Re: [scap_interest] Checking language needs
Adam Montville <amontville@tripwire.com> Tue, 14 February 2012 20:50 UTC
Return-Path: <amontville@tripwire.com>
X-Original-To: scap_interest@ietfa.amsl.com
Delivered-To: scap_interest@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC7BE21E8100 for <scap_interest@ietfa.amsl.com>; Tue, 14 Feb 2012 12:50:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.799
X-Spam-Level:
X-Spam-Status: No, score=-5.799 tagged_above=-999 required=5 tests=[AWL=-2.800, BAYES_00=-2.599, J_CHICKENPOX_25=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gmpjnKHpsk18 for <scap_interest@ietfa.amsl.com>; Tue, 14 Feb 2012 12:50:37 -0800 (PST)
Received: from AM1EHSOBE003.bigfish.com (am1ehsobe003.messaging.microsoft.com [213.199.154.206]) by ietfa.amsl.com (Postfix) with ESMTP id 3D2F021E80FA for <scap_interest@ietf.org>; Tue, 14 Feb 2012 12:50:37 -0800 (PST)
Received: from mail85-am1-R.bigfish.com (10.3.201.236) by AM1EHSOBE003.bigfish.com (10.3.204.23) with Microsoft SMTP Server id 14.1.225.23; Tue, 14 Feb 2012 20:50:32 +0000
Received: from mail85-am1 (localhost [127.0.0.1]) by mail85-am1-R.bigfish.com (Postfix) with ESMTP id 3FD3EA03D2; Tue, 14 Feb 2012 20:50:36 +0000 (UTC)
X-SpamScore: -34
X-BigFish: VPS-34(zz9371I9f17R98dKzz1202hzz1033IL8275bh8275dhz2dh2a8h668h839h946h)
X-Forefront-Antispam-Report: CIP:174.47.84.216; KIP:(null); UIP:(null); IPV:NLI; H:PDXHB01.tripwire.com; RD:174-47-84-216.static.twtelecom.net; EFVD:NLI
Received: from mail85-am1 (localhost.localdomain [127.0.0.1]) by mail85-am1 (MessageSwitch) id 1329252634640596_27097; Tue, 14 Feb 2012 20:50:34 +0000 (UTC)
Received: from AM1EHSMHS020.bigfish.com (unknown [10.3.201.247]) by mail85-am1.bigfish.com (Postfix) with ESMTP id 8E598160045; Tue, 14 Feb 2012 20:50:34 +0000 (UTC)
Received: from PDXHB01.tripwire.com (174.47.84.216) by AM1EHSMHS020.bigfish.com (10.3.206.23) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 14 Feb 2012 20:50:27 +0000
Received: from PDXHB01.tripwire.com (172.30.0.53) by PDXED01.tripwire.com (192.168.192.5) with Microsoft SMTP Server (TLS) id 14.1.355.2; Tue, 14 Feb 2012 12:59:15 -0800
Received: from PDXMB02.tripwire.com ([fe80::f997:7b65:8e64:438e]) by PDXHB01.tripwire.com ([fe80::d495:98d2:7df4:2154%11]) with mapi id 14.01.0355.002; Tue, 14 Feb 2012 12:50:28 -0800
From: Adam Montville <amontville@tripwire.com>
To: "Kent_Landfield@McAfee.com" <Kent_Landfield@McAfee.com>, "karen@scarfonecybersecurity.com" <karen@scarfonecybersecurity.com>
Thread-Topic: [scap_interest] Checking language needs
Thread-Index: AczrU3qhQ1uuVmZpSYC1yTv2HOynqAARGTqAAACqxYD//396gA==
Date: Tue, 14 Feb 2012 20:50:27 +0000
Message-ID: <CB6004F2.918D%amontville@tripwire.com>
In-Reply-To: <CB601FB1.2C503%kent_landfield@mcafee.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.14.0.111121
x-originating-ip: [172.16.97.166]
x-exclaimer-md-config: 79afcaa7-fdf4-4fa6-abe0-afeaa4640a4f
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <D0A1D653A780784F8CDFDFCB9C58A751@tripwire.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tripwire.com
Cc: "scap_interest@ietf.org" <scap_interest@ietf.org>
Subject: Re: [scap_interest] Checking language needs
X-BeenThere: scap_interest@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion List for IETFers interested in the Security Content Automation Protocol \(SCAP\)." <scap_interest.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/scap_interest>
List-Post: <mailto:scap_interest@ietf.org>
List-Help: <mailto:scap_interest-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2012 20:50:39 -0000
Kent, I think scheduling should be a separate concern, but can see targeting being embedded in the checking system, much as it is today in OVAL (in a way, the inventory definitions perform the targeting for technical checks). If we were to leverage Asset Identification, the targeting could be handled in some cases with a simple ai:asset reference – a person is targeted as the owner of the given system. Adam From: kent_landfield <kent_landfield@mcafee.com<mailto:kent_landfield@mcafee.com>> Date: Tue, 14 Feb 2012 14:30:27 -0600 To: <karen@scarfonecybersecurity.com<mailto:karen@scarfonecybersecurity.com>> Cc: <scap_interest@ietf.org<mailto:scap_interest@ietf.org>> Subject: Re: [scap_interest] Checking language needs Thanks Karen! I'll take you up on that! >From the standpoint of what should be included beyond the actual integration issues, should this document, in addition to integration, discuss issues such as targeting and scheduling for interrogative checking systems like OCIL or would folks consider that a separate issue to be dealt with somewhere