] Internet-Draft SACM Information Model April 2017 elementId: TBD name: addressAssociationType dataType: string status: current description: A label the is supposed to uniquely identify an administrative domain. 7.13. addressMaskValue elementId: TBD name: addressMaskValue dataType: string status: current description: A value that expresses a generic address subnetting bitmask. 7.14. addressType elementId: TBD name: addressType dataType: string status: current description: A set of types that specifies the type of address that is expressed in an address subject (e.g. ethernet, modbus, zigbee). 7.15. addressValue elementId: TBD name: addressValue dataType: string status: current description: A value that expresses a generic network address. 7.16. applicationComponent elementId: TBD name: applicationComponent dataType: string status: current description: A label that references a "sub"-application that is part of the application (e.g. an add-on, a cipher-suite, a library). Waltermire, et al. Expires October 29, 2017 [Page 35] Internet-Draft SACM Information Model April 2017 7.17. applicationLabel elementId: TBD name: applicationLabel dataType: string status: current description: A label that is supposed to uniquely reference an application. 7.18. applicationType elementId: TBD name: applicationType dataType: string status: current description: A set of types (FIXME maybe a finite set is not realistic here - value not enumerator?) that identifies the type of (user-space) application (e.g. text-editor, policy-editor, service-client, service-server, calendar, rouge-like RPG). 7.19. applicationManufacturer elementId: TBD name: applicationManufacturer dataType: string status: current description: The name of the vendor that created the application. 7.20. authenticator elementId: TBD name: authenticator dataType: string status: current description: A label that references a SACM component that can authenticate target endpoints (can be used in a target-endpoint subject to express that the target endpoint was authenticated by that SACM component. 7.21. authenticationType Waltermire, et al. Expires October 29, 2017 [Page 36] Internet-Draft SACM Information Model April 2017 elementId: TBD name: authenticationType dataType: string status: current description: A set of types that express which type of authentication was used to enable a network interaction/connection. 7.22. birthdate elementId: TBD name: birthdate dataType: string status: current description: A label for the registered day of birth of a natural person (e.g. the date of birth of a person as an ISO date string). references: http://rs.tdwg.org/ontology/voc/Person#birthdate 7.23. bytesReceived elementId: TBD name: bytesReceived dataType: string status: current description: A value that represents a number of octets received on a network interface. 7.24. bytesReceived elementId: TBD name: bytesReceived dataType: string status: current description: A value that represents the number of octets received on a network interface. 7.25. bytesSent elementId: TBD name: bytesSent dataType: string status: current description: A value that represents the number of octets sent on a network interface. Waltermire, et al. Expires October 29, 2017 [Page 37] Internet-Draft SACM Information Model April 2017 7.26. certificate elementId: TBD name: certificate dataType: string status: current description: A value that expresses a certificate that can be collected from a target endpoint. 7.27. collectionTaskType elementId: TBD name: collectionTaskType dataType: string status: current description: A set of types that defines how collected SACM content was acquired (e.g. network-observation, remote-acquisition, self-reported, derived, authority, verified). 7.28. confidence elementId: TBD name: confidence dataType: string status: current description: A representation of the subjective probability that the assessed value is correct. If no confidence value is given, it is assumed that the confidence is 1. Acceptable values are between 0 and 1. 7.29. contentAction elementId: TBD name: contentAction dataType: string status: current description: A set of types that express a type of action (e.g. add, delete, update). It can be associated, for instance, with an event subject or with a network observation. 7.30. countryCode Waltermire, et al. Expires October 29, 2017 [Page 38] Internet-Draft SACM Information Model April 2017 elementId: TBD name: countryCode dataType: string status: current description: A set of types according to ISO 3166-1. 7.31. dataOrigin elementId: TBD name: dataOrigin dataType: string status: current description: A label that uniquely identifies a SACM component in and across SACM domains. 7.32. dataSource elementId: TBD name: dataSource dataType: string status: current description: A label that is supposed to uniquely identify the data source (e.g. a target endpoint or sensor) that provided an initial endpoint attribute record. 7.33. default-depth elementId: TBD name: default-depth dataType: string status: current description: A value that expresses how often a circular reference of subject is allowed to repeat, or how deep a recursive nesting may occur, respectively. 7.34. discoverer elementId: TBD name: discoverer dataType: string status: current description: A label that refers to the SACM component that discovered a target endpoint (can be used in a target-endpoint subject to express, for example, that the target endpoint was authenticated by that SACM component). Waltermire, et al. Expires October 29, 2017 [Page 39] Internet-Draft SACM Information Model April 2017 7.35. emailAddress elementId: TBD name: emailAddress dataType: string status: current description: A value that expresses an email-address. 7.36. eventType elementId: TBD name: eventType dataType: string status: current description: a set of types that define the categories of an event (e.g. access-level-change, change-of-privilege, change-of-authorization, environmental-event, or provisioning-event). 7.37. eventThreshold elementId: TBD name: eventThreshold dataType: string status: current description: If applicable, a value that can be included in an event subject to indicate what numeric threshold value was crossed to trigger that event. 7.38. eventThresholdName elementId: TBD name: eventThresholdName dataType: string status: current description: If an event is created due to a crossed threshold, the threshold might have a name associated with it that can be expressed via this value. 7.39. eventTrigger elementId: TBD name: eventTrigger dataType: string status: current description: This value is used to express more complex trigger conditions that may cause the creation of an event. Waltermire, et al. Expires October 29, 2017 [Page 40] Internet-Draft SACM Information Model April 2017 7.40. firmwareId elementId: TBD name: firmwareId dataType: string status: current description: A label that represents the BIOS or firmware ID of a specific target endpoint. 7.41. hostName elementId: TBD name: hostName dataType: string status: current description: A label typically associated with an endpoint, but, not always intended to be unique given scope. 7.42. interfaceLabel elementId: TBD name: interfaceLabel dataType: string status: current description: A unique label that can be used to reference a network interface. 7.43. ipv6AddressSubnetMask elementId: TBD name: ipv6AddressSubnetMask dataType: string status: current description: An IPv6 subnet bitmask. 7.44. ipv6AddressSubnetMaskCidrNotation elementId: TBD name: ipv6AddressSubnetMaskCidrNotation dataType: string status: current description: An IPv6 subnet bitmask in CIDR notation. Waltermire, et al. Expires October 29, 2017 [Page 41] Internet-Draft SACM Information Model April 2017 7.45. ipv6AddressValue elementId: TBD name: ipv6AddressValue dataType: ipv6Address status: current description: An IPv6 subnet bitmask in CIDR notation. 7.46. ipv4AddressSubnetMask elementId: TBD name: ipv4AddressSubnetMask dataType: string status: current description: An IPv4 subnet bitmask. 7.47. ipv4AddressSubnetMaskCidrNotation elementId: TBD name: ipv4AddressSubnetMaskCidrNotation dataType: string status: current description: An IPv4 subnet bitmask in CIDR notation. 7.48. ipv4AddressValue elementId: TBD name: ipv4AddressValue dataType: ipv4Address status: current description: An IPv4 address value. 7.49. layer2InterfaceType elementId: TBD name: layer2InterfaceType dataType: string status: current description: A set of types referenced by IANA ifType. 7.50. layer4PortAddress Waltermire, et al. Expires October 29, 2017 [Page 42] Internet-Draft SACM Information Model April 2017 elementId: TBD name: layer4PortAddress dataType: unsigned32 status: current description: A layer 4 port address typically associated with TCP and UDP protocols. 7.51. layer4Protocol elementId: TBD name: layer4Protocol dataType: string status: current description: A set of types that express a layer 4 protocol (e.g. UDP or TCP). 7.52. locationName elementId: TBD name: locationName dataType: string status: current description: A value that represents a named region of physical space. 7.53. networkZoneLocation elementId: TBD name: networkZoneLocation dataType: string status: current description: The zone location of an endpoint on the network (e.g. internet, enterprise DMZ, enterprise WAN, enclave DMZ, enclave). 7.54. layer2NetworkLocation elementId: TBD name: layer2NetworkLocation dataType: string status: current description: The location of a layer-2 interface on the network (e.g. link-layer neighborhood, shared broadcast domain). Waltermire, et al. Expires October 29, 2017 [Page 43] Internet-Draft SACM Information Model April 2017 7.55. layer3NetworkLocation elementId: TBD name: layer3NetworkLocation dataType: string status: current description: The location of a layer-3 interface on the network (e.g. next-hop routing neighbor). 7.56. macAddressValue elementId: TBD name: macAddressValue dataType: string status: current description: A value that expresses an Ethernet address. 7.57. methodLabel elementId: TBD name: methodLabel dataType: string status: current description: A label that references a specific method registered and used in a SACM domain (e.g. method to match and re-identify target endpoints via identifying attributes). 7.58. methodRepository elementId: TBD name: methodRepository dataType: string status: current description: A label that references a SACM component methods can be registered at and that can provide guidance in the form of registered methods to other SACM components. 7.59. networkAccessLevelType elementId: TBD name: networkAccessLevelType dataType: string status: current description: A set of types that express categories of network access-levels (e.g. block, quarantine, etc.). Waltermire, et al. Expires October 29, 2017 [Page 44] Internet-Draft SACM Information Model April 2017 7.60. networkId elementId: TBD name: networkId dataType: string status: current description: Most networks such as AS, OSBF domains, or VLANs can have an ID. 7.61. networkInterfaceName elementId: TBD name: networkInterfaceName dataType: string status: current description: A label that uniquely identifies an interface associated with a distinguishable endpoint. 7.62. networkLayer elementId: TBD name: networkLayer dataType: string status: current description: A set of layers that expresses the specific network layer an interface operates on. 7.63. networkName elementId: TBD name: networkName dataType: string status: current description: A label that is associated with a network. Some networks, for example, effective layer2-broadcast-domains are difficult to "grasp" and therefore quite difficult to name. 7.64. organizationId elementId: TBD name: organizationId dataType: string status: current description: A label that uniquely identifies an organization via a PEN. Waltermire, et al. Expires October 29, 2017 [Page 45] Internet-Draft SACM Information Model April 2017 7.65. patchId elementId: TBD name: patchId dataType: string status: current description: A label that uniquely identifies a specific software patch. 7.66. patchName elementId: TBD name: patchName dataType: string status: current description: The vendor's name of a software patch. 7.67. personFirstName elementId: TBD name: personFirstName dataType: string status: current description: The first name of a natural person. 7.68. personLastName elementId: TBD name: personLastName dataType: string status: current description: The last name of a natural person. 7.69. personMiddleName elementId: TBD name: personMiddleName dataType: string status: current description: The middle name of a natural person. 7.70. phoneNumber Waltermire, et al. Expires October 29, 2017 [Page 46] Internet-Draft SACM Information Model April 2017 elementId: TBD name: phoneNumber dataType: string status: current description: A label that expresses the U.S. national phone number (e.g. pattern value="((\d{3}) )?\d{3}-\d{4}"). 7.71. phoneNumberType elementId: TBD name: phoneNumberType dataType: string status: current description: A set of types that express the type of a phone number (e.g. DSN, Fax, Home, Mobile, Pager, Secure, Unsecure, Work, Other). 7.72. privilegeName elementId: TBD name: privilegeName dataType: string status: current description: The attribute name of the privilege represented as an AVP. 7.73. privilegeValue elementId: TBD name: privilegeValue dataType: string status: current description: The value content of the privilege represented as an AVP. 7.74. protocol elementId: TBD name: protocol dataType: string status: current description: A set of types that defines specific protocols above layer 4 (e.g. http, https, dns, ipp, or unknown). Waltermire, et al. Expires October 29, 2017 [Page 47] Internet-Draft SACM Information Model April 2017 7.75. publicKey elementId: TBD name: publicKey dataType: string status: current description: The value of a public key (regardless of its method of creation, crypto-system, or signature scheme) that can be collected from a target endpoint. 7.76. relationshipContentElementGuid elementId: TBD name: relationshipContentElementGuid dataType: string status: current description: A reference to a specific content element used in a relationship subject. 7.77. relationshipStatementElementGuid elementId: TBD name: relationshipStatementElementGuid dataType: string status: current description: A reference to a specific SACM statement used in a relationship subject. 7.78. relationshipObjectLabel elementId: TBD name: relationshipObjectLabel dataType: string status: current description: A reference to a specific label used in content (e.g. a te-label or a user-id). This reference is typically used if matching content attribute can be done efficiantly and can also be included in addition to a relationship-content-element-guid reference. 7.79. relationshipType Waltermire, et al. Expires October 29, 2017 [Page 48] Internet-Draft SACM Information Model April 2017 elementId: TBD name: relationshipType dataType: string status: current description: A set of types that is in every instance of a relationship subject to highlight what kind of relationship exists between the subject the relationship is included in (e.g. associated_with_user, applies_to_session, seen_on_interface, associated_with_flow, contains_virtual_device). 7.80. roleName elementId: TBD name: roleName dataType: string status: current description: A label that references a collection of privileges assigned to a specific entity. 7.81. sessionStateType elementId: TBD name: sessionStateType dataType: string status: current description: A set of types a discernible session (an ongoing network interaction) can be in (e.g. Authenticating, Authenticated, Postured, Started, Disconnected). 7.82. statementGuid elementId: TBD name: statementGuid dataType: string status: current description: A label that expresses a global unique ID referencing a specific SACM statement that was produced by a SACM component. 7.83. statementType Waltermire, et al. Expires October 29, 2017 [Page 49] Internet-Draft SACM Information Model April 2017 elementId: TBD name: statementType dataType: string status: current description: A set of types that define the type of content that is included in a SACM statement (e.g. Observation, DirectoryContent, Correlation, Assessment, Guidance, Event). 7.84. status elementId: TBD name: status dataType: string status: current description: A set of types that defines possible result values for a finding in general (e.g. true, false, error, unknown, not applicable, not evaluated). 7.85. subAdministrativeDomain elementId: TBD name: subAdministrativeDomain dataType: string status: current description: A label for related child domains an administrative domain can be composed of (used in the subject administrativeDomain). 