Re: [sacm] Hackathon Goals and Stretch Goals
Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Mon, 22 May 2017 16:48 UTC
Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DD20126CF6 for <sacm@ietfa.amsl.com>; Mon, 22 May 2017 09:48:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v1wdMrh_HGl4 for <sacm@ietfa.amsl.com>; Mon, 22 May 2017 09:48:45 -0700 (PDT)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51D4F126BF3 for <sacm@ietf.org>; Mon, 22 May 2017 09:48:43 -0700 (PDT)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.14.4/8.14.4/Debian-2ubuntu2.1) with ESMTP id v4MGmdsU027731 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <sacm@ietf.org>; Mon, 22 May 2017 18:48:41 +0200
Received: from [192.168.16.50] (134.102.43.163) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 22 May 2017 18:48:34 +0200
To: sacm@ietf.org
References: <CACknUNUhqqdumk1wombsAha0TQS4O4dNpajUs2Ak4jWDWZHXaA@mail.gmail.com> <CACknUNUQ_sgw46GsU8LoOq1puEyo8DUnJ4599h0GE=+Nc2Hxow@mail.gmail.com> <MWHPR09MB1440A80762DE455376735978F0E10@MWHPR09MB1440.namprd09.prod.outlook.com> <CACknUNUA0YH5EXQrPJHMWqfp=PZcVc_FpeTR0T9SmRMsteSvhw@mail.gmail.com> <CAA=AuEf_7A4ObvoiGHHzhtzNTS2B3Wxiz+WcBjwc8dqh4z7h2g@mail.gmail.com> <DM5PR09MB1354402E944E81A585B279D1A5E60@DM5PR09MB1354.namprd09.prod.outlook.com> <90838fdd-07be-fdf8-300f-614425d360ec@sit.fraunhofer.de> <CACknUNU-kuGMi8Oass_JT+3CvpAgbm8PAb1_KDTwM6D2X1o-JQ@mail.gmail.com> <CAN40gStPGRW7P6m2m7QrO8awCuksjyQoga4QCD3BzFqa_GN26Q@mail.gmail.com> <DM5PR09MB1354F148919DE47F23F3F087A5F80@DM5PR09MB1354.namprd09.prod.outlook.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <653be99c-7502-210d-ccd1-5dc5811b8cee@sit.fraunhofer.de>
Date: Mon, 22 May 2017 18:48:32 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <DM5PR09MB1354F148919DE47F23F3F087A5F80@DM5PR09MB1354.namprd09.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Originating-IP: [134.102.43.163]
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/L7yPPeHELwqZQjTV8tfN4yacN6U>
Subject: Re: [sacm] Hackathon Goals and Stretch Goals
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2017 16:48:48 -0000
Hello all, I totally agree that the method employed in Collection Tasks should not use the inter-component mechanism/format of distributing SACM content with. E.g. if there is a SWID repository that is a database (there are open but not commonly or currently used examples for data base schemas in regard to the outdated 2009 version of SWID, as far as I know), of course an SQL query is used to collect them. In this example the acquisition method employed by a Collector is simply an SQL used by that data base. We SHOULD NOT build an alternative way to convey that information! Same goes for Attributes via IF-M to address Danny's example. Now, looking downstream, the information queried has to be composed into an actual tag. Most likely, a DB about tags will store the most important items to query tags in tables (e.g. tag_id, entity_id, package_name, version, etc.) and also the complete XML blob (if it fits into a DB value, they can be large if stored in native XML). This is the way that the only open source example that I actually personally know of does it, at least. If you finally have that tag (re-composed or queried en'blob) collected and it is about a vulnerable software package that is currently installed as software instances on target endpoints, how to convey that information to other downstream components is the interesting point here: Partial, or as a byte blob, or mapped to IE, at least in a way that is not surprising to any SACM component in general. If we do not use a common message encoding and msg structure (data model) here (may it even be so preliminary that we just learn to use sth else), how should interop with further components work? I was under the impression that is the point of the IM? If nobody has the time to do this (which might be the only concern?), I can whip up an example using XSD and CDDL, and even YANG for YANG event notification, if I find more than one or two consecutive