<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
<!ENTITY nbsp " ">
<!ENTITY zwsp "​">
<!ENTITY nbhy "‑">
<!ENTITY wj "⁠">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.5.16 -->
<?rfc toc="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-sacm-arch-14" category="std" obsoletes="" updates="" submissionType="IETF" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.11.1 -->
<front>
<title abbrev="SACM Architecture">Security Automation and Continuous Monitoring (SACM) Architecture</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-sacm-arch-14"/>
<author initials="A." surname="Montville" fullname="Adam W. Montville">
<organization abbrev="CIS">Center for Internet Security</organization>
<address>
<postal>
<street>31 Tech Valley Drive</street>
<city>East Greenbush</city>
<region>NY</region>
<code>12061</code>
<country>USA</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author initials="B." surname="Munyan" fullname="Bill Munyan">
<organization abbrev="CIS">Center for Internet Security</organization>
<address>
<postal>
<street>31 Tech Valley Drive</street>
<city>East Greenbush</city>
<region>NY</region>
<code>12061</code>
<country>USA</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<date year="2021" month="November" day="04"/>
<area>Security</area>
<workgroup>SACM Working Group</workgroup>
<keyword>Internet-Draft</keyword>
<abstract>
<t>This document defines an architecture enabling a cooperative Security Automation and Continuous Monitoring (SACM) ecosystem. This work is predicated upon information gleaned from SACM Use Cases and Requirements (<xref target="RFC7632" format="default"/> and <xref target="RFC8248" format="default"/> respectively), and terminology as found in <xref target="I-D.ietf-sacm-terminology" format="default"/>.</t>
<t>WORKING GROUP: The source for this draft is maintained in GitHub. Suggested changes should be submitted as pull requests at https://github.com/sacmwg/ietf-mandm-sacm-arch/. Instructions are on that page as well.</t>
</abstract>
</front>
<middle>
<section anchor="introduction" numbered="true" toc="default">
<name>Introduction</name>
<t>The purpose of this draft is to define an architectural approach for a SACM Domain, based on the spirit of use cases found in <xref target="RFC7632" format="default"/> and requirements found in <xref target="RFC8248" format="default"/>. This approach gains the most advantage by supporting a variety of collection systems, and intends to enable a cooperative ecosystem of tools from disparate sources with minimal operator configuration.</t>
<section anchor="requirements-notation" numbered="true" toc="default">
<name>Requirements notation</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC
2119, BCP 14 <xref target="RFC2119" format="default"/>.</t>
</section>
</section>
<section anchor="terms-and-definitions" numbered="true" toc="default">
<name>Terms and Definitions</name>
<dl>
<dt>
Assessment: </dt>
<dd>
<t>Defined in <xref target="RFC5209" format="default"/> as "the process of collecting posture for a set of capabilities on the endpoint (e.g., host-based firewall) such that the appropriate validators may evaluate the posture against compliance policy."</t>
</dd>
<dt>
Asset: </dt>
<dd>
<t>Is a system resource, as defined in <xref target="RFC4949" format="default"/>, that may be composed of other assets.</t>
</dd>
<dt/>
<dd>
<t>Examples of Assets include: Endpoints, Software, Guidance, or X.509 public key certificates. An asset is not necessarily owned by an organization.</t>
</dd>
<dt>
Asset Management: </dt>
<dd>
<t>The IT process by which assets are provisioned, updated, maintained and deprecated.</t>
</dd>
<dt>
Attribute: </dt>
<dd>
<t>Is a data element, as defined in <xref target="RFC5209" format="default"/>, that is atomic.</t>
</dd>
<dt/>
<dd>
<t>In the context of SACM, attributes are "atomic" information elements and an equivalent to attribute-value-pairs. Attributes can be components of Subjects.</t>
</dd>
<dt>
Capability: </dt>
<dd>
<t>A set of features that are available from a SACM Component.</t>
</dd>
<dt/>
<dd>
<t>See also "capability" in <xref target="I-D.ietf-i2nsf-terminology" format="default"/>.</t>
</dd>
<dt>
Collector: </dt>
<dd>
<t>A piece of software that acquires information about one or more target endpoints by conducting collection tasks.</t>
</dd>
<dt/>
<dd>
<t>A collector can be distributed across multiple endpoints, e.g. across a target endpoint and a SACM component. The separate parts of the collector can communicate with a specialized protocol, such as PA-TNC [RFC5792]. At least one part of a distributed collector has to take on the role of a provider of information by providing SACM interfaces to propagate capabilities and to provide SACM content in the form of collection results.</t>