7.86. subInterfaceLabel elementId: TBD name: subInterfaceLabel dataType: string status: current description: A unique label a sub network interface (e.g. a tagged vlan on a trunk) can be referenced with. 7.87. superAdministrativeDomain elementId: TBD name: superAdministrativeDomain dataType: string status: current description: a label for related parent domains an administrative domain is part of (used in the subject administrativeDomain). Waltermire, et al. Expires October 29, 2017 [Page 50] Internet-Draft SACM Information Model April 2017 7.88. superInterfaceLabel elementId: TBD name: superInterfaceLabel dataType: string status: current description: a unique label a super network interface (e.g. a physical interface a tunnel interface terminates on) can be referenced with. 7.89. teAssessmentState elementId: TBD name: teAssessmentState dataType: string status: current description: a set of types that defines the state of assessment of a target-endpoint (e.g. in-discovery, discovered, in-classification, classified, in-assessment, assessed). 7.90. teLabel elementId: TBD name: teLabel dataType: string status: current description: an identifying label created from a set of identifying attributes used to reference a specific target endpoint. 7.91. teId elementId: TBD name: teId dataType: string status: current description: an identifying label that is created randomly, is supposed to be unique, and used to reference a specific target endpoint. 7.92. timestampType Waltermire, et al. Expires October 29, 2017 [Page 51] Internet-Draft SACM Information Model April 2017 elementId: TBD name: timestampType dataType: string status: current description: a set of types that express what type of action or event happened at that point of time (e.g. discovered, classified, collected, published). Can be included in a generic timestamp subject. 7.93. unitsReceived elementId: TBD name: unitsReceived dataType: string status: current description: a value that represents a number of units (e.g. frames, packets, cells or segments) received on a network interface. 7.94. unitsSent elementId: TBD name: unitsSent dataType: string status: current description: a value that represents a number of units (e.g. frames, packets, cells or segments) sent on a network interface. 7.95. userDirectory elementId: TBD name: userDirectory dataType: string status: current description: a label that identifies a specific type of user-directory (e.g. ldap, active-directory, local-user). 7.96. sacmUserId elementId: TBD name: sacmUserId dataType: string status: current description: a label that references a specific user known in a SACM domain. Waltermire, et al. Expires October 29, 2017 [Page 52] Internet-Draft SACM Information Model April 2017 7.97. webSite elementId: TBD name: webSite dataType: string status: current description: a URI that references a web-site. 7.98. WGS84Longitude elementId: TBD name: WGS84Longitude dataType: float64 status: current description: a label that represents WGS 84 rev 2004 longitude. 7.99. WGS84Latitude elementId: TBD name: WGS84Latitude dataType: float64 status: current description: a label that represents WGS 84 rev 2004 latitude. 7.100. WGS84Altitude elementId: TBD name: WGS84Altitude dataType: float64 status: current description: a label that represents WGS 84 rev 2004 altitude. 7.101. hardwareSerialNumber elementId: TBD name: hardwareSerialNumber dataType: string status: current description: A globally unique identifier for a particular piece of hardware assigned by the vendor. Waltermire, et al. Expires October 29, 2017 [Page 53] Internet-Draft SACM Information Model April 2017 7.102. interfaceName elementId: TBD name: interfaceName dataType: string status: current description: A short name uniquely describing an interface, e.g. "Eth1/0". See [RFC2863] for the definition of the ifName object. 7.103. interfaceIndex elementId: TBD name: interfaceIndex dataType: unsigned32 status: current description: The index of an interface installed on an endpoint. The value matches the value of managed object 'ifIndex' as defined in [RFC2863]. Note that ifIndex values are not assigned statically to an interface and that the interfaces may be renumbered every time the device's management system is re-initialized, as specified in [RFC2863]. 7.104. interfaceMacAddress elementId: TBD name: interfaceMacAddress dataType: macAddress status: current description: The IEEE 802 MAC address associated with a network interface on an endpoint. 7.105. interfaceType elementId: TBD name: interfaceType dataType: unsigned32 status: current description: The type of a network interface. The value matches the value of managed object 'ifType' as defined in [IANA registry ianaiftype-mib]. 7.106. interfaceFlags Waltermire, et al. Expires October 29, 2017 [Page 54] Internet-Draft SACM Information Model April 2017 elementId: TBD name: interfaceFlags dataType: unsigned16 status: current description: This information element specifies the flags associated with a network interface. Possible values include: structure: Up ; 0x1 ; Interface is up. Broadcast ; 0x2 ; Broadcast address valid. Debug ; 0x4 ; Turn on debugging. Loopback ; 0x8 ; Is a loopback net. Point-to-point ; 0x10 ; Interface is point-to-point link. No trailers ; 0x20 ; Avoid use of trailers. Resources allocated ; 0x40 ; Resources allocated. No ARP ; 0x80 ; No address resolution protocol. Receive all ; 0x100 ; Receive all packets. 7.107. networkInterface elementId: TBD name: networkInterface dataType: orderedList status: current description: Information about a network interface installed on an endpoint. The following high-level digram describes the structure of networkInterface information element. structure: orderedList(interfaceName, interfaceIndex, macAddress, interfaceType, flags) 7.108. softwareIdentifier elementId: TBD name: softwareIdentifier dataType: string status: current description: A globally unique identifier for a particular software application. 7.109. softwareTitle Waltermire, et al. Expires October 29, 2017 [Page 55] Internet-Draft SACM Information Model April 2017 elementId: TBD name: softwareTitle dataType: string status: current description: The title of the software application. 7.110. softwareCreator elementId: TBD name: softwareCreator dataType: string status: current description: The software developer (e.g., vendor or author). 7.111. simpleSoftwareVersion elementId: TBD name: simpleSoftwareVersion dataType: string status: current description: The version string for a software application that conforms to the format of a list of hierarchical non-negative integers separated by a single character delimiter format. 7.112. rpmSoftwareVersion elementId: TBD name: rpmSoftwareVersion dataType: string status: current description: The version string for a software application that conforms to the EPOCH:VERSION-RELEASE format. 7.113. ciscoTrainSoftwareVersion elementId: TBD name: ciscoTrainSoftwareVersion dataType: string status: current description: The version string for a software application that conforms to the Cisco IOS Train string format. 7.114. softwareVersion Waltermire, et al. Expires October 29, 2017 [Page 56] Internet-Draft SACM Information Model April 2017 elementId: TBD name: softwareVerison dataType: category status: current description: The version of the software application. Software applications may be versioned using a number of schemas. The following high-level digram describes the structure of the softwareVersion information element. structure: category(simpleSoftwareVersion | rpmSoftwareVersion | ciscoTrainSoftwareVersion) 7.115. softwareLastUpdated elementId: TBD name: softwareLastUpdated dataType: dateTimeSeconds status: current description: The date and time when the software instance was last updated on the system (e.g., new version instlalled or patch applied) 7.116. softwareClass Waltermire, et al. Expires October 29, 2017 [Page 57] Internet-Draft SACM Information Model April 2017 elementId: TBD name: softwareClass dataType: enumeration status: current description: The class of the software instance. structure: Unknown ; 0x1 ; The class is not known. Other ; 0x2 ; The class is known, but, something other than a value listed in the enumeration. Driver ; 0x3 ; The class is a device driver. Configuration Software ; 0x4 ; The class is configuration software. Application Software ; 0x5 ; The class is application software. Instrumentation ; 0x6 ; The class is instrumentation. Diagnostic Software ; 0x8 ; The class is diagnostic software. Operating System ; 0x9 ; The class is operating system. Middleware ; 0xA ; The class is middleware. Firmware ; 0xB ; The class is firmware. BIOS/FCode ; 0xC ; The class is BIOS or FCode. Support/Service Pack ; 0xD ; The class is a support or service pack. Software Bundle ; 0xE ; The class is a software bundle. References: See Classifications of the DMTF CIM_SoftwareIdentity schema. 7.117. softwareInstance elementId: TBD name: softwareInstance dataType: orderedList status: current description: Information about an instance of software installed on an endpoint. The following high-level digram describes the structure of the softwareInstance information element. structure: orderedList(softwareIdentifier, softwareTitle, softwareCreator, softwareVersion, softwareLastUpdated, softwareClass) Waltermire, et al. Expires October 29, 2017 [Page 58] Internet-Draft SACM Information Model April 2017 7.118. globallyUniqueIdentifier elementId: TBD name: globallyUniqueIdentifier dataType: unsigned8 status: current description: TODO. 7.119. creationTimestamp elementId: TBD name: creationTimestamp dataType: dateTimeSeconds status: current description: The date and time when the posture information was created by a SACM Component. 7.120. collectionTimestamp elementId: TBD name: collectionTimestamp dataType: dateTimeSeconds status: current description: The date and time when the posture information was collected or observed by a SACM Component. 7.121. publicationTimestamp elementId: TBD name: publicationTimestamp dataType: dateTimeSeconds status: current description: The date and time when the posture information was published. 7.122. relayTimestamp elementId: TBD name: relayTimestamp dataType: dateTimeSeconds status: current description: The date and time when the posture information was relayed to another SACM Component. Waltermire, et al. Expires October 29, 2017 [Page 59] Internet-Draft SACM Information Model April 2017 7.123. storageTimestamp elementId: TBD name: storageTimestamp dataType: dateTimeSeconds status: current description: The date and time when the posture information was stored in a Repository. 7.124. type elementId: TBD name: type dataType: enumeration status: current description: The type of data model use to represent some set of endpoint information. The following table lists the set of data models supported by SACM. structure: TBD 7.125. protocolIdentifier elementId: TBD name: protocolIdentifier dataType: unsigned8 status: current description: The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry. In Internet Protocol version 4 (IPv4), this is carried in the Protocol field. In Internet Protocol version 6 (IPv6), this is carried in the Next Header field in the last extension header of the packet. 7.126. sourceTransportPort elementId: TBD name: sourceTransportPort dataType: unsigned16 status: current description: The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. This field MAY also be used for future transport protocols that have 16-bit source port identifiers. Waltermire, et al. Expires October 29, 2017 [Page 60] Internet-Draft SACM Information Model April 2017 7.127. sourceIPv4PrefixLength elementId: TBD name: sourceIPv4PrefixLength dataType: unsigned8 status: current description: The number of contiguous bits that are relevant in the sourceIPv4Prefix Information Element. 7.128. ingressInterface elementId: TBD name: ingressInterface dataType: unsigned32 status: current description: The index of the IP interface where packets of this Flow are being received. The value matches the value of managed object 'ifIndex' as defined in [RFC2863]. Note that ifIndex values are not assigned statically to an interface and that the interfaces may be renumbered every time the device's management system is re-initialized, as specified in [RFC2863]. 7.129. destinationTransportPort elementId: TBD name: destinationTransportPort dataType: unsigned16 status: current description: The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. This field MAY also be used for future transport protocols that have 16-bit destination port identifiers. 7.130. sourceIPv6PrefixLength elementId: TBD name: sourceIPv6PrefixLength dataType: unsigned8 status: current description: The number of contiguous bits that are relevant in the sourceIPv6Prefix Information Element. Waltermire, et al. Expires October 29, 2017 [Page 61] Internet-Draft SACM Information Model April 2017 7.131. sourceIPv4Prefix elementId: TBD name: sourceIPv4Prefix dataType: ipv4Address status: current description: IPv4 source address prefix. 7.132. destinationIPv4Prefix elementId: TBD name: destinationIPv4Prefix dataType: ipv4Address status: current description: IPv4 destination address prefix. 7.133. sourceMacAddress elementId: TBD name: sourceMacAddress dataType: macAddress status: current description: The IEEE 802 source MAC address field. 7.134. ipVersion elementId: TBD name: ipVersion dataType: unsigned8 status: current description: The IP version field in the IP packet header. 7.135. interfaceDescription elementId: TBD name: interfaceDescription dataType: string status: current description: The description of an interface, e.g. "FastEthernet 1/0" or "ISP connection". 7.136. applicationDescription elementId: TBD name: applicationDescription dataType: string status: current description: Specifies the description of an application. Waltermire, et al. Expires October 29, 2017 [Page 62] Internet-Draft SACM Information Model April 2017 7.137. applicationId elementId: TBD name: applicationId dataType: octetArray status: current description: Specifies an Application ID per [RFC6759]. 7.138. applicationName elementId: TBD name: applicationName dataType: string status: current description: Specifies the name of an application. 7.139. exporterIPv4Address elementId: TBD name: exporterIPv4Address dataType: ipv4Address status: current description: The IPv4 address used by the Exporting Process. This is used by the Collector to identify the Exporter in cases where the identity of the Exporter may have been obscured by the use of a proxy. 7.140. exporterIPv6Address elementId: TBD name: exporterIPv6Address dataType: ipv6Address status: current description: The IPv6 address used by the Exporting Process. This is used by the Collector to identify the Exporter in cases where the identity of the Exporter may have been obscured by the use of a proxy. 7.141. portId Waltermire, et al. Expires October 29, 2017 [Page 63] Internet-Draft SACM Information Model April 2017 elementId: TBD name: portId dataType: unsigned32 status: current description: An identifier of a line port that is unique per IPFIX Device hosting an Observation Point. Typically, this Information Element is used for limiting the scope of other Information Elements. 7.142. templateId elementId: TBD name: templateId dataType: unsigned16 status: current description: An identifier of a Template that is locally unique within a combination of a Transport session and an Observation Domain. Template IDs 0-255 are reserved for Template Sets, Options Template Sets, and other reserved Sets yet to be created. Template IDs of Data Sets are numbered from 256 to 65535. Typically, this Information Element is used for limiting the scope of other Information Elements. Note that after a re-start of the Exporting Process Template identifiers may be re-assigned. 7.143. collectorIPv4Address elementId: TBD name: collectorIPv4Address dataType: ipv4Address status: current description: An IPv4 address to which the Exporting Process sends Flow information. 7.144. collectorIPv6Address elementId: TBD name: collectorIPv6Address dataType: ipv6Address status: current description: An IPv6 address to which the Exporting Process sends Flow information. Waltermire, et al. Expires October 29, 2017 [Page 64] Internet-Draft SACM Information Model April 2017 7.145. informationElementIndex elementId: TBD name: informationElementIndex dataType: unsigned16 status: current description: A zero-based index of an Information Element referenced by informationElementId within a Template referenced by templateId; used to disambiguate scope for templates containing multiple identical Information Elements. 7.146. informationElementId elementId: TBD name: informationElementId dataType: unsigned16 status: current description: This Information Element contains the ID of another Information Element. 7.147. informationElementDataType elementId: TBD name: informationElementDataType dataType: unsigned8 status: current description: A description of the abstract data type of an IPFIX information element.These are taken from the abstract data types defined in section 3.1 of the IPFIX Information Model [RFC5102]; see that section for more information on the types described in the informationElementDataType sub-registry. These types are registered in the IANA IPFIX Information Element Data Type subregistry. This subregistry is intended to assign numbers for type names, not to provide a mechanism for adding data types to the IPFIX Protocol, and as such requires a Standards Action [RFC5226] to modify. 