hours... Viele Grüße, Henk On 05/22/2017 04:16 PM, Haynes, Dan wrote: > It’s probably also worth pointing out that if we are using existing > protocols such as NEA, it may not make sense to directly change the > fields in its over-the-wire format to match the SACM IM (e.g. > communications between endpoint and server), rather, provide a mapping. > Then, when the server receives the data, it can use the mapping to store > the data in the repository such that it aligns with the data described > in the IM. This approach will likely be required when we want to > leverage existing protocols where we may not have the ability to change > them (e.g. Apple MDM and Configuration Profiles, Windows PowerShell > Desired State Configuration, etc.). With all that said, the explicit > approach may be more desirable when we are developing our own protocols > or have significant influence and support to change existing protocols. > I guess I am just trying to say we probably want to support both > approaches :). > > > > Thanks, > > Danny > > > > *From:*sacm [mailto:sacm-bounces@ietf.org] *On Behalf Of *Ira McDonald > *Sent:* Friday, May 19, 2017 2:39 PM > *To:* Adam Montville <adam.w.montville@gmail.com>; Ira McDonald > <blueroofmusic@gmail.com> > *Cc:* Henk Birkholz <henk.birkholz@sit.fraunhofer.de>; sacm@ietf.org > *Subject:* Re: [sacm] Hackathon Goals and Stretch Goals > > > > Hi Adam, > > Chiming in below on one point raised in this Hackathon goals conversation. > > Cheers, > > - Ira > > > > On Tue, May 16, 2017 at 2:47 PM, Adam Montville > <adam.w.montville@gmail.com <mailto:adam.w.montville@gmail.com>> wrote: > > Hi Henk. I'll try inline. > > On Tue, May 16, 2017 at 11:04 AM Henk Birkholz > <henk.birkholz@sit.fraunhofer.de > <mailto:henk.birkholz@sit.fraunhofer.de>> wrote: > > <...snip...> > > > Also, I noticed conflicting notions about how important it is to > prepare > a message format to convey information between components. While it > might not be as critical as "having actual component code to > work with", > interoperability is key. And if we would agree on a preliminary data > structure (probably derived from the current IM), before we > start the > hackathon, we could save some time during the f2f on-site. It's > probably > a low hanging fruit also, as I am not talking about every IE to be > conveyed, but about the general message structure ("the > container") and > the corresponding encoding for data in motion. > > > > [AWM] There are differing perspectives on this front. Yes, having a > common structure could be useful, but it may not be necessary for > the purposes of this effort. This effort is somewhat different from > others that I've heard of, in that we are not implementing a > solution as much as we are discovering one. I do expect that we will > discover the structures we need as we develop the solution. What do > others think about this? Do we need to have this information up > front, or is it something we can discover as we go? > > > > <ira> For message wire format for the Hackathon, please consider taking > the SACM > Information Model verbatim and using that XSD for XML wire format. > Efficiency is > > totally irrelevant. So is elegance. You're trying to do a proof of > concept. Defining > > the Hackathon wire format interactively in the room is a time waster > idea, IMO. > > > > > Thoughts? > > > Viele Grüße, > > Henk > > > > > On 05/16/2017 05:12 PM, Haynes, Dan wrote: > > Seems like a reasonable story to focus around, for the > hackathon, to me. > > > > > > > > Thanks, > > > > Danny > > > > > > > > *From:*sacm [mailto:sacm-bounces@ietf.org > <mailto:sacm-bounces@ietf.org>] *On Behalf Of *Jerome Athias > > *Sent:* Monday, May 15, 2017 11:12 PM > > *To:* Adam Montville <adam.w.montville@gmail.com > <mailto:adam.w.montville@gmail.com>>; Waltermire, David A. > > (Fed) <david.waltermire@nist.gov > <mailto:david.waltermire@nist.gov>>; sacm@ietf.org > <mailto:sacm@ietf.org> > > *Subject:* Re: [sacm] Hackathon Goals and Stretch Goals > > > > > > > > I think it's a good idea too. > > > > I don't