</dd>
<dt>
Configuration: </dt>
<dd>
<t>A non-volatile subset of the endpoint attributes of an endpoint that is intended to be unaffected by a normal reboot-cycle.</t>
</dd>
<dt/>
<dd>
<t>Configuration is a type of imperative guidance that is stored in files (files dedicated to containing configuration and/or files that are software components), directly on block devices, or on specific hardware components that can be accessed via corresponding software components. Modification of configuration can be conducted manually or automatically via management (plane) interfaces that support management protocols, such as SNMP or WMI. A change of configuration can occur during both run-time and down-time of an endpoint. It is common practice to schedule a change of configuration during or directly after the completion of a boot-cycle via corresponding software components located on the target endpoint itself.</t>
</dd>
<dt>
Consumer: </dt>
<dd>
<t>A SACM Role that requires a SACM Component to include SACM Functions enabling it to receive information from other SACM Components.</t>
</dd>
<dt>
Endpoint: </dt>
<dd>
<t>Defined in <xref target="RFC5209" format="default"/> as "any computing device that can be connected to a network."</t>
</dd>
<dt/>
<dd>
<t>Additional Information - The <xref target="RFC5209" format="default"/> definition continues, "Such devices normally are associated with a particular link layer address before joining the network and potentially an IP address once on the network. This includes: laptops, desktops, servers, cell phones, or any device that may have an IP address."</t>
</dd>
<dt/>
<dd>
<t>To further clarify the <xref target="RFC5209" format="default"/> definition, an endpoint is any physical or virtual device that may have a network address. Note that network infrastructure devices (e.g. switches, routers, firewalls), which fit the definition, are also considered to be endpoints within this document.</t>
</dd>
<dt/>
<dd>
<t>Physical endpoints are always composites that are composed of hardware components and software components. Virtual endpoints are composed entirely of software components and rely on software components that provide functions equivalent to hardware components.</t>
</dd>
<dt/>
<dd>
<t>The SACM architecture differentiates two essential categories of endpoints: Endpoints whose security posture is intended to be assessed (target endpoints) and endpoints that are specifically excluded from endpoint posture assessment (excluded endpoints).</t>
</dd>
<dt/>
<dd>
<t>Based on the definition of an asset, an endpoint is a type of asset.</t>
</dd>
<dt>
Endpoint Attribute: </dt>
<dd>
<t>Is a discrete endpoint characteristic that is computably observable.</t>
</dd>
<dt/>
<dd>
<t>Endpoint Attributes typically constitute Attributes that can be bundled into Subjects (e.g. information about a specific network interface can be represented via a set of multiple AVPs).</t>
</dd>
<dt>
Endpoint Characteristics: </dt>
<dd>
<t>The state, configuration and composition of the software components and (virtual) hardware components a target endpoint is composed of, including observable behavior, e.g. sys-calls, log-files, or PDU emission on a network.</t>
</dd>
<dt/>
<dd>
<t>In SACM work-flows, (Target) Endpoint Characteristics are represented via Information Elements.</t>
</dd>
<dt>
Posture: </dt>
<dd>
<t>Defined in <xref target="RFC5209" format="default"/> as "configuration and/or status of hardware or software on an endpoint as it pertains to an organization's security policy."</t>
</dd>
<dt/>
<dd>
<t>This term is used within the scope of SACM to represent the configuration and state information that is collected from a target endpoint in the form of endpoint attributes (e.g. software/hardware inventory, configuration settings, dynamically assigned addresses). This information may constitute one or more posture attributes.</t>
</dd>
<dt>
Posture Attributes: </dt>
<dd>
<t>Defined in <xref target="RFC5209" format="default"/> as "attributes describing the configuration or status (posture) of a feature of the endpoint. A Posture Attribute represents a single property of an observed state. For example, a Posture Attribute might describe the version of the operating system installed on the system."</t>
</dd>
<dt/>
<dd>
<t>Within this document this term represents a specific assertion about endpoint configuration or state (e.g. configuration setting, installed software, hardware) represented via endpoint attributes. The phrase "features of the endpoint" highlighted above refers to installed software or software components.</t>