7.148. informationElementDescription Waltermire, et al. Expires October 29, 2017 [Page 65] Internet-Draft SACM Information Model April 2017 elementId: TBD name: informationElementDescription dataType: string status: current description: A UTF-8 [RFC3629] encoded Unicode string containing a human-readable description of an Information Element. The content of the informationElementDescription MAY be annotated with one or more language tags [RFC4646], encoded in-line [RFC2482] within the UTF-8 string, in order to specify the language in which the description is written. Description text in multiple languages MAY tag each section with its own language tag; in this case, the description information in each language SHOULD have equivalent meaning. In the absence of any language tag, the "i-default" [RFC2277] language SHOULD be assumed. See the Security Considerations section for notes on string handling for Information Element type records. 7.149. informationElementName elementId: TBD name: informationElementName dataType: string status: current description: A UTF-8 [RFC3629] encoded Unicode string containing the name of an Information Element, intended as a simple identifier. See the Security Considerations section for notes on string handling for Information Element type records. 7.150. informationElementRangeBegin elementId: TBD name: informationElementRangeBegin dataType: unsigned64 status: current description: Contains the inclusive low end of the range of acceptable values for an Information Element. 7.151. informationElementRangeEnd Waltermire, et al. Expires October 29, 2017 [Page 66] Internet-Draft SACM Information Model April 2017 elementId: TBD name: informationElementRangeEnd dataType: unsigned64 status: current description: Contains the inclusive high end of the range of acceptable values for an Information Element. 7.152. informationElementSemantics elementId: TBD name: informationElementSemantics dataType: unsigned8 status: current description: A description of the semantics of an IPFIX Information Element. These are taken from the data type semantics defined in section 3.2 of the IPFIX Information Model [RFC5102]; see that section for more information on the types defined in the informationElementSemantics sub-registry. This field may take the values in Table ; the special value 0x00 (default) is used to note that no semantics apply to the field; it cannot be manipulated by a Collecting Process or File Reader that does not understand it a priori. These semantics are registered in the IANA IPFIX Information Element Semantics subregistry. This subregistry is intended to assign numbers for semantics names, not to provide a mechanism for adding semantics to the IPFIX Protocol, and as such requires a Standards Action [RFC5226] to modify. 7.153. informationElementUnits Waltermire, et al. Expires October 29, 2017 [Page 67] Internet-Draft SACM Information Model April 2017 elementId: TBD name: informationElementUnits dataType: unsigned16 status: current description: A description of the units of an IPFIX Information Element. These correspond to the units implicitly defined in the Information Element definitions in section 5 of the IPFIX Information Model [RFC5102]; see that section for more information on the types described in the informationElementsUnits sub-registry. This field may take the values in Table 3 below; the special value 0x00 (none) is used to note that the field is unitless. These types are registered in the IANA IPFIX Information Element Units subregistry; new types may be added on a First Come First Served [RFC5226] basis. 7.154. applicationCategoryName elementId: TBD name: applicationCategoryName dataType: string status: current description: An attribute that provides a first level categorization for each Application ID. 7.155. mibObjectValueInteger elementId: TBD name: mibObjectValueInteger dataType: signed64 status: current description: An IPFIX Information Element which denotes that the integer value of a MIB object will be exported. The MIB Object Identifier ("mibObjectIdentifier") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of Integer32 and INTEGER with IPFIX Reduced Size Encoding used as required. The value is encoded as per the standard IPFIX Abstract Data Type of signed64. Waltermire, et al. Expires October 29, 2017 [Page 68] Internet-Draft SACM Information Model April 2017 7.156. mibObjectValueOctetString elementId: TBD name: mibObjectValueOctetString dataType: octetArray status: current description: An IPFIX Information Element which denotes that an Octet String or Opaque value of a MIB object will be exported. The MIB Object Identifier ("mibObjectIdentifier") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of OCTET STRING and Opaque. The value is encoded as per the standard IPFIX Abstract Data Type of octetArray. 7.157. mibObjectValueOID elementId: TBD name: mibObjectValueOID dataType: octetArray status: current description: An IPFIX Information Element which denotes that an Object Identifier or OID value of a MIB object will be exported. The MIB Object Identifier ("mibObjectIdentifier") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of OBJECT IDENTIFIER. Note - In this case the "mibObjectIdentifier" will define which MIB object is being exported while the value contained in this Information Element will be an OID as a value. The mibObjectValueOID Information Element is encoded as ASN.1/BER [BER] in an octetArray. 7.158. mibObjectValueBits Waltermire, et al. Expires October 29, 2017 [Page 69] Internet-Draft SACM Information Model April 2017 elementId: TBD name: mibObjectValueBits dataType: octetArray status: current description: An IPFIX Information Element which denotes that a set of Enumerated flags or bits from a MIB object will be exported. The MIB Object Identifier ("mibObjectIdentifier") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of BITS. The flags or bits are encoded as per the standard IPFIX Abstract Data Type of octetArray, with sufficient length to accommodate the required number of bits. If the number of bits is not an integer multiple of octets then the most significant bits at end of the octetArray MUST be set to zero. 7.159. mibObjectValueIPAddress elementId: TBD name: mibObjectValueIPAddress dataType: ipv4Address status: current description: An IPFIX Information Element which denotes that the IPv4 Address of a MIB object will be exported. The MIB Object Identifier ("mibObjectIdentifier") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of IPaddress. The value is encoded as per the standard IPFIX Abstract Data Type of ipv4Address. 7.160. mibObjectValueCounter Waltermire, et al. Expires October 29, 2017 [Page 70] Internet-Draft SACM Information Model April 2017 elementId: TBD name: mibObjectValueCounter dataType: unsigned64 status: current description: An IPFIX Information Element which denotes that the counter value of a MIB object will be exported. The MIB Object Identifier ("mibObjectIdentifier") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of Counter32 or Counter64 with IPFIX Reduced Size Encoding used as required. The value is encoded as per the standard IPFIX Abstract Data Type of unsigned64. 7.161. mibObjectValueGauge elementId: TBD name: mibObjectValueGauge dataType: unsigned32 status: current description: An IPFIX Information Element which denotes that the Gauge value of a MIB object will be exported. The MIB Object Identifier ("mibObjectIdentifier") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of Gauge32. The value is encoded as per the standard IPFIX Abstract Data Type of unsigned64. This value will represent a non-negative integer, which may increase or decrease, but shall never exceed a maximum value, nor fall below a minimum value. 7.162. mibObjectValueTimeTicks elementId: TBD name: mibObjectValueTimeTicks dataType: unsigned32 status: current description: An IPFIX Information Element which denotes that the TimeTicks value of a MIB object will be exported. The MIB Object Identifier ("mibObjectIdentifier") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of TimeTicks. The value is encoded as per the standard IPFIX Abstract Data Type of unsigned32. Waltermire, et al. Expires October 29, 2017 [Page 71] Internet-Draft SACM Information Model April 2017 7.163. mibObjectValueUnsigned elementId: TBD name: mibObjectValueUnsigned dataType: unsigned64 status: current description: An IPFIX Information Element which denotes that an unsigned integer value of a MIB object will be exported. The MIB Object Identifier ("mibObjectIdentifier") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of unsigned64 with IPFIX Reduced Size Encoding used as required. The value is encoded as per the standard IPFIX Abstract Data Type of unsigned64. 7.164. mibObjectValueTable elementId: TBD name: mibObjectValueTable dataType: orderedList status: current description: An IPFIX Information Element which denotes that a complete or partial conceptual table will be exported. The MIB Object Identifier ("mibObjectIdentifier") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with a SYNTAX of SEQUENCE. This is encoded as a subTemplateList of mibObjectValue Information Elements. The template specified in the subTemplateList MUST be an Options Template and MUST include all the Objects listed in the INDEX clause as Scope Fields. structure: orderedList(mibObjectValueRow+) 7.165. mibObjectValueRow Waltermire, et al. Expires October 29, 2017 [Page 72] Internet-Draft SACM Information Model April 2017 elementId: TBD name: mibObjectValueRow dataType: orderedList status: current description: An IPFIX Information Element which denotes that a single row of a conceptual table will be exported. The MIB Object Identifier ("mibObjectIdentifier") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with a SYNTAX of SEQUENCE. This is encoded as a subTemplateList of mibObjectValue Information Elements. The subTemplateList exported MUST contain exactly one row (i.e., one instance of the subtemplate). The template specified in the subTemplateList MUST be an Options Template and MUST include all the Objects listed in the INDEX clause as Scope Fields. structure: orderedList(mibObjectValue+) 7.166. mibObjectIdentifier elementId: TBD name: mibObjectIdentifier dataType: octetArray status: current description: An IPFIX Information Element which denotes that a MIB Object Identifier (MIB OID) is exported in the (Options) Template Record. The mibObjectIdentifier Information Element contains the OID assigned to the MIB Object Type Definition encoded as ASN.1/BER [BER]. 7.167. mibSubIdentifier elementId: TBD name: mibSubIdentifier dataType: unsigned32 status: current description: A non-negative sub-identifier of an Object Identifier (OID). 7.168. mibIndexIndicator Waltermire, et al. Expires October 29, 2017 [Page 73] Internet-Draft SACM Information Model April 2017 elementId: TBD name: mibIndexIndicator dataType: unsigned64 status: current description: This set of bit fields is used for marking the Information Elements of a Data Record that serve as INDEX MIB objects for an indexed Columnar MIB object. Each bit represents an Information Element in the Data Record with the n-th bit representing the n-th Information Element. A bit set to value 1 indicates that the corresponding Information Element is an index of the Columnar Object represented by the mibFieldValue. A bit set to value 0 indicates that this is not the case. If the Data Record contains more than 64 Information Elements, the corresponding Template SHOULD be designed such that all INDEX Fields are among the first 64 Information Elements, because the mibIndexIndicator only contains 64 bits. If the Data Record contains less than 64 Information Elements, then the extra bits in the mibIndexIndicator for which no corresponding Information Element exists MUST have the value 0, and must be disregarded by the Collector. This Information Element may be exported with IPFIX Reduced Size Encoding. 7.169. mibCaptureTimeSemantics Waltermire, et al. Expires October 29, 2017 [Page 74] Internet-Draft SACM Information Model April 2017 elementId: TBD name: mibCaptureTimeSemantics dataType: unsigned8 status: current description: Indicates when in the lifetime of the flow the MIB value was retrieved from the MIB for a mibObjectIdentifier. This is used to indicate if the value exported was collected from the MIB closer to flow creation or flow export time and will refer to the Timestamp fields included in the same record. This field SHOULD be used when exporting a mibObjectValue that specifies counters or statistics. If the MIB value was sampled by SNMP prior to the IPFIX Metering Process or Exporting Process retrieving the value (i.e., the data is already stale) and it's important to know the exact sampling time, then an additional observationTime* element should be paired with the OID using structured data. Similarly, if different mibCaptureTimeSemantics apply to different mibObject elements within the Data Record, then individual mibCaptureTimeSemantics should be paired with each OID using structured data. Values: 0. undefined 1. begin - The value for the MIB object is captured from the MIB when the Flow is first observed 2. end - The value for the MIB object is captured from the MIB when the Flow ends 3. export - The value for the MIB object is captured from the MIB at export time 4. average - The value for the MIB object is an average of multiple captures from the MIB over the observed life of the Flow 7.170. mibContextEngineID elementId: TBD name: mibContextEngineID dataType: octetArray status: current description: A mibContextEngineID that specifies the SNMP engine ID for a MIB field being exported over IPFIX. Definition as per [RFC3411] section 3.3. Waltermire, et al. Expires October 29, 2017 [Page 75] Internet-Draft SACM Information Model April 2017 7.171. mibContextName elementId: TBD name: mibContextName dataType: string status: current description: This Information Element denotes that a MIB Context Name is specified for a MIB field being exported over IPFIX. Reference [RFC3411] section 3.3. 7.172. mibObjectName elementId: TBD name: mibObjectName dataType: string status: current description: The name (called a descriptor in [RFC2578] of an object type definition. 7.173. mibObjectDescription elementId: TBD name: mibObjectDescription dataType: string status: current description: The value of the DESCRIPTION clause of an MIB object type definition. 7.174. mibObjectSyntax elementId: TBD name: mibObjectSyntax dataType: string status: current description: The value of the SYNTAX clause of an MIB object type definition, which may include a Textual Convention or Subtyping. See [RFC2578]. 7.175. mibModuleName elementId: TBD name: mibModuleName dataType: string status: current description: The textual name of the MIB module that defines a MIB Object. Waltermire, et al. Expires October 29, 2017 [Page 76] Internet-Draft SACM Information Model April 2017 7.176. interface elementId: TBD name: interface dataType: list structure: list (interfaceName, hwAddress, inetAddr, netmask) status: current description: Represents an interface and its configuration options. 7.177. iflisteners elementId: TBD name: iflisteners dataType: list structure: list (interfaceName, physicalProtocol, hwAddress, programName, pid, userId) status: current description: Stores the results of checking for applications that are bound to an ethernet interface on the system. 7.178. physicalProtocol elementId: TBD name: physicalProtocol dataType: enumeration structure: ETH_P_LOOP ; 0x1 ; Ethernet loopback packet. ETH_P_PUP ; 0x2 ; Xerox PUP packet. ETH_P_PUPAT ; 0x3 ; Xerox PUP Address Transport packet. ETH_P_IP ; 0x4 ; Internet protocol packet. ETH_P_X25 ; 0x5 ; CCITT X.25 packet. ETH_P_ARP ; 0x6 ; Address resolution packet. ETH_P_BPQ ; 0x7 ; G8BPQ AX.25 ethernet packet. ETH_P_IEEEPUP ; 0x8 ; Xerox IEEE802.3 PUP packet. ETH_P_IEEEPUPAT ; 0x9 ; Xerox IEEE802.3 PUP address transport packet. ETH_P_DEC ; 0xA ; DEC assigned protocol. ETH_P_DNA_DL ; 0xB ; DEC DNA Dump/Load. ETH_P_DNA_RC ; 0xC ; DEC DNA Remote Console. ETH_P_DNA_RT ; 0xD ; DEC DNA Routing. ETH_P_LAT ; 0xE ; DEC LAT. ETH_P_DIAG ; 0xF ; DEC Diagnostics. ETH_P_CUST ; 0x10 ; DEC Customer use. ETH_P_SCA ; 0x11 ; DEC Systems Comms Arch. ETH_P_RARP ; 0x12 ; Reverse address resolution packet. ETH_P_ATALK ; 0x13 ; Appletalk DDP. ETH_P_AARP ; 0x14 ; Appletalk AARP. Waltermire, et al. Expires October 29, 2017 [Page 77] Internet-Draft SACM Information Model April 2017 ETH_P_8021Q ; 0x15 ; 802.1Q VLAN Extended Header. ETH_P_IPX ; 0x16 ; IPX over DIX. ETH_P_IPV6 ; 0x17 ; IPv6 over bluebook. ETH_P_SLOW ; 0x18 ; Slow Protocol. See 802.3ad 43B. ETH_P_WCCP ; 0x19 ; Web-cache coordination protocol. ETH_P_PPP_DISC ; 0x1A ; PPPoE discovery messages. ETH_P_PPP_SES ; 0x1B ; PPPoE session messages. ETH_P_MPLS_UC ; 0x1C ; MPLS Unicast traffic. ETH_P_MPLS_MC ; 0x1D ; MPLS Multicast traffic. ETH_P_ATMMPOA ; 0x1E ; MultiProtocol Over ATM. ETH_P_ATMFATE ; 0x1F ; Frame-based ATM Transport over Ethernet. ETH_P_AOE ; 0x20 ; ATA over Ethernet. ETH_P_TIPC ; 0x21 ; TIPC. ETH_P_802_3 ; 0x22 ; Dummy type for 802.3 frames. ETH_P_AX25 ; 0x23 ; Dummy protocol id for AX.25. ETH_P_ALL ; 0x24 ; Every packet. ETH_P_802_2 ; 0x25 ; 802.2 frames. ETH_P_SNAP ; 0x26 ; Internal only. ETH_P_DDCMP ; 0x27 ; DEC DDCMP: Internal only ETH_P_WAN_PPP ; 0x28 ; Dummy type for WAN PPP frames. ETH_P_PPP_MP ; 0x29 ; Dummy type for PPP MP frames. ETH_P_PPPTALK ; 0x2A ; Dummy type for Atalk over PPP. ETH_P_LOCALTALK ; 0x2B ; Localtalk pseudo type. ETH_P_TR_802_2 ; 0x2C ; 802.2 frames. ETH_P_MOBITEX ; 0x2D ; Mobitex. ETH_P_CONTROL ; 0x2E ; Card specific control frames. ETH_P_IRDA ; 0x2F ; Linux-IrDA. ETH_P_ECONET ; 0x30 ; Acorn Econet. ETH_P_HDLC ; 0x31 ; HDLC frames. ETH_P_ARCNET ; 0x32 ; 1A for ArcNet. ; 0x33 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: The physical layer protocol used by the AF_PACKET socket. 