know who is supposed to participate to this hackathon? > > > > Potentially you could market it by capitalizing on real known > events, > > (without trolling) let's say "new critical vulnerability", "for > > preventing ransomware" "FictitousCorp needs to Respond quickly > and have > > a system to Identify and Protect its endpoints..." > > > > > > > > > > > > On Tue, 16 May 2017 at 00:30, Adam Montville > <adam.w.montville@gmail.com <mailto:adam.w.montville@gmail.com> > > <mailto:adam.w.montville@gmail.com > <mailto:adam.w.montville@gmail.com>>> wrote: > > > > I think that's a good idea. How do folks feel about this > story? Is > > it lacking anything? Is it too specific? What would you > change about > > it if you could? > > > > > > > > On Mon, May 15, 2017 at 12:57 PM Waltermire, David A. (Fed) > > <david.waltermire@nist.gov > <mailto:david.waltermire@nist.gov> > <mailto:david.waltermire@nist.gov > <mailto:david.waltermire@nist.gov>>> wrote: > > > > I was thinking that it would be useful to have a user > story to > > implement against for the Hackathon. How about > something like > > the following that maps to our goals: > > > > > > > > A vendor identifies a vulnerability in their software > product. > > They produce a new version of their software and publish a > > vulnerability bulletin that indicates customers should > upgrade > > to the new version to address the vulnerability. The > product > > versions have both a SWID tag and a CoSWID tag. As a > customer of > > this vendor that uses the affected products, we need > to build a > > vulnerability assessment system that is capable of > detecting > > what version of the software is installed and > determine if that > > version is vulnerable using the vendor provided > information. The > > Collector will be capable of gathering software inventory > > information from one or more target endpoints by: > > > > > > > > 1) Requesting software inventory information for the > > affected software based on an ad-hoc request. > > > > 2) Reporting the software inventory as software > changes occur > > > > > > > > Collected software inventory information will be > stored in the > > Assessment Results Repository and will be compared to > > vulnerability detection data retrieved from the > Vulnerability > > Detection Data Repository. The vulnerability detection > data will > > be derived from the vendor provided information in > some useful > > way to be determined by the Vulnerability Assessor. > > > > > > > > How does this look? > > > > > > > > Regards, > > > > Dave > > > > > > > > *From:*sacm [mailto:sacm-bounces@ietf.org > <mailto:sacm-bounces@ietf.org> > > <mailto:sacm-bounces@ietf.org > <mailto:sacm-bounces@ietf.org>>] *On Behalf Of *Adam Montville > > *Sent:* Tuesday, May 09, 2017 3:30 PM > > *To:* sacm@ietf.org <mailto:sacm@ietf.org> > <mailto:sacm@ietf.org <mailto:sacm@ietf.org>> > > *Subject:* Re: [sacm] Hackathon Goals and Stretch Goals > > > > > > > > All: > > > > > > > > This week Dave and I have had an opportunity to > discuss these a > > bit further. We've come up with the following set of > goals and > > outcomes: > > > > > > > > GOAL: Running code demonstrating the communication > needs between > > identified components as they pertain to the on-request > > collection case through the scenario, where that case is > > described > > at > https://trac.ietf.org/trac/sacm/wiki/SacmVulnerabilityAssessmentScenario. > > OUTCOME: We will have specific understanding of > components' > > boundaries and the necessary information flows (including > > information being communicated) between them. > > > > > > > > GOAL: Leverage existing collected data in a data > repository. > > OUTCOME: Demonstrate that previously collected data can be > > reused to support vulnerability assessment > > > > > > > > GOAL: Running code to extend that base case to include a > > mechanism capable of monitoring a given set of endpoint > > attributes for change. OUTCOME: We will have specific > > understanding of additional architectural > considerations for > > handling