</dd>
<dt>
Provider: </dt>
<dd>
<t>A provider is a SACM role assigned to a SACM component that provides role-specific functions to provide information to other SACM components.</t>
</dd>
<dt>
Repository: </dt>
<dd>
<t>A repository is a controller that contains functions to consume, store and provide information of a particular kind.</t>
</dd>
<dt/>
<dd>
<t>Such information is typically data transported on the data plane, but potentially also data and metadata from the control and management plane. A single repository may provide the functions of more than one specific repository type (i.e. configuration baseline repository, assessment results repository, etc.).</t>
</dd>
<dt>
Security Automation: </dt>
<dd>
<t>The process by which security alerts can be automated through the use of different components that monitor, analyze and assess endpoints and network traffic for the purpose of detecting misconfigurations, misbehaviors or threats.</t>
</dd>
<dt/>
<dd>
<t>Security Automation is intended to identify target endpoints that cannot be trusted (see "trusted" in <xref target="RFC4949" format="default"/>). This goal is achieved by creating and processing evidence (assessment statements) that a target endpoint is not a trusted system <xref target="RFC4949" format="default"/>.</t>
</dd>
<dt>
SIEM: </dt>
<dd>
<t>NIST defines SIEM as an "application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface" <xref target="NISTSIEM" format="default"/>.</t>
</dd>
<dt>
SOAR: </dt>
<dd>
<t>Commonly known as Security Orchestration, Automation, and Response. SOAR is a holistic enterprise capability that exists when threat management, automation of security operations, and incident response are well-coordinated across all security program components in a manner minimizing the need for human intervention.</t>
</dd>
<dt>
State: </dt>
<dd>
<t>A volatile set of endpoint attributes of a (target) endpoint that is affected by a reboot-cycle.</t>
</dd>
<dt/>
<dd>
<t>Local state is created by the interaction of components with other components via the control plane, via processing data plane payload, or via the functional properties of local hardware and software components. Dynamic configuration (e.g. IP address distributed dynamically via an address distribution and management services, such as DHCP) is considered state that is the result of the interaction with another component (e.g. provided by a DHCP server with a specific configuration).</t>
</dd>
<dt>
Target Endpoint: </dt>
<dd>
<t>Is an endpoint that is under assessment at some point in, or region of, time.</t>
</dd>
<dt/>
<dd>
<t>Every endpoint that is not specifically designated as an excluded endpoint is a target endpoint. A target endpoint is not part of a SACM domain unless it contains a SACM component (e.g. a SACM component that publishes collection results coming from an internal collector).</t>
</dd>
<dt/>
<dd>
<t>A target endpoint is similar to a device that is a Target of Evaluation (TOE) as defined in Common Criteria and as referenced by <xref target="RFC4949" format="default"/>.</t>
</dd>
<dt>
Vulnerability Assessment: </dt>
<dd>
<t>An assessment specifically tailored to determining whether a set of endpoints is vulnerable according to the information contained in the vulnerability description information.</t>
</dd>
<dt>
Workflow: </dt>
<dd>
<t>A workflow is a modular composition of tasks that can contain loops, conditionals, multiple starting points and multiple endpoints.</t>
</dd>
<dt/>
<dd>
<t>The most prominent workflow in SACM is the assessment workflow.</t>
</dd>
</dl>
</section>
<section anchor="architectural-overview" numbered="true" toc="default">
<name>Architectural Overview</name>
<t>The generic approach proposed herein recognizes the need to obtain information from existing and future state collection systems, and makes every attempt to respect <xref target="RFC7632" format="default"/> and <xref target="RFC8248" format="default"/>. At the foundation of any architecture are entities, or components, that need to communicate. They communicate by sharing information, where, in a given flow, one or more components are consumers of information and one or more components are providers of information. Different roles within a cooperative ecosystem may act as both Producers and Consumers of SACM-relevant information.</t>
<figure anchor="fig-basic">
<name>Basic Architectural Structure</name>
<artwork name="" type="" align="left" alt=""><![CDATA[
       +----------------+
       | SACM Component |
       |   (Producer)   |
       +-------+--------+
               |
               |