7.179. hwAddress elementId: TBD name: hwAddress dataType: string status: current description: The hardware address associated with the interface. Waltermire, et al. Expires October 29, 2017 [Page 78] Internet-Draft SACM Information Model April 2017 7.180. programName elementId: TBD name: programName dataType: string status: current description: The name of the communicating program. 7.181. userId elementId: TBD name: userId dataType: unsigned32 status: current description: The numeric user id. 7.182. inetlisteningserver elementId: TBD name: inetlisteningserver dataType: list structure: list (transportProtocol, localAddress, localPort, localFullAddress, programName, foreignAddress, foreignPort, foreignFullAddress, pid, userId) status: current description: Stores the results of checking for network servers currently active on a system. It holds information pertaining to a specific protocol-address-port combination. 7.183. transportProtocol elementId: TBD name: transportProtocol dataType: string status: current description: The transport-layer protocol (tcp or udp). 7.184. localAddress elementId: TBD name: localAddress dataType: ipAddress status: current description: This is the IP address being listened to. Note that the IP address can be IPv4 or IPv6. Waltermire, et al. Expires October 29, 2017 [Page 79] Internet-Draft SACM Information Model April 2017 7.185. localPort elementId: TBD name: localPort dataType: unsigned32 status: current description: This is the TCP or UDP port being listened to. 7.186. localFullAddress elementId: TBD name: localFullAddress dataType: string status: current description: The IP address and network port on which the program listens, including the local address and the local port. Note that the IP address can be IPv4 or IPv6. 7.187. foreignAddress elementId: TBD name: foreignAddress dataType: ipAddress status: current description: The IP address with which the program is communicating, or with which it will communicate. Note that the IP address can be IPv4 or IPv6. 7.188. foreignFullAddress elementId: TBD name: foreignFullAddress dataType: ipAddress status: current description: The IP address and network port to which the program is communicating or will accept communications from, including the foreign address and foreign port. Note that the IP address can be IPv4 or IPv6. 7.189. selinuxboolean Waltermire, et al. Expires October 29, 2017 [Page 80] Internet-Draft SACM Information Model April 2017 elementId: TBD name: selinuxboolean dataType: list structure: list (selinuxName, currentStatus, pendingStatus) status: current description: Describes the current and pending status of a SELinux boolean. 7.190. selinuxName elementId: TBD name: selinuxName dataType: string status: current description: The name of the SELinux boolean. 7.191. currentStatus elementId: TBD name: currentStatus dataType: boolean status: current description: Indicates current state of the specified SELinux boolean. 7.192. pendingStatus elementId: TBD name: pendingStatus dataType: boolean status: current description: Indicates the pending state of the specified SELinux boolean. 7.193. selinuxsecuritycontext elementId: TBD name: selinuxsecuritycontext dataType: list structure: list (filepath, path, filename, pid, username, role, domainType, lowSensitivity, lowCategory, highSensitivity, highCategory, rawlowSensitivity, rawlowCategory, rawhighSensitivity, rawhighCategory) status: current description: Describes the SELinux security context of a file or process on the local system. Waltermire, et al. Expires October 29, 2017 [Page 81] Internet-Draft SACM Information Model April 2017 7.194. filepath elementId: TBD name: filepath dataType: string status: current description: Specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath. 7.195. path elementId: TBD name: path dataType: string status: current description: Specifies the directory component of the absolute path to a file on the machine. 7.196. filename elementId: TBD name: filename dataType: string status: current description: The name of the file. 7.197. pid elementId: TBD name: pid dataType: unsigned32 status: current description: The process ID of the process. 7.198. role elementId: TBD name: role dataType: string status: current description: Specifies the types that a process may transition to (domain transitions). Waltermire, et al. Expires October 29, 2017 [Page 82] Internet-Draft SACM Information Model April 2017 7.199. domainType elementId: TBD name: domainType dataType: string status: current description: Specifies the domain in which the file is accessible or the domain in which a process executes. 7.200. lowSensitivity elementId: TBD name: lowSensitivity dataType: string status: current description: Specifies the current sensitivity of a file or process. 7.201. lowCategory elementId: TBD name: lowCategory dataType: string status: current description: Specifies the set of categories associated with the low sensitivity. 7.202. highSensitivity elementId: TBD name: highSensitivity dataType: string status: current description: Specifies the maximum range for a file or the clearance for a process. 7.203. highCategory elementId: TBD name: highCategory dataType: string status: current description: Specifies the set of categories associated with the high sensitivity. Waltermire, et al. Expires October 29, 2017 [Page 83] Internet-Draft SACM Information Model April 2017 7.204. rawlowSensitivity elementId: TBD name: rawlowSensitivity dataType: string status: current description: Specifies the current sensitivity of a file or process but in its raw context. 7.205. rawlowCategory elementId: TBD name: rawlowCategory dataType: string status: current description: Specifies the set of categories associated with the low sensitivity but in its raw context. 7.206. rawhighSensitivity elementId: TBD name: rawhighSensitivity dataType: string status: current description: Specifies the maximum range for a file or the clearance for a process but in its raw context. 7.207. rawhighCategory elementId: TBD name: rawhighCategory dataType: string status: current description: Specifies the set of categories associated with the high sensitivity but in its raw context. 7.208. systemdunitdependency elementId: TBD name: systemdunitdependency dataType: list structure: list (unit, dependency) status: current description: Stores the dependencies of the systemd unit. Waltermire, et al. Expires October 29, 2017 [Page 84] Internet-Draft SACM Information Model April 2017 7.209. unit elementId: TBD name: unit dataType: string status: current description: Refers to the full systemd unit name, which has a form of "$name.$type". For example "cupsd.service". This name is usually also the filename of the unit configuration file. 7.210. dependency elementId: TBD name: dependency dataType: string status: current description: Refers to the name of a unit that was confirmed to be a dependency of the given unit. 7.211. systemdunitproperty elementId: TBD name: systemdunitproperty dataType: list structure: list (unit, property, systemdunitValue) status: current description: Stores the properties and values of a systemd unit. 7.212. property elementId: TBD name: property dataType: string status: current description: The property associated with a systemd unit. 7.213. systemdunitValue elementId: TBD name: systemdunitValue dataType: string status: current description: The value of the property associated with a systemd unit. Exactly one value shall be used for all property types except dbus arrays - each array element shall be represented by one value. Waltermire, et al. Expires October 29, 2017 [Page 85] Internet-Draft SACM Information Model April 2017 7.214. file elementId: TBD name: file dataType: list structure: list (filepath, path, filename, fileType, userId, aTime, cTime, mTime, size) status: current description: The metadata associated with a file on the endpoint. 7.215. fileType elementId: TBD name: fileType dataType: string status: current description: The file's type (e.g., regular file (regular), directory, named pipe (fifo), symbolic link, socket or block special.) 7.216. groupId elementId: TBD name: groupId dataType: unsigned32 status: current description: The group owner of the file, by group number. 7.217. aTime elementId: TBD name: aTime dataType: dateTimeSeconds status: current description: The time that the file was last accessed. 7.218. cTime elementId: TBD name: cTime dataType: dateTimeSeconds status: current description: The time of the last change to the file's inode. Waltermire, et al. Expires October 29, 2017 [Page 86] Internet-Draft SACM Information Model April 2017 7.219. mTime elementId: TBD name: mTime dataType: dateTimeSeconds status: current description: The time of the last change to the file's contents. 7.220. size elementId: TBD name: size dataType: unsigned32 status: current description: This is the size of the file in bytes. 7.221. suid elementId: TBD name: suid dataType: boolean status: current description: Indicates whether the program runs with the uid (thus privileges) of the file's owner, rather than the calling user. 7.222. sgid elementId: TBD name: sgid dataType: boolean status: current description: Indicates whether the program runs with the gid (thus privileges) of the file's group owner, rather than the calling user's group. 7.223. sticky elementId: TBD name: sticky dataType: boolean status: current description: Indicates whether users can delete each other's files in this directory, when said directory is writable by those users. Waltermire, et al. Expires October 29, 2017 [Page 87] Internet-Draft SACM Information Model April 2017 7.224. hasExtendedAcl elementId: TBD name: hasExtendedAcl dataType: boolean status: current description: Indicates whether the file or directory hasACL permissions applied to it. If a system supports ACLs and the file or directory doesn't have an ACL, or it matches the standard UNIX permissions, the entity will have a status of 'exists' and a value of 'false'. If the system supports ACLs and the file or directory has an ACL, the entity will have a status of 'exists' and a value of 'true'. Lastly, if a system doesn't support ACLs, the entity will have a status of 'does not exist'. 7.225. inetd elementId: TBD name: inetd dataType: list structure: list (serviceProtocol, serviceName, serverProgram, serverArguments, inetdEndpointType, execAsUser, waitStatus) status: current description: Holds information associated with different Internet services. 7.226. serverProgram elementId: TBD name: serverProgram dataType: string status: current description: Either the pathname of a server program to be invoked by inetd to perform the requested service, or the value internal if inetd itself provides the service. 7.227. inetdEndpointType Waltermire, et al. Expires October 29, 2017 [Page 88] Internet-Draft SACM Information Model April 2017 elementId: TBD name: inetdEndpointType dataType: enumeration structure: stream ; 0x1 ; The stream value is used to describe a stream socket. dgram ; 0x2 ; The dgram value is used to describe a datagram socket. raw ; 0x3 ; The raw value is used to describe a raw socket. seqpacket ; 0x4 ; The seqpacket value is used to describe a sequenced packet socket. tli ; 0x5 ; The tli value is used to describe all TLI endpoints. sunrpc_tcp ; 0x6 ; The sunrpc_tcp value is used to describe all SUNRPC TCP endpoints. sunrpc_udp ; 0x7 ; The sunrpc_udp value is used to describe all SUNRPC UDP endpoints. ; 0x8 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: The endpoint type (aka, socket type) associated with the service. 7.228. execAsUser elementId: TBD name: execAsUser dataType: string status: current description: The user id of the user the server program should run under. 7.229. waitStatus Waltermire, et al. Expires October 29, 2017 [Page 89] Internet-Draft SACM Information Model April 2017 elementId: TBD name: waitStatus dataType: enumeration structure: wait ; 0x1 ; The value of 'wait' specifies that the server that is invoked by inetd will take over the listening socket associated with the service, and once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests. nowait ; 0x2 ; The value of 'nowait' specifies that the server that is invoked by inetd will not wait for any existing server to finish before taking over the listening socket associated with the service. ; 0x3 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Specifies whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests. The legal values are "wait" or "nowait". 7.230. inetAddr elementId: TBD name: inetAddr dataType: ipAddress status: current description: The IP address of the specific interface. Note that the IP address can be IPv4 or IPv6. 7.231. netmask elementId: TBD name: netmask dataType: ipAddress status: current description: The bitmask used to calculate the interface's IP network. 7.232. passwordInfo Waltermire, et al. Expires October 29, 2017 [Page 90] Internet-Draft SACM Information Model April 2017 elementId: TBD name: passwordInfo dataType: list structure: list (username, password, userId, groupId, gcos, homeDir, loginShell, lastLogin) status: current description: Describes user account information for a system. 7.233. username elementId: TBD name: username dataType: string status: current description: The name of the user. 7.234. password elementId: TBD name: password dataType: string status: current description: The encrypted version of the user's password. 7.235. gcos elementId: TBD name: gcos dataType: string status: current description: 7.236. homeDir elementId: TBD name: homeDir dataType: string status: current description: The user's home directory. 7.237. loginShell Waltermire, et al. Expires October 29, 2017 [Page 91] Internet-Draft SACM Information Model April 2017 elementId: TBD name: loginShell dataType: string status: current description: The user's shell program. 7.238. lastLogin elementId: TBD name: lastLogin dataType: unsigned32 status: current description: The date and time when the last login occurred. 7.239. process elementId: TBD name: process dataType: list structure: list (commandLine, pid, ppid, priority, startTime) status: current description: Information about a process running on an endpoint. 7.240. commandLine elementId: TBD name: commandLine dataType: string status: current description: The string used to start the process. This includes any parameters that are part of the command line. 7.241. ppid elementId: TBD name: ppid dataType: unsigned32 status: current description: The process ID of the process's parent process. Waltermire, et al. Expires October 29, 2017 [Page 92] Internet-Draft SACM Information Model April 2017 7.242. priority elementId: TBD name: priority dataType: unsigned32 status: current description: The scheduling priority with which the process runs. 7.243. startTime elementId: TBD name: startTime dataType: string status: current description: The time of day the process started. 7.244. routingtable elementId: TBD name: routingtable dataType: list structure: list (destination, gateway, flags, interfaceName) status: current description: Holds information about an individual routing table entry found in a system's primary routing table. 7.245. destination elementId: TBD name: destination dataType: ipAddress status: current description: The destination IP address prefix of the routing table entry. 7.246. gateway elementId: TBD name: gateway dataType: ipAddress status: current description: The gateway of the specified routing table entry. Waltermire, et al. Expires October 29, 2017 [Page 93] Internet-Draft SACM Information Model April 2017 7.247. runlevelInfo elementId: TBD name: runlevelInfo dataType: list structure: list (serviceName, runlevel, start, kill) status: current description: Information about the start or kill state of a specified service at a given runlevel. 7.248. runlevel elementId: TBD name: runlevel dataType: string status: current description: Specifies the system runlevel associated with a service. 7.249. start elementId: TBD name: start dataType: boolean status: current description: Specifies whether the service is scheduled to start at the runlevel. 7.250. kill elementId: TBD name: kill dataType: boolean status: current description: Specifies whether the service is scheduled to be killed at the runlevel. 7.251. shadowItem elementId: TBD name: shadowItem dataType: list structure: list (username, password, chgLst, chgAllow, chgReq, expWarn, expInact, expDate, flags, encryptMethod) status: current description: Waltermire, et al. Expires October 29, 2017 [Page 94] Internet-Draft SACM Information Model April 2017 7.252. chgLst elementId: TBD name: chgLst dataType: dateTimeSeconds status: current description: The date of the last password change. 7.253. chgAllow elementId: TBD name: chgAllow dataType: unsigned32 status: current description: Specifies how often in days a user may change their password. It can also be thought of as the minimum age of a password. 