monitoring vs. on-request collection, as well > as any > > additional information flows required. > > > > > > > > Does anyone care to bash these goal-ouctome pairs in > the context > > of our hackathon plans? If so, please do so over the > next day > > or two, otherwise these will become the stated goals > for our > > hackathon. > > > > > > > > Kind regards, > > > > > > > > Adam > > > > > > > > On Tue, May 2, 2017 at 4:40 PM Adam Montville > > <adam.w.montville@gmail.com > <mailto:adam.w.montville@gmail.com> > <mailto:adam.w.montville@gmail.com > <mailto:adam.w.montville@gmail.com>>> > > wrote: > > > > All: > > > > > > > > Last week Dave sent a list of milestones to the > list. The > > first of which was for the WG to define some goals > for the > > IETF 99 hackathon. I can see at least one primary > goal with > > at least one stretch goal. The primary goal is to have > > running code demonstrating the basic/ideal case > through our > > vulnerability scenario, where a new vulnerability is > > discovered and we need to reach out all the way to the > > endpoint to determine whether it is in fact > vulnerable. A > > stretch goal might be to have running code > demonstrating a > > "monitor for this vulnerability from now on" > capability (I'm > > sure I'm not stating that as well as I could). > > > > > > > > Does anyone have additional goals? Or, are there > better ways > > to state these particular goals (there probably are)? > > > > > > > > Kind regards, > > > > > > > > Adam > > > > _______________________________________________ > > sacm mailing list > > sacm@ietf.org <mailto:sacm@ietf.org> <mailto:sacm@ietf.org > <mailto:sacm@ietf.org>> > > https://www.ietf.org/mailman/listinfo/sacm > > > > > > > > _______________________________________________ > > sacm mailing list > > sacm@ietf.org <mailto:sacm@ietf.org> > > https://www.ietf.org/mailman/listinfo/sacm > > > > _______________________________________________ > sacm mailing list > sacm@ietf.org <mailto:sacm@ietf.org> > https://www.ietf.org/mailman/listinfo/sacm > > > _______________________________________________ > sacm mailing list > sacm@ietf.org <mailto:sacm@ietf.org> > https://www.ietf.org/mailman/listinfo/sacm > > > > > > _______________________________________________ > sacm mailing list > sacm@ietf.org > https://www.ietf.org/mailman/listinfo/sacm >
- [sacm] Hackathon Goals and Stretch Goals Adam Montville
- Re: [sacm] Hackathon Goals and Stretch Goals Adam Montville
- Re: [sacm] Hackathon Goals and Stretch Goals Waltermire, David A. (Fed)
- Re: [sacm] Hackathon Goals and Stretch Goals Adam Montville
- Re: [sacm] Hackathon Goals and Stretch Goals Jerome Athias
- Re: [sacm] Hackathon Goals and Stretch Goals Tim Harrison
- Re: [sacm] Hackathon Goals and Stretch Goals Tim Harrison
- Re: [sacm] Hackathon Goals and Stretch Goals Adam Montville
- Re: [sacm] Hackathon Goals and Stretch Goals Waltermire, David A. (Fed)
- Re: [sacm] Hackathon Goals and Stretch Goals Kathleen Moriarty
- Re: [sacm] Hackathon Goals and Stretch Goals Haynes, Dan
- Re: [sacm] Hackathon Goals and Stretch Goals Henk Birkholz
- Re: [sacm] Hackathon Goals and Stretch Goals Waltermire, David A. (Fed)
- Re: [sacm] Hackathon Goals and Stretch Goals Adam Montville
- Re: [sacm] Hackathon Goals and Stretch Goals Adam Montville
- Re: [sacm] Hackathon Goals and Stretch Goals Ira McDonald
- Re: [sacm] Hackathon Goals and Stretch Goals Adam Montville
- Re: [sacm] Hackathon Goals and Stretch Goals Waltermire, David A. (Fed)
- Re: [sacm] Hackathon Goals and Stretch Goals Haynes, Dan
- Re: [sacm] Hackathon Goals and Stretch Goals Adam Montville
- Re: [sacm] Hackathon Goals and Stretch Goals Henk Birkholz
- Re: [sacm] Hackathon Goals and Stretch Goals Henk Birkholz
- Re: [sacm] Hackathon Goals and Stretch Goals Jerome Athias
- Re: [sacm] Hackathon Goals and Stretch Goals Nancy Cam-Winget (ncamwing)
- Re: [sacm] Hackathon Goals and Stretch Goals Adam Montville
- Re: [sacm] Hackathon Goals and Stretch Goals Jessica Fitzgerald-McKay
- Re: [sacm] Hackathon Goals and Stretch Goals Adam Montville