else? Thoughts? Kent Landfield Director Content Strategy, Architecture and Standards McAfee | An Intel Company 5000 Headquarters Dr. Plano, Texas 75024 Direct: +1.972.963.7096 Mobile: +1.817.637.8026 Web: www.mcafee.com<http://www.mcafee.com/> From: Karen Scarfone <karen@scarfonecybersecurity.com<mailto:karen@scarfonecybersecurity.com>> Date: Tue, 14 Feb 2012 14:11:21 -0600 To: Kent Landfield <kent_landfield@mcafee.com<mailto:kent_landfield@mcafee.com>> Cc: "scap_interest@ietf.org<mailto:scap_interest@ietf.org>" <scap_interest@ietf.org<mailto:scap_interest@ietf.org>> Subject: Re: [scap_interest] Checking language needs Kent, I'd be happy to help with the publication/editing side of specification development. Karen On Tue, Feb 14, 2012 at 3:02 PM, <Kent_Landfield@mcafee.com<mailto:Kent_Landfield@mcafee.com>> wrote: All, One of the missing pieces we have right now is a standardized approach to developing new checking languages. Within fielded XCCDF-enabled products today there are multiple checking languages in use. One of them grew up with XCCDF (OVAL) and another (OCIL) was developed without much concern for how it might be called and used from XCCDF. The later's adoption rate has been seriously impacted because of that. Additionally, vendors have at times introduced their own checking mechanisms to support customer needs that could not be supported with the existing checking languages. Scripting is also being done directly from XCCDF benchmarks by multiple vendor products. As we are starting to expand security automation uses, it is important we enable innovative approaches to check execution. Not everything can be done using the existing model and existing means. Continuous monitoring uses are going to require more flexibility by requiring different means to check certain areas than exist today. Forcing implementers to have to dig thru the XCCDF specification to have to figure out how to properly integrate with it is an inhibitor. We need to foster alternative means so integrating into the the existing security automation architectures and products is not so daunting. Even in areas where something as simple as scripting is used, I would be very surprised if two existing implementations could execute the same script content because of incompatible implementation approaches. Yes, OVAL is interoperable today but we need to make sure additional checking languages have that same potential for interoperability. >From my perspective, the key to the success in fielding a useful framework is assuring the right building blocks are in place. We need to be able to leverage those building blocks to expand standards based security automation. It is important we document the proper way to develop new checking mechanisms if we are to have content and solutions that interoperate effectively. By specifying the practices and items new checking languages need to support, we can expand what is possible with security automation using already fielded tools and environments. I am looking for interest here and for those that might want to help me in producing this draft specification. Kent Landfield Director Content Strategy, Architecture and Standards McAfee | An Intel Company 5000 Headquarters Dr. Plano, Texas 75024 Direct: +1.972.963.7096 Mobile: +1.817.637.8026 Web: www.mcafee.com<http://www.mcafee.com/> _______________________________________________ scap_interest mailing list scap_interest@ietf.org<mailto:scap_interest@ietf.org> https://www.ietf.org/mailman/listinfo/scap_interest -- Karen Scarfone, Principal Consultant, Scarfone Cybersecurity karen@scarfonecybersecurity.com<mailto:karen@scarfonecybersecurity.com> (703)401-1018 _______________________________________________ scap_interest mailing list scap_interest@ietf.org<mailto:scap_interest@ietf.org> https://www.ietf.org/mailman/listinfo/scap_interest
- [scap_interest] Checking language needs Kent_Landfield
- Re: [scap_interest] Checking language needs Karen Scarfone
- Re: [scap_interest] Checking language needs Kent_Landfield
- Re: [scap_interest] Checking language needs Luis Nunez
- Re: [scap_interest] Checking language needs Luis Nunez
- Re: [scap_interest] Checking language needs Adam Montville
- Re: [scap_interest] Checking language needs matthew.coles
- Re: [scap_interest] Checking language needs Waltermire, David A.
- Re: [scap_interest] Checking language needs matthew.coles
- Re: [scap_interest] Checking language needs Kent_Landfield
- Re: [scap_interest] Checking language needs Kent_Landfield
- Re: [scap_interest] Checking language needs matthew.coles
- Re: [scap_interest] Checking language needs Waltermire, David A.