7.254. chgReq elementId: TBD name: chgReq dataType: unsigned32 status: current description: Describes how long a user can keep a password before the system forces her to change it. 7.255. expWarn elementId: TBD name: expWarn dataType: unsigned32 status: current description: Describes how long before password expiration the system begins warning the user. 7.256. expInact elementId: TBD name: expInact dataType: unsigned32 status: current description: Describes how many days of account inactivity the system will wait after a password expires before locking the account. Waltermire, et al. Expires October 29, 2017 [Page 95] Internet-Draft SACM Information Model April 2017 7.257. expDate elementId: TBD name: expDate dataType: dateTimeSeconds status: current description: Specifies when will the account's password expire. 7.258. encryptMethod elementId: TBD name: encryptMethod dataType: enumeration structure: DES ; 0x1 ; The DES method corresponds to the (none) prefix. BSDi ; 0x2 ; The BSDi method corresponds to BSDi modified DES or the '_' prefix. MD5 ; 0x3 ; The MD5 method corresponds to MD5 for Linux/BSD or the $1$ prefix. Blowfish ; 0x4 ; The Blowfish method corresponds to Blowfish (OpenBSD) or the $2$ or $2a$ prefixes. Sun MD5 ; 0x5 ; The Sun MD5 method corresponds to the $md5$ prefix. SHA-256 ; 0x6 ; The SHA-256 method corresponds to the $5$ prefix. SHA-512 ; 0x7 ; The SHA-512 method corresponds to the $6$ prefix. ; 0x8 ; The empty string value is permitted here to allow for empty elements associated with variable references. status: current description: Describes method that is used for hashing passwords. 7.259. symlink elementId: TBD name: symlink dataType: list structure: list (symlinkFilepath, canonicalPath) status: current description: Identifies the result generated for a symlink. 7.260. symlinkFilepath Waltermire, et al. Expires October 29, 2017 [Page 96] Internet-Draft SACM Information Model April 2017 elementId: TBD name: symlinkFilepath dataType: string status: current description: Specifies the filepath to the subject symbolic link file. 7.261. canonicalPath elementId: TBD name: canonicalPath dataType: string status: current description: Specifies the canonical path for the target of the symbolic link file specified by the filepath. 7.262. sysctl elementId: TBD name: sysctl dataType: list structure: list (kernelParameterName, kernelParameterValue+, uname, machineClass, nodeName, osName, osRelease, osVersion, processorType) status: current description: Stores information retrieved from the local system about a kernel parameter and its respective value(s). 7.263. kernelParameterName elementId: TBD name: kernelParameterName dataType: string status: current description: The name of a kernel parameter that was collected from the local system. 7.264. kernelParameterValue elementId: TBD name: kernelParameterValue dataType: string status: current description: The current value(s) for the specified kernel parameter on the local system. Waltermire, et al. Expires October 29, 2017 [Page 97] Internet-Draft SACM Information Model April 2017 7.265. uname elementId: TBD name: uname dataType: list structure: list (machineClass, nodeName, osName, osRelease, osVersion, processorType) status: current description: Information about the hardware the machine is running on. 7.266. machineClass elementId: TBD name: machineClass dataType: string status: current description: Specifies the machine hardware name. 7.267. nodeName elementId: TBD name: nodeName dataType: string status: current description: Specifies the host name. 7.268. osName elementId: TBD name: osName dataType: string status: current description: Specifies the operating system name. 7.269. osRelease elementId: TBD name: osRelease dataType: string status: current description: Specifies the build version. Waltermire, et al. Expires October 29, 2017 [Page 98] Internet-Draft SACM Information Model April 2017 7.270. processorType elementId: TBD name: processorType dataType: string status: current description: Specifies the processor type. 7.271. internetService elementId: TBD name: internetService dataType: list structure: list (serviceProtocol, serviceName, flags, noAccess, onlyFrom, port, server, serverArguments, socketType, registeredServiceType, user, wait, disabled) status: current description: Holds information associated with Internet services. 7.272. serviceProtocol elementId: TBD name: serviceProtocol dataType: string status: current description: Specifies the protocol that is used by the service. 7.273. serviceName elementId: TBD name: serviceName dataType: string status: current description: Specifies the name of the service. 7.274. flags elementId: TBD name: flags dataType: string status: current description: Specifies miscellaneous settings associated with the service with executing a program. Waltermire, et al. Expires October 29, 2017 [Page 99] Internet-Draft SACM Information Model April 2017 7.275. noAccess elementId: TBD name: noAccess dataType: string status: current description: Specifies the remote hosts to which the service is unavailable. 7.276. onlyFrom elementId: TBD name: onlyFrom dataType: ipAddress status: current description: Specifies the remote hosts to which the service is available. 7.277. port elementId: TBD name: port dataType: unsigned32 status: current description: The port entity specifies the port used by the service. 7.278. server elementId: TBD name: server dataType: string status: current description: Specifies the executable that is used to launch the service. 7.279. serverArguments elementId: TBD name: serverArguments dataType: string status: current description: Specifies the arguments that are passed to the executable when launching the service. Waltermire, et al. Expires October 29, 2017 [Page 100] Internet-Draft SACM Information Model April 2017 7.280. socketType elementId: TBD name: socketType dataType: string status: current description: Specifies the type of socket that is used by the service. Possible values include: stream, dgram, raw, or seqpacket. 7.281. registeredServiceType elementId: TBD name: registeredServiceType dataType: enumeration structure: INTERNAL ; 0x1 ; The INTERNAL type is used to describe services like echo, chargen, and others whose functionality is supplied by xinetd itself. RPC ; 0x2 ; The RPC type is used to describe services that use remote procedure call ala NFS. UNLISTED ; 0x3 ; The UNLISTED type is used to describe services that aren't listed in /etc/protocols or /etc/rpc. TCPMUX ; 0x4 ; The TCPMUX type is used to describe services that conform to RFC 1078. This type indiciates that the service is responsible for handling the protocol handshake. TCPMUXPLUS ; 0x5 ; The TCPMUXPLUS type is used to describe services that conform to RFC 1078. This type indicates that xinetd is responsible for handling the protocol handshake. ; 0x6 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Specifies the type of internet service. 7.282. wait elementId: TBD name: wait dataType: boolean status: current description: Specifies whether or not the service is single-threaded or multi-threaded and whether or not xinetd accepts the connection or the service accepts the connection. A value of 'true' indicates that the service is single-threaded and the service will accept the connection. A value of 'false' indicates that the service is multi- threaded and xinetd will accept the connection. Waltermire, et al. Expires October 29, 2017 [Page 101] Internet-Draft SACM Information Model April 2017 7.283. disabled elementId: TBD name: disabled dataType: boolean status: current description: Specifies whether or not the service is disabled. A value of 'true' indicates that the service is disabled and will not start. A value of 'false' indicates that the service is not disabled. 7.284. windowsView elementId: TBD name: windowsView dataType: enumeration structure: 32_bit ; 0x1 ; Indicates the 32_bit windows view. 64_bit ; 0x2 ; Indicates the 64_bit windows view. ; 0x3 ; The empty string value is permitted here to allow for empty elements associated with error conditions. status: current description: Indicates from which view (32-bit or 64-bit), the information was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. 7.285. fileauditedpermissions elementId: TBD name: fileauditedpermissions dataType: list structure: list (filepath, path, filename, trusteeSid, trusteeName, auditStandardDelete, auditStandardReadControl, auditStandardWriteDac, auditStandardWriteOwner, auditStandardSynchronize, auditAccessSystemSecurity, auditGenericRead, auditGenericWrite, auditGenericExecute, auditGenericAll, auditFileReadData, auditFileWriteData, auditFileAppendData, auditFileReadEa, auditFileWriteEa, auditFileExecute, auditFileDeleteChild, auditFileReadAttributes, auditFileWriteAttributes, windowsView) status: current description: Stores the audited access rights of a file that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL. Waltermire, et al. Expires October 29, 2017 [Page 102] Internet-Draft SACM Information Model April 2017 7.286. trusteeName elementId: TBD name: trusteeName dataType: string status: current description: Specifies the trustee name. A trustee can be a user, group, or program (such as a Windows service). 7.287. auditStandardDelete elementId: TBD name: auditStandardDelete dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: The right to delete the object. 7.288. auditStandardReadControl Waltermire, et al. Expires October 29, 2017 [Page 103] Internet-Draft SACM Information Model April 2017 elementId: TBD name: auditStandardReadControl dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: The right to read the information in the object's security descriptor, not including the information in the SACL. 7.289. auditStandardWriteDac elementId: TBD name: auditStandardWriteDac dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: The right to modify the DACL in the object's security descriptor. 7.290. auditStandardWriteOwner Waltermire, et al. Expires October 29, 2017 [Page 104] Internet-Draft SACM Information Model April 2017 elementId: TBD name: auditStandardWriteOwner dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: The right to change the owner in the object's security descriptor. 7.291. auditStandardSynchronize elementId: TBD name: auditStandardSynchronize dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. 7.292. auditAccessSystemSecurity Waltermire, et al. Expires October 29, 2017 [Page 105] Internet-Draft SACM Information Model April 2017 elementId: TBD name: auditAccessSystemSecurity dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Indicates access to a system access control list (SACL). 7.293. auditGenericRead elementId: TBD name: auditGenericRead dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Read access. 7.294. auditGenericWrite Waltermire, et al. Expires October 29, 2017 [Page 106] Internet-Draft SACM Information Model April 2017 elementId: TBD name: auditGenericWrite dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Write access. 7.295. auditGenericExecute elementId: TBD name: auditGenericExecute dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Execute access. 7.296. auditGenericAll Waltermire, et al. Expires October 29, 2017 [Page 107] Internet-Draft SACM Information Model April 2017 elementId: TBD name: auditGenericAll dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Read, write, and execute access. 7.297. auditFileReadData elementId: TBD name: auditFileReadData dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Grants the right to read data from the file. 7.298. auditFileWriteData Waltermire, et al. Expires October 29, 2017 [Page 108] Internet-Draft SACM Information Model April 2017 elementId: TBD name: auditFileWriteData dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Grants the right to write data to the file. 7.299. auditFileAppendData elementId: TBD name: auditFileAppendData dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Grants the right to append data to the file. 7.300. auditFileReadEa Waltermire, et al. Expires October 29, 2017 [Page 109] Internet-Draft SACM Information Model April 2017 elementId: TBD name: auditFileReadEa dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Grants the right to read extended attributes. 7.301. auditFileWriteEa elementId: TBD name: auditFileWriteEa dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Grants the right to write extended attributes. 7.302. auditFileExecute Waltermire, et al. Expires October 29, 2017 [Page 110] Internet-Draft SACM Information Model April 2017 elementId: TBD name: auditFileExecute dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Grants the right to execute a file. 7.303. auditFileDeleteChild elementId: TBD name: auditFileDeleteChild dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Right to delete a directory and all the files it contains (its children), even if the files are read-only. 7.304. auditFileReadAttributes Waltermire, et al. Expires October 29, 2017 [Page 111] Internet-Draft SACM Information Model April 2017 elementId: TBD name: auditFileReadAttributes dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Grants the right to read file attributes. 7.305. auditFileWriteAttributes elementId: TBD name: auditFileWriteAttributes dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Grants the right to change file attributes. 7.306. fileeffectiverights Waltermire, et al. Expires October 29, 2017 [Page 112] Internet-Draft SACM Information Model April 2017 elementId: TBD name: fileeffectiverights dataType: list structure: list (filepath, path, filename, trusteeSid, trusteeName, standardDelete, standardReadControl, standardWriteDac, standardWriteOwner, standardSynchronize, accessSystemSecurity, genericRead, genericWrite, genericExecute, genericAll, fileReadData, fileWriteData, fileAppendData, fileReadEa, fileWriteEa, fileExecute, fileDeleteChild, fileReadAttributes, fileWriteAttributes, windowsView) status: current description: Stores the effective rights of a file that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. 7.307. standardDelete elementId: TBD name: standardDelete dataType: boolean status: current description: The right to delete the object. 7.308. standardReadControl elementId: TBD name: standardReadControl dataType: boolean status: current description: The right to read the information in the object's security descriptor, not including the information in the SACL. 7.309. standardWriteDac elementId: TBD name: standardWriteDac dataType: boolean status: current description: The right to modify the DACL in the object's security descriptor. Waltermire, et al. Expires October 29, 2017 [Page 113] Internet-Draft SACM Information Model April 2017 7.310. standardWriteOwner elementId: TBD name: standardWriteOwner dataType: boolean status: current description: The right to change the owner in the object's security descriptor. 7.311. standardSynchronize elementId: TBD name: standardSynchronize dataType: boolean status: current description: The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. 7.312. accessSystemSecurity elementId: TBD name: accessSystemSecurity dataType: boolean status: current description: Indicates access to a system access control list (SACL). 7.313. genericRead elementId: TBD name: genericRead dataType: boolean status: current description: Read access. 7.314. genericWrite elementId: TBD name: genericWrite dataType: boolean status: current description: Write access. Waltermire, et al. Expires October 29, 2017 [Page 114] Internet-Draft SACM Information Model April 2017 7.315. genericExecute elementId: TBD name: genericExecute dataType: boolean status: current description: Execute access. 7.316. genericAll elementId: TBD name: genericAll dataType: boolean status: current description: Read, write, and execute access. 7.317. fileReadData elementId: TBD name: fileReadData dataType: boolean status: current description: Grants the right to read data from the file 7.318. fileWriteData elementId: TBD name: fileWriteData dataType: boolean status: current description: Grants the right to write data to the file. 7.319. fileAppendData elementId: TBD name: fileAppendData dataType: boolean status: current description: Grants the right to append data to the file. Waltermire, et al. Expires October 29, 2017 [Page 115] Internet-Draft SACM Information Model April 2017 7.320. fileReadEa elementId: TBD name: fileReadEa dataType: boolean status: current description: Grants the right to read extended attributes. 7.321. fileWriteEa elementId: TBD name: fileWriteEa dataType: boolean status: current description: Grants the right to write extended attributes. 7.322. fileExecute elementId: TBD name: fileExecute dataType: boolean status: current description: Grants the right to execute a file. 7.323. fileDeleteChild elementId: TBD name: fileDeleteChild dataType: boolean status: current description: Right to delete a directory and all the files it contains (its children), even if the files are read-only. 7.324. fileReadAttributes elementId: TBD name: fileReadAttributes dataType: boolean status: current description: Grants the right to read file attributes. Waltermire, et al. Expires October 29, 2017 [Page 116] Internet-Draft SACM Information Model April 2017 7.325. fileWriteAttributes elementId: TBD name: fileWriteAttributes dataType: boolean status: current description: Grants the right to change file attributes. 