+--------------v----------------+
|      Integration Service      |
+--------------+----------------+
               |
               |
       +-------v--------+
       | SACM Component |
       |   (Consumer)   |
       +----------------+
]]></artwork>
</figure>
<section anchor="producer" numbered="true" toc="default">
<name>Producer</name>
<t>A Producer can be described as an abstraction that refers to an entity capable of sending SACM-relevant information to one or many Consumers. In general, information (a "payload") is produced to a particular topic, subscribed to by one or more Consumers. Producers need not be concerned about any specifics of the payload they are providing to a given topic. A Producer may, for example, publish posture collection instructions to collector topics.</t>
</section>
<section anchor="consumer" numbered="true" toc="default">
<name>Consumer</name>
<t>A Consumer can be described as an abstraction that refers to an entity capable of receiving SACM-relevant information from one or many Producers. A Consumer acts as a subscriber to a given topic (or set of topics), enabling it to receive event notifications when a Producer provides a payload to that topic or topics. Consumers receive payloads and act upon them according to their capabilities. A Consumer may, for example, subscribe to a posture collection topic to receive and act upon collection instructions.</t>
</section>
<section anchor="integration-service" numbered="true" toc="default">
<name>Integration Service</name>
<t>The Integration Service acts as the broker between Producers and Consumers; acting as the destination for Producers to publish payloads, and as the source for Consumers subscribing to those payloads.</t>
<t>SACM Components are intended to interact with other SACM Components. These interactions can be thought of, at the architectural level, as the combination of interfaces with their supported operations. Each interaction will convey a classified payload of information. This classification of payload information allows Consumers to subscribe to only the classifications that they are capable of handling. The payload information should contain subdomain-specific characteristics and/or instructions.</t>
</section>
<section anchor="payloadmessage" numbered="true" toc="default">
<name>Payload/Message</name>
<t>The payload (sometimes referred to as a "message" or "message payload") is the unit of data involved in any given interaction between two SACM components. The payload MAY be used to convey the semantic meaning of the operation to be performed. Protocols such as <xref target="RFC6120" format="default"/> achieve this meaning through XML namespace identification within a <tt>&lt;message/&gt;</tt> or <tt>&lt;iq/&gt;</tt> stanza. Topic-centric protocols such as <xref target="MQTT" format="default"/> convey the meaning of payloads through topic naming techniques. Both methods require connected components to verify message payloads according to their respective capabilities.</t>
<t>With respect to the Integration Service, the payload is simply an array of bytes, so the data contained within it is not required to convey a specific format or meaning to the Integration Service. The serialization of the payload combined with the payload categorization provides meaning within the SACM context.</t>
</section>
<section anchor="payload-categorization" numbered="true" toc="default">
<name>Payload Categorization</name>
<t>Within the SACM ecosystem, categorization of payloads and their transport provide the context through which various capabilities are achieved. Two types of payload categorization can be described.</t>
<section anchor="topic-centric" numbered="true" toc="default">
<name>Topic-centric</name>
<t>Topic-centric payload categorization allows for a broad spectrum of payloads by characterizing those payloads through the Integration Service topic. In this categorization, the topic name becomes a label attached to the payload to which the Integration Service matches against known subscriptions. The topic becomes the operational context for the payload. Topic-centric categorization allows for any payload to be sent to any topic, but requires that SACM consumers parse the payloads to determine whether or not they have the capability to act on those payloads.</t>
<t>When interacting using a topic-centric payload categorization, topic naming conventions SHOULD provide an adequate amount of information to be deterministic regarding the purpose of the interaction. For example, a topic named <tt>/notification/collection/oval</tt> would indicate that (a) the topic is a broadcast/notification (publish/