7.326. groupInfo elementId: TBD name: groupInfo dataType: list structure: list (group, username, subgroup) status: current description: Specifies the different users and subgroups, that directly belong to specific groups. 7.327. group elementId: TBD name: group dataType: string status: current description: Represents the name of a particular group. 7.328. subgroup elementId: TBD name: subgroup dataType: string status: current description: Represents the name of a particular subgroup in the specified group. 7.329. groupSidInfo elementId: TBD name: groupSidInfo dataType: list structure: list (groupSid, userSid, subgroupSid) status: current description: Specifies the different users and subgroups, that directly belong to specific groups (identified by SID). Waltermire, et al. Expires October 29, 2017 [Page 117] Internet-Draft SACM Information Model April 2017 7.330. userSidInfo elementId: TBD name: userSidInfo dataType: list structure: list (userSid, enabled, groupSid, lastLogon) status: current description: Specifies the different groups (identified by SID) that a user belongs to. 7.331. userSid elementId: TBD name: userSid dataType: string status: current description: Represents the SID of a particular user. 7.332. subgroupSid elementId: TBD name: subgroupSid dataType: string status: current description: Represents the SID of a particular subgroup. 7.333. lockoutpolicy elementId: TBD name: lockoutpolicy dataType: list structure: list (forceLogoff, lockoutDuration, lockoutObservationWindow, lockoutThreshold) status: current description: Specifies various attributes associated with lockout information for users and global groups in the security database. 7.334. forceLogoff Waltermire, et al. Expires October 29, 2017 [Page 118] Internet-Draft SACM Information Model April 2017 elementId: TBD name: forceLogoff dataType: unsigned32 status: current description: Specifies, in seconds, the amount of time between the end of the valid logon time and the time when the user is forced to log off the network. 7.335. lockoutDuration elementId: TBD name: lockoutDuration dataType: unsigned32 status: current description: Specifies, in seconds, how long a locked account remains locked before it is automatically unlocked. 7.336. lockoutObservationWindow elementId: TBD name: lockoutObservationWindow dataType: unsigned32 status: current description: Specifies the maximum time, in seconds, that can elapse between any two failed logon attempts before lockout occurs. 7.337. lockoutThreshold elementId: TBD name: lockoutThreshold dataType: unsigned32 status: current description: Specifies the number of invalid password authentications that can occur before an account is marked "locked out." 7.338. passwordpolicy Waltermire, et al. Expires October 29, 2017 [Page 119] Internet-Draft SACM Information Model April 2017 elementId: TBD name: passwordpolicy dataType: list structure: list (maxPasswdAge, minPasswdAge, minPasswdLen, passwordHistLen, passwordComplexity, reversibleEncryption) status: current description: Specifies policy information associated with passwords. 7.339. maxPasswdAge elementId: TBD name: maxPasswdAge dataType: unsigned32 status: current description: Specifies, in seconds (from a DWORD), the maximum allowable password age. A value of TIMEQ_FOREVER (max DWORD value, 4294967295) indicates that the password never expires. The minimum valid value for this element is ONE_DAY (86400). See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet(). 7.340. minPasswdAge elementId: TBD name: minPasswdAge dataType: unsigned32 status: current description: Specifies the minimum number of seconds that can elapse between the time a password changes and when it can be changed again. A value of zero indicates that no delay is required between password updates. 7.341. minPasswdLen elementId: TBD name: minPasswdLen dataType: unsigned32 status: current description: Specifies the minimum allowable password length. Valid values for this element are zero through PWLEN. Waltermire, et al. Expires October 29, 2017 [Page 120] Internet-Draft SACM Information Model April 2017 7.342. passwordHistLen elementId: TBD name: passwordHistLen dataType: unsigned32 status: current description: Specifies the length of password history maintained. A new password cannot match any of the previous usrmod0_password_hist_len passwords. Valid values for this element are zero through DEF_MAX_PWHIST. 7.343. passwordComplexity elementId: TBD name: passwordComplexity dataType: boolean status: current description: Indicates whether passwords must meet the complexity requirements put forth by the operating system. 7.344. reversibleEncryption elementId: TBD name: reversibleEncryption dataType: boolean status: current description: Indicates whether or not passwords are stored using reversible encryption. 7.345. portInfo elementId: TBD name: portInfo dataType: list structure: list (localAddress, localPort, transportProtocol, pid, foreignAddress, foreignPort) status: current description: Information about open listening ports. 7.346. foreignPort elementId: TBD name: foreignPort dataType: string status: current description: The TCP or UDP port to which the program communicates. Waltermire, et al. Expires October 29, 2017 [Page 121] Internet-Draft SACM Information Model April 2017 7.347. printereffectiverights elementId: TBD name: printereffectiverights dataType: list structure: list (printerName, trusteeSid, standardDelete, standardReadControl, standardWriteDac, standardWriteOwner, standardSynchronize, accessSystemSecurity, genericRead, genericWrite, genericExecute, genericAll, printerAccessAdminister, printerAccessUse, jobAccessAdminister, jobAccessRead) status: current description: Stores the effective rights of a printer that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. 7.348. printerName elementId: TBD name: printerName dataType: string status: current description: Specifies the name of the printer. 7.349. printerAccessAdminister elementId: TBD name: printerAccessAdminister dataType: boolean status: current description: 7.350. printerAccessUse elementId: TBD name: printerAccessUse dataType: boolean status: current description: 7.351. jobAccessAdminister Waltermire, et al. Expires October 29, 2017 [Page 122] Internet-Draft SACM Information Model April 2017 elementId: TBD name: jobAccessAdminister dataType: boolean status: current description: 7.352. jobAccessRead elementId: TBD name: jobAccessRead dataType: boolean status: current description: 7.353. registry elementId: TBD name: registry dataType: list structure: list (registryHive, registryKey, registryKeyName, lastWriteTime, registryKeyType, registryKeyValue, windowsView) status: current description: Specifies information that can be collected about a particular registry key. 7.354. registryHive Waltermire, et al. Expires October 29, 2017 [Page 123] Internet-Draft SACM Information Model April 2017 elementId: TBD name: registryHive dataType: enumeration structure: HKEY_CLASSES_ROOT ; 0x1 ; This registry subtree contains information that associates file types with programs and configuration data for automation (e.g. COM objects and Visual Basic Programs). HKEY_CURRENT_CONFIG ; 0x2 ; This registry subtree contains configuration data for the current hardware profile. HKEY_CURRENT_USER ; 0x3 ; This registry subtree contains the user profile of the user that is currently logged into the system. HKEY_LOCAL_MACHINE ; 0x4 ; This registry subtree contains information about the local system. HKEY_USERS ; 0x5 ; This registry subtree contains user-specific data. ; 0x6 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: The hive that the registry key belongs to. 7.355. registryKey elementId: TBD name: registryKey dataType: string status: current description: Describes the registry key. Note that the hive portion of the string should not be included, as this data can be found under the hive element. 7.356. registryKeyName elementId: TBD name: registryKeyName dataType: string status: current description: Describes the name of a registry key. 7.357. lastWriteTime Waltermire, et al. Expires October 29, 2017 [Page 124] Internet-Draft SACM Information Model April 2017 elementId: TBD name: lastWriteTime dataType: unsigned64 status: current description: The last time that the key or any of its value entries were modified. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on any key, with hives being classified as a type of key. When collecting only information about a registry hive or key the last write time will be the time the key or any of its entries were modified. When collecting only information about a registry name the last write time will be the time the containing key was modified. Thus when collecting information about a registry name, the last write time does not correlate directly to the specified name. See the RegQueryInfoKey function lpftLastWriteTime. 7.358. registryKeyType elementId: TBD name: registryKeyType dataType: enumeration structure: reg_binary ; 0x1 ; The reg_binary type is used by registry keys that specify binary data in any form. reg_dword ; 0x2 ; The reg_dword type is used by registry keys that specify an unsigned 32-bit integer. reg_dword_little_endian ; 0x3 ; The reg_dword_little_endian type is used by registry keys that specify an unsigned 32-bit little-endian integer. It is designed to run on little-endian computer architectures. reg_dword_big_endian ; 0x4 ; The reg_dword_big_endian type is used by registry keys that specify an unsigned 32-bit big-endian integer. It is designed to run on big-endian computer architectures. reg_expand_sz ; 0x5 ; The reg_expand_sz type is used by registry keys to specify a null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%"). reg_link ; 0x6 ; The reg_link type is used by the registry keys for null-terminated unicode strings. It is related to target path of a symbolic link created by the RegCreateKeyEx function. reg_multi_sz ; 0x7 ; The reg_multi_sz type is used by registry keys that specify an array of null-terminated strings, terminated by two null characters. Waltermire, et al. Expires October 29, 2017 [Page 125] Internet-Draft SACM Information Model April 2017 reg_none; 0x8 ; The reg_none type is used by registry keys that have no defined value type. reg_qword; 0x9 ; The reg_qword type is used by registry keys that specify an unsigned 64-bit integer. reg_qword_little_endian; 0xA ; The reg_qword_little_endian type is used by registry keys that specify an unsigned 64-bit integer in little-endian computer architectures. reg_sz; 0xB ; The reg_sz type is used by registry keys that specify a single null-terminated string. reg_resource_list; 0xC ; The reg_resource_list type is used by registry keys that specify a resource list. reg_full_resource_descriptor; 0xD ; The reg_full_resource_descriptor type is used by registry keys that specify a full resource descriptor. reg_resource_requirements_list; 0xE ; The reg_resource_requirements_list type is used by registry keys that specify a resource requirements list. ; 0xF ; The empty string value is permitted here to allow for detailed error reporting. status: current description: Specifies the type of data stored by the registry key. 7.359. registryKeyValue Waltermire, et al. Expires October 29, 2017 [Page 126] Internet-Draft SACM Information Model April 2017 elementId: TBD name: registryKeyValue dataType: string status: current description: Holds the actual value of the specified registry key. The representation of the value as well as the associated datatype attribute depends on type of data stored in the registry key. If the value being tested is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the value being tested is of type REG_DWORD, REG_QWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, or REG_QWORD_LITTLE_ENDIAN then the datatype attribute should be set to 'int' and the value entity should represent the data as an unsigned integer. DWORD and QWORD values represnt unsigned 32-bit and 64-bit integers, respectively. If the value being tested is of type REG_EXPAND_SZ, then the datatype attribute should be set to 'string' and the pre-expanded string should be represented by the value entity. If the value being tested is of type REG_MULTI_SZ, then only a single string (one of the multiple strings) should be tested using the value entity with the datatype attribute set to 'string'. In order to test multiple values, multiple OVAL registry tests should be used. If the specified registry key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string. If the value being tested is of type REG_LINK, then the datatype attribute should be set to 'string' and the null-terminated Unicode string should be represented by the value entity. 7.360. regkeyauditedpermissions Waltermire, et al. Expires October 29, 2017 [Page 127] Internet-Draft SACM Information Model April 2017 elementId: TBD name: regkeyauditedpermissions dataType: list structure: list (registryKey, trusteeSid, trusteeName, standardDelete, standardReadControl, standardWriteDac, standardWriteOwner, standardSynchronize, accessSystemSecurity, genericRead, genericWrite, genericExecute, genericAll, keyQueryValue, keySetValue, keyCreateSubKey, keyEnumerateSubKeys, keyNotify, keyCreateLink, keyWow6464Key, keyWow6432Key, keyWow64Res, windowsView) status: current description: Stores the audited access rights of a registry key that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL. 7.361. auditKeyQueryValue elementId: TBD name: auditKeyQueryValue dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: 7.362. auditKeySetValue Waltermire, et al. Expires October 29, 2017 [Page 128] Internet-Draft SACM Information Model April 2017 elementId: TBD name: auditKeySetValue dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: 7.363. auditKeyCreateSubKey elementId: TBD name: auditKeyCreateSubKey dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: 7.364. auditKeyEnumerateSubKeys Waltermire, et al. Expires October 29, 2017 [Page 129] Internet-Draft SACM Information Model April 2017 elementId: TBD name: auditKeyEnumerateSubKeys dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: 7.365. auditKeyNotify elementId: TBD name: auditKeyNotify dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: 7.366. auditKeyCreateLink Waltermire, et al. Expires October 29, 2017 [Page 130] Internet-Draft SACM Information Model April 2017 elementId: TBD name: auditKeyCreateLink dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: 7.367. auditKeyWow6464Key elementId: TBD name: auditKeyWow6464Key dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: 7.368. auditKeyWow6432Key Waltermire, et al. Expires October 29, 2017 [Page 131] Internet-Draft SACM Information Model April 2017 elementId: TBD name: auditKeyWow6432Key dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: 7.369. auditKeyWow64Res elementId: TBD name: auditKeyWow64Res dataType: enumeration structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled. AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel all auditing options for the specified events. AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled. AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled. ; 0x5 ; The empty string value is permitted here to allow for detailed error reporting. status: current description: 7.370. regkeyeffectiverights Waltermire, et al. Expires October 29, 2017 [Page 132] Internet-Draft SACM Information Model April 2017 elementId: TBD name: regkeyeffectiverights dataType: list structure: list (registryHive, registryKey, trusteeSid, trusteeName, standardDelete, standardReadControl, standardWriteDac, standardWriteOwner, standardSynchronize, accessSystemSecurity, genericRead, genericWrite, genericExecute, genericAll, keyQueryValue, keySetValue, keyCreateSubKey, keyEnumerateSubKeys, keyNotify, keyCreateLink, keyWow6464Key, keyWow6432Key, keyWow64Res, windowsView) status: current description: Stores the effective rights of a registry key that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. 7.371. keyQueryValue elementId: TBD name: keyQueryValue dataType: boolean status: current description: Specifies whether or not permission is granted to query the key's value. 7.372. keySetValue elementId: TBD name: keySetValue dataType: boolean status: current description: Specifies whether or not permission is granted to set the key's value. 7.373. keyCreateSubKey elementId: TBD name: keyCreateSubKey dataType: boolean status: current description: Specifies whether or not permission is granted to create a subkey. Waltermire, et al. Expires October 29, 2017 [Page 133] Internet-Draft SACM Information Model April 2017 7.374. keyEnumerateSubKeys elementId: TBD name: keyEnumerateSubKeys dataType: boolean status: current description: Specifies whether or not permission is granted to list the subkeys associated with key. 7.375. keyNotify elementId: TBD name: keyNotify dataType: boolean status: current description: 7.376. keyCreateLink elementId: TBD name: keyCreateLink dataType: boolean status: current description: 7.377. keyWow6464Key elementId: TBD name: keyWow6464Key dataType: boolean status: current description: 7.378. keyWow6432Key elementId: TBD name: keyWow6432Key dataType: boolean status: current description: 7.379. keyWow64Res Waltermire, et al. Expires October 29, 2017 [Page 134] Internet-Draft SACM Information Model April 2017 elementId: TBD name: keyWow64Res dataType: boolean status: current description: 7.380. service elementId: TBD name: service dataType: list structure: list (serviceName, displayName, description, serviceType, startType, currentState, controlsAccepted, startName, path, pid, serviceFlag, dependencies) status: current description: Stores information about Windows services that are present on the system. 7.381. displayName elementId: TBD name: displayName dataType: string status: current description: Specifies the name of the service as specified in administrative tools. 7.382. description elementId: TBD name: description dataType: string status: current description: Specifies the description of the service. 7.383. serviceType Waltermire, et al. Expires October 29, 2017 [Page 135] Internet-Draft SACM Information Model April 2017 elementId: TBD name: serviceType dataType: enumeration structure: SERVICE_FILE_SYSTEM_DRIVER ; 0x1 ; The SERVICE_FILE_SYSTEM_DRIVER type means that the service is a file system driver. The DWORD value that this corresponds to is 0x00000002. SERVICE_KERNEL_DRIVER ; 0x2 ; The SERVICE_KERNEL_DRIVER type means that the service is a driver. The DWORD value that this corresponds to is 0x00000001. SERVICE_WIN32_OWN_PROCESS ; 0x3 ; The SERVICE_WIN32_OWN_PROCESS type means that the service runs in its own process. The DWORD value that this corresponds to is 0x00000010. SERVICE_WIN32_SHARE_PROCESS ; 0x4 ; The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000020. SERVICE_INTERACTIVE_PROCESS ; 0x5 ; The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000100. ; 0x6 ; The empty string value is permitted here to allow for empty elements associated with error conditions. status: current description: Specifies the type of the service. 7.384. startType Waltermire, et al. Expires October 29, 2017 [Page 136] Internet-Draft SACM Information Model April 2017 elementId: TBD name: startType dataType: enumeration structure: SERVICE_AUTO_START ; 0x1 ; The SERVICE_AUTO_START type means that the service is started automatically by the Service Control Manager (SCM) during startup. The DWORD value that this corresponds to is 0x00000002. SERVICE_BOOT_START ; 0x2 ; The SERVICE_BOOT_START type means that the driver service is started by the system loader. The DWORD value that this corresponds to is 0x00000000. SERVICE_DEMAND_START ; 0x3 ; The SERVICE_DEMAND_START type means that the service is started by the Service Control Manager (SCM) when StartService() is called. The DWORD value that this corresponds to is 0x00000003. SERVICE_DISABLED ; 0x4 ; The SERVICE_DISABLED type means that the service cannot be started. The DWORD value that this corresponds to is 0x00000004. SERVICE_SYSTEM_START ; 0x5 ; The SERVICE_SYSTEM_START type means that the service is a device driver started by IoInitSystem(). The DWORD value that this corresponds to is 0x00000001. ; 0x6 ; The empty string value is permitted here to allow for empty elements associated with error conditions. status: current description: Specifies when the service should be started. 7.385. currentState Waltermire, et al. Expires October 29, 2017 [Page 137] Internet-Draft SACM Information Model April 2017 elementId: TBD name: currentState dataType: enumeration structure: SERVICE_CONTINUE_PENDING ; 0x1 ; The SERVICE_CONTINUE_PENDING type means that the service has been sent a command to continue, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000005. SERVICE_PAUSE_PENDING ; 0x2 ; The SERVICE_PAUSE_PENDING type means that the service has been sent a command to pause, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000006. SERVICE_PAUSED ; 0x3 ; The SERVICE_PAUSED type means that the service is paused. The DWORD value that this corresponds to is 0x00000007. SERVICE_RUNNING ; 0x4 ; The SERVICE_RUNNING type means that the service is running. The DWORD value that this corresponds to is 0x00000004. SERVICE_START_PENDING ; 0x5 ; The SERVICE_START_PENDING type means that the service has been sent a command to start, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000002. SERVICE_STOP_PENDING ; 0x6 ; The SERVICE_STOP_PENDING type means that the service has been sent a command to stop, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000003. SERVICE_STOPPED ; 0x7 ; The SERVICE_STOPPED type means that the service is stopped. The DWORD value that this corresponds to is 0x00000001. ; 0x8 ; The empty string value is permitted here to allow for empty elements associated with error conditions. status: current description: Specifies the current state of the service. 7.386. controlsAccepted elementId: TBD name: controlsAccepted dataType: enumeration structure: SERVICE_ACCEPT_NETBINDCHANGE ; 0x1 ; The SERVICE_ACCEPT_NETBINDCHANGE type means that the service is a network component and can accept changes in its binding without being stopped or restarted. The DWORD value that this corresponds to is 0x00000010. SERVICE_ACCEPT_PARAMCHANGE ; 0x2 ; The SERVICE_ACCEPT_PARAMCHANGE Waltermire, et al. Expires October 29, 2017 [Page 138] Internet-Draft SACM Information Model April 2017 type means that the service can re-read its startup parameters without being stopped or restarted. The DWORD value that this corresponds to is 0x00000008. SERVICE_ACCEPT_PAUSE_CONTINUE ; 0x3 ; The SERVICE_ACCEPT_PAUSE_CONTINUE type means that the service can be paused or continued. The DWORD value that this corresponds to is 0x00000002. SERVICE_ACCEPT_PRESHUTDOWN ; 0x4 ; The SERVICE_ACCEPT_PRESHUTDOWN type means that the service can receive pre-shutdown notifications. The DWORD value that this corresponds to is 0x00000100. SERVICE_ACCEPT_SHUTDOWN ; 0x5 ; The SERVICE_ACCEPT_SHUTDOWN type means that the service can receive shutdown notifications. The DWORD value that this corresponds to is 0x00000004. SERVICE_ACCEPT_STOP ; 0x6 ; The SERVICE_ACCEPT_STOP type means that the service can be stopped. The DWORD value that this corresponds to is 0x00000001. SERVICE_ACCEPT_HARDWAREPROFILECHANGE ; 0x7 ; The SERVICE_ACCEPT_HARDWAREPROFILECHANGE type means that the service can receive notifications when the system's hardware profile changes. The DWORD value that this corresponds to is 0x00000020. SERVICE_ACCEPT_POWEREVENT ; 0x8 ; The SERVICE_ACCEPT_POWEREVENT type means that the service can receive notifications when the system's power status has changed. The DWORD value that this corresponds to is 0x00000040. SERVICE_ACCEPT_SESSIONCHANGE ; 0x9 ; The SERVICE_ACCEPT_SESSIONCHANGE type means that the service can receive notifications when the system's session status has changed. The DWORD value that this corresponds to is 0x00000080. SERVICE_ACCEPT_TIMECHANGE ; 0xA ; The SERVICE_ACCEPT_TIMECHANGE type means that the service can receive notifications when the system time changes. The DWORD value that this corresponds to is 0x00000200. SERVICE_ACCEPT_TRIGGEREVENT ; 0xB ; The SERVICE_ACCEPT_TRIGGEREVENT type means that the service can receive notifications when an event that the service has registered for occurs on the system. The DWORD value that this corresponds to is 0x00000400. ; 0xC ; The empty string value is permitted here to allow for empty elements associated with error conditions. status: current description: Specifies the control codes that a service will accept and process. Waltermire, et al. Expires October 29, 2017 [Page 139] Internet-Draft SACM Information Model April 2017 7.387. startName elementId: TBD name: startName dataType: string status: current description: Specifies the account under which the process should run. 7.388. serviceFlag elementId: TBD name: serviceFlag dataType: boolean status: current description: Specifies whether the service is in a system process that must always run (true) or if the service is in a non-system process or is not running (false). 7.389. dependencies elementId: TBD name: dependencies dataType: string status: current description: Specifies the dependencies of this service on other services. 7.390. serviceeffectiverights elementId: TBD name: serviceeffectiverights dataType: list structure: list (serviceName, trusteeSid, standardDelete, standardReadControl, standardWriteDac, standardWriteOwner, genericRead, genericWrite, genericExecute, serviceQueryConf, serviceChangeConf, serviceQueryStat, serviceEnumDependents, serviceStart, serviceStop, servicePause, serviceInterrogate, serviceUserDefined) status: current description: Stores the effective rights of a service that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. Waltermire, et al. Expires October 29, 2017 [Page 140] Internet-Draft SACM Information Model April 2017 7.391. trusteeSid elementId: TBD name: trusteeSid dataType: string status: current description: Specifies the SID that is associated with a user, group, system, or program (such as a Windows service). 7.392. serviceQueryConf elementId: TBD name: serviceQueryConf dataType: boolean status: current description: Specifies whether or not permission is granted to query the service configuration. 7.393. serviceChangeConf elementId: TBD name: serviceChangeConf dataType: boolean status: current description: Specifies whether or not permission is granted to change service configuration. 7.394. serviceQueryStat elementId: TBD name: serviceQueryStat dataType: boolean status: current description: Specifies whether or not permission is granted to query the service control manager about the status of the service. 7.395. serviceEnumDependents elementId: TBD name: serviceEnumDependents dataType: boolean status: current description: Specifies whether or not permission is granted to query for an enumeration of all the services dependent on the service. Waltermire, et al. Expires October 29, 2017 [Page 141] Internet-Draft SACM Information Model April 2017 7.396. serviceStart elementId: TBD name: serviceStart dataType: boolean status: current description: Specifies whether or not permission is granted to start the service. 7.397. serviceStop elementId: TBD name: serviceStop dataType: boolean status: current description: Specifies whether or not permission is granted to stop the service. 7.398. servicePause elementId: TBD name: servicePause dataType: boolean status: current description: Specifies whether or not permission is granted to pause or continue the service. 7.399. serviceInterrogate elementId: TBD name: serviceInterrogate dataType: boolean status: current description: Specifies whether or not permission is granted to request the service to report its status immediately. 7.400. serviceUserDefined elementId: TBD name: serviceUserDefined dataType: boolean status: current description: Specifies whether or not permission is granted to specify a user-defined control code. Waltermire, et al. Expires October 29, 2017 [Page 142] Internet-Draft SACM Information Model April 2017 7.401. sharedresourceauditedpermissions elementId: TBD name: sharedresourceauditedpermissions dataType: list structure: list (netname, trusteeSid, standardDelete, standardReadControl, standardWriteDac, standardWriteOwner, standardSynchronize, accessSystemSecurity, genericRead, genericWrite, genericExecute, genericAll) status: current description: Stores the audited access rights of a shared resource that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL. 7.402. netname elementId: TBD name: netname dataType: string status: current description: Specifies the name associated with a particular shared resource. 7.403. sharedresourceeffectiverights elementId: TBD name: sharedresourceeffectiverights dataType: list structure: list (netname, trusteeSid, standardDelete, standardReadControl, standardWriteDac, standardWriteOwner, standardSynchronize, accessSystemSecurity, genericRead, genericWrite, genericExecute, genericAll) status: current description: Stores the effective rights of a shared resource that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. Waltermire, et al. Expires October 29, 2017 [Page 143] Internet-Draft SACM Information Model April 2017 7.404. user elementId: TBD name: user dataType: list structure: list (username, enabled, group, lastLogon) status: current description: Specifies the groups to which a user belongs. 7.405. enabled elementId: TBD name: enabled dataType: boolean status: current description: Represents whether the particular user is enabled or not. 7.406. lastLogon elementId: TBD name: lastLogon dataType: unsigned32 status: current description: The date and time when the last logon occurred. 7.407. groupSid elementId: TBD name: groupSid dataType: string status: current description: Represents the SID of a particular group. If the specified user belongs to more than one group, then multiple groupSid elements are applicable. If the specified user is not a member of a single group, then a single groupSid element should be incldued with a status of 'does not exist'. If there is an error determining the groups that the user belongs to, then a single groupSid element should be included with a status of 'error'. 7.408. endpointType Waltermire, et al. Expires October 29, 2017 [Page 144] Internet-Draft SACM Information Model April 2017 elementId: TBD name: endpointType dataType: enumeration status: current description: The possible types of endpoint in the enterprise. structure: workstation; 0x1; Workstation Endpoint printer; 0x2; Printer Endpoint router; 0x3; Router Endpoint tablet; 0x4; Tablet Endpoint 7.409. endpointPurpose elementId: TBD name: endpointPurpose dataType: string status: current description: A description of how the endpoint is used within the enterprise. Examples include end user system, and public web server. 7.410. endpointCriticality elementId: TBD name: endpointCriticality dataType: string status: current description: An enterprise-defined rating which indicates the criticality of the endpoint. The rating should be specific enough to assess the impact to the overall enterprise if the endpoint is attacked or lost. 7.411. ingestTimestamp elementId: TBD name: ingestTimestamp dataType: dateTimeSeconds status: current description: The point in time that the description of a vulnerability was received by the enterprise. Waltermire, et al. Expires October 29, 2017 [Page 145] Internet-Draft SACM Information Model April 2017 7.412. vulnerabilityVersion elementId: TBD name: vulnerabilityVersion dataType: string status: current description: The version or iteration of the vulnerability description information (reported by the author, if applicable). 7.413. vulnerabilityExternalId elementId: TBD name: vulnerabilityExternalId dataType: string status: current description: An external or third-party ID assigned to the vulnerability description. This could be multiple IDs in some cases (e.g., vendor bug ID, global ID, discoverer's local ID, third-party vulnerability database ID, etc.). 7.414. vulnerabilitySeverity elementId: TBD name: vulnerabilitySeverity dataType: string status: current description: The severity of the vulnerability (reported by the author, if applicable). 7.415. assessmentTimestamp elementId: TBD name: assessmentTimestamp dataType: dateTimeSeconds status: current description: The point in time that the assessment was performed against an endpoint. 7.416. vulnerableSoftware Waltermire, et al. Expires October 29, 2017 [Page 146] Internet-Draft SACM Information Model April 2017 elementId: TBD name: vulnerableSoftware dataType: list status: current description: A listing of software products installed on the endpoint which are known to have vulnerabilities. structure: list(softwareInstance*) 7.417. endpointVulnerabilityStatus elementId: TBD name: endpointVulnerabilityStatus dataType: enumeration status: current description: Overall vulnerability status of an enterprise endpoint. structure: Pass; 0x1; Endpoint passed the vulnerability test(s). Fail; 0x2; Endpoint failed the vulnerability test(s). 7.418. vulnerabilityDescription elementId: TBD name: vulnerabilityDescription dataType: string status: current description: A human-readable description of the vulnerability. 8. Acknowledgements Many of the specifications in this document have been developed in a public-private partnership with vendors and end-users. The hard work of the SCAP community is appreciated in advancing these efforts to their current level of adoption. Over the course of developing the initial draft, Brant Cheikes, Matt Hansbury, Daniel Haynes, Scott Pope, Charles Schmidt, and Steve Venema have contributed text to many sections of this document. Waltermire, et al. Expires October 29, 2017 [Page 147] Internet-Draft SACM Information Model April 2017 9. IANA Considerations This document specifies an initial set of Information Elements for SACM in Section 7. An Internet Assigned Numbers Authority (IANA) registry will be created and populated with the Information Elements in Section 7. New assignments for SACM Information Elements will be administered by IANA through Expert Review [RFC2434]. The designated experts MUST check the requested Information Elements for completeness and accuracy of the submission with respect to the template and requirements expressed in Section 4 and Section 4.1. Requests for Information Elements that duplicate the functionality of existing Information Elements SHOULD be declined. The smallest available Information Element identifier SHOULD be assigned to a new Information Element. The definition of new Information Elements MUST be published using a well-established and persistent publication medium. 10. Security Considerations Posture Assessments need to be performed in a safe and secure manner. In that regard, there are multiple aspects of security that apply to the communications between components as well as the capabilities themselves. This information model only contains an initial listing of items that need to be considered with respect to security and will need to be augmented as the model continues to be developed. Security considerations include: Authentication: Every SACM Component and asset needs to be able to identify itself and verify the identity of other SACM Components and assets. Confidentiality: Communications between SACM Components need to be protected from eavesdropping or unauthorized collection. Some communications between SACM Components and assets may need to be protected as well. Integrity: The information exchanged between SACM Components needs to be protected from modification. Some exchanges between assets and SACM Components will also have this requirement. Restricted Access: Access to the information collected, evaluated, reported, and stored should only be viewable and consumable to authenticated and authorized entities. Considerations with respect to the operational aspects of collection, evaluation, and storage security automation information can be found in Section 11. Waltermire, et al. Expires October 29, 2017 [Page 148] Internet-Draft SACM Information Model April 2017 Considerations concerning the privacy of security automation information can be found in Section 12. 11. Operational Considerations The following sections outline a series of operational considerations for SACM deployments within an organization. This section may be expanded to include other considerations as the WG gains additional operational experience with SACM deployments and extending the information model. 11.1. Endpoint Designation In order to successfully carry out endpoint posture assessment, it is necessary to be able to identify the endpoints on a network and track the changes to them over time. Specifically, enabling SACM Components to: o Tell whether two endpoint attribute assertions concern the same endpoint o Respond to compliance measurements, for example by reporting, remediating, and quarantining (SACM does not specify these responses, but SACM exists to enable them). Ideally, every endpoint would be identified by a unique identifier present on the endpoint, but, this is complicated due to different factors such as the variety of endpoints on a network, the ability of tools to reliably access such an identifer, and the ability of tools to correlate disparate identifiers. As a result, it is necessary for an endpoint to be identified by a set of attributes that uniquely identify it on a network. The set of attributes that uniquely identify an endpoint on a network will likely vary by organization; however, there are a number of properties to consider when selecting identifying attributes as some are better suited for identification purposes than others. Multiplicity: Is the attribute typically associated with a single endpoint or with multiple endpoints? If the attribute is associated with a single endpoint, it is better for identifying an endpoint on a network. Persistence: How likely is the attribute to change? Does it never change? Does it only change when the endpoint is reprovisioned? Does it only change due to an event? Does it change on an ad-hoc and often unpredictable basis? Does it constantly change? The less likely it is for an attribute to Waltermire, et al. Expires October 29, 2017 [Page 149] Internet-Draft SACM Information Model April 2017 change over time, the better it is for identifying an endpoint on a network. Immutability: How difficult is it to change the attribute? Is the attribute hardware rooted and never changes? Can the attribute be changed by a user/process with the appropriate access? Can the attribute be changed without controlled access. The less likely an attribute is to change over time, the better chance it will be usable to identify an endpoint over time. Verifiable: Can the attribute be corroborated? Can the attribute be externally verified with source authentication? Can the attribute be externally verified without source authentication? Is it impossible to externally verify the attribute. Attributes that can be externally verified are more likely to be accurate and are better for identifying endpoints on a network. With that said, requiring SACM Components and end users to constantly refer to a set of attributes to identify an endpoint, is particularly burdensome. As a result, SACM supports the concept of a target endpoint label which associates an identifier (unique to a SACM domain) with the set of attributes used by an organization to identify endpoints on a network. Once defined for an endpoint, the target endpoint label can be used in place of the set of identifying attributes. 11.2. Timestamp Accuracy An organization will likely have different collectors deployed across the network that will be configured to collect posture attributes on varying frequencies (periodic, ad-hoc, event-driven, on endpoint, off endpoint, etc.). Some collectors will detect changes as soon as they occur whereas others will detect them at a later point during a periodic scan or when an event has triggered the collection of posture attributes. Furthermore, some changes will be detected on the endpoint and others will be observed off of the endpoint. As a result of these differences, the accuracy of the timestamp associated with the collected information will vary. For example, if a collector is only running once every 12 hours, the change probably happened at some point in time prior to the scan and the timestamp is likely not accurate. Due to this, it is important for system administrators to determine if the accuracy of a timestamp is good enough for their intended purposes. Waltermire, et al. Expires October 29, 2017 [Page 150] Internet-Draft SACM Information Model April 2017 12. Privacy Considerations In the IETF, there are privacy concerns with respect to endpoint identity and monitoring. This is especially true when the activity on an endpoint can be linked to a particular person. For example, by correlating endpoint attributes such as usernames, certificates, etc. with browser activity, it may be possible to gain insight in to user behavior and trends beyond what is required to carry out endpoint posture assessments. In the hands of the wrong person, this information could be used to negatively influence a user's behavior or to plan attacks against the organization's infrastructure. As a result, SACM data models should incorporate a mechanism by which an organization can designate which endpoint attributes are considered sensitive with respect to privacy. This will allow SACM Components to handle endpoint attributes in a manner consistent with the organization's privacy policies. Furthermore, organization's should put the proper mechanism in place to ensure endpoint attributes are protected when transmitted, stored, and accessed to ensure only authorized parties are granted access. It should also be noted that some of this is often mitigated by organizational policies that require a user of an organization's network to consent to some level of monitoring in return for access to the network and other resources. The information that is monitored and collected will vary by organization and further highlights the need for a mechanism by which an organization can specify what constitutes privacy sensitive information for them. 13. References 13.1. Normative References [PEN] Internet Assigned Numbers Authority, "Private Enterprise Numbers", July 2016, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . 13.2. Informative References [I-D.ietf-sacm-requirements] Cam-Winget, N. and L. Lorenzin, "Secure Automation and Continuous Monitoring (SACM) Requirements", draft-ietf- sacm-requirements-01 (work in progress), October 2014. Waltermire, et al. Expires October 29, 2017 [Page 151] Internet-Draft SACM Information Model April 2017 [I-D.ietf-sacm-terminology] Waltermire, D., Montville, A., Harrington, D., and N. Cam- Winget, "Terminology for Security Assessment", draft-ietf- sacm-terminology-05 (work in progress), August 2014. [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", RFC 2434, DOI 10.17487/RFC2434, October 1998, . [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, DOI 10.17487/RFC3580, September 2003, . [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, . [RFC5209] Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J. Tardo, "Network Endpoint Assessment (NEA): Overview and Requirements", RFC 5209, DOI 10.17487/RFC5209, June 2008, . [RFC7012] Claise, B., Ed. and B. Trammell, Ed., "Information Model for IP Flow Information Export (IPFIX)", RFC 7012, DOI 10.17487/RFC7012, September 2013, . [RFC7632] Waltermire, D. and D. Harrington, "Endpoint Security Posture Assessment: Enterprise Use Cases", RFC 7632, DOI 10.17487/RFC7632, September 2015, . Appendix A. Change Log A.1. Changes in Revision 01 Added some proposed normative text. For provenance: Added a class "Method" Added the produced-using relationship between an AVP and a method Waltermire, et al. Expires October 29, 2017 [Page 152] Internet-Draft SACM Information Model April 2017 Added the produced-by relationship between a Guidance and a SACM Component Added the hosted-by relationship between a SACM Component and an Endpoint asserted-by and summarized-by have been renamed to produced-by. "User" is now "Account". If a user has different credentials, SACM cannot know that they belong to the same user. But, per Kim W, many organizations do have accounts that associate credentials. The multiplicity of the based-on relationships has been corrected. More relationships now have labels, per UML convention. The diagram no longer has causal arrow. They had become redundant and were nonstandard and clutter. Renamed "credential" to "identity", following industry usage. A credential includes proof, such as a key or password. A username or a distinguished name is called an "identity". Removed Session, because an endpoint's network activity is not SACM's initial focus Removed Authorization, for the same reason Added many-to-many relationship between Hardware Component and Endpoint, for clarity Added many-to-many relationship between Software Component and Endpoint, for clarity Added "contains" relationship between Network Interface and Network Interface Removed relationship between Network Interface and Account. The endpoint knows the identity it used to gain network access. The PDP also knows that. But they probably do not know the account. Added relationship between Network Interface and Identity. The endpoint and the PDP will typically know the identity. Made identity-to-account a many-to-one relationship. Waltermire, et al. Expires October 29, 2017 [Page 153] Internet-Draft SACM Information Model April 2017 A.2. Changes in Revision 02 Added Section Identifying Attributes. Split the figure into Figure Model of Endpoint and Figure Information Elements. Added Figure Information Elements Take 2, proposing a triple-store model. Some editorial cleanup A.3. Changes in Revision 03 Moved Appendix A.1, Appendix A.2, and Mapping to SACM Use Cases into the Appendix. Added a reference to it in Section 1 Added the Section 4 section. Provided notes for the type of information we need to add in this section. Added the Section 6 section. Moved sections on Endpoint, Hardware Component, Software Component, Hardware Instance, and Software Instance there. Provided notes for the type of information we need to add in this section. Removed the Provenance of Information Section. SACM is not going to solve provenance rather give organizations enough information to figure it out. Updated references to the Endpoint Security Posture Assessment: Enterprise Use Cases document to reflect that it was published as an RFC. Fixed the formatting of a few figures. Included references to [RFC3580] where RADIUS is mentioned. A.4. Changes in Revision 04 Integrated the IPFIX [RFC7012] syntax into Section 4. Converted many of the existing SACM Information Elements to the IPFIX syntax. Included existing IPFIX Information Elements and datatypes that could likely be reused for SACM in Section 7 and Section 4 respectively. Waltermire, et al. Expires October 29, 2017 [Page 154] Internet-Draft SACM Information Model April 2017 Removed the sections related to reports as described in https://github.com/sacmwg/draft-ietf-sacm-information-model/ issues/30. Cleaned up other text throughout the document. A.5. Changes in Revision 05 Merged proposed changes from the I-D IM into the WG IM (https://github.com/sacmwg/draft-ietf-sacm-information-model/ issues/41). Fixed some formatting warnings. Removed a duplicate IE and added a few IE datatypes that were missing. A.6. Changes in Revision 06 Clarified that the SACM statement and content-element subjects are conceptual and that they do not need to be explicitly defined in a data model as long as the necessary information is provided. Updated the IPFIX syntax used to define Information Elements. There are still a couple of open issues that need to be resolved. Updated some of the Information Elements contained in Section 7 to use the revised IPFIX syntax. The rest of the Information Elements will be converted in a later revision. Performed various clean-up and refactoring in Sections 6 and 7. Still need to go through Section 8. Removed appendices that were not referenced in the body of the draft. The text from them is still available in previous revisions of this document if needed. A.7. Changes in Revision 07 Made various changes to the IPFIX syntax based on discussions at the IETF 96 Meeting. Changes included the addition of a structure property to the IE specification template, the creation of an enumeration datatype, and the specification of an IE naming convention. Provided text to define Collection Guidance, Evaluation Guidance, Classification Guidance, Storage Guidance, and Evaluation Results. Waltermire, et al. Expires October 29, 2017 [Page 155] Internet-Draft SACM Information Model April 2017 Included additional IEs related to software, configuration, and the vulnerability assessment scenario. Added text for the IANA considerations, security considerations, operational considerations, and privacy considerations sections. Performed various other editorial changes and clean-up. A.8. Changes in Revision 08 Clarified text that describes subjects and attributes. Clarified text that describes SACM Statements and Content Elements. Removed stray metadata property fields from the definitions of several IEs. Specified a syntax for defining category IEs. Added an anyCategory IE that represents any IE in the IM. Fixed several errors reported by the Travis-CI continuous integration service. Performed various other editorial changes and clean-up. A.9. Changes in Revision 09 Added "derived", "authority", and "verified" to the collectionTaskType IE (https://github.com/sacmwg/draft-ietf-sacm- information-model/issues/18). Updated IE examples that use content-type to use statement-type (https://github.com/sacmwg/draft-ietf-sacm-information-model/ issues/56). Added "networkZoneLocation", "layer2NetworkLocation", and "layer3NetworkLocation" IEs (https://github.com/sacmwg/draft-ietf- sacm-information-model/issues/9). Created a softwareClass attribute IE and added it to the softwareInstance subject IE. Also, removed the os* attribute IEs (https://github.com/sacmwg/draft-ietf-sacm-information-model/ issues/10). Waltermire, et al. Expires October 29, 2017 [Page 156] Internet-Draft SACM Information Model April 2017 A.10. Changes in Revision 10 Added several IEs necessary for the SACM Vulnerability Assessment Scenario (https://github.com/sacmwg/draft-ietf-sacm-information- model/issues/43). Fixed various typos and formatting issues. Authors' Addresses David Waltermire (editor) National Institute of Standards and Technology 100 Bureau Drive Gaithersburg, Maryland 20877 USA Email: david.waltermire@nist.gov Kim Watson United States Department of Homeland Security DHS/CS&C/FNR 245 Murray Ln. SW, Bldg 410 MS0613 Washington, DC 20528 USA Email: kimberly.watson@hq.dhs.gov Clifford Kahn Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 USA Email: cliffordk@pulsesecure.net Lisa Lorenzin Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 USA Email: llorenzin@pulsesecure.net Waltermire, et al. Expires October 29, 2017 [Page 157] Internet-Draft SACM Information Model April 2017 Michael Cokus The MITRE Corporation 903 Enterprise Parkway, Suite 200 Hampton, VA 23666 USA Email: msc@mitre.org Daniel Haynes The MITRE Corporation 202 Burlington Road Bedford, MA 01730 USA Email: dhaynes@mitre.org Henk Birkholz Fraunhofer SIT Rheinstrasse 75 Darmstadt 64295 Germany Email: henk.birkholz@sit.fraunhofer.de Waltermire, et al. Expires October 29, 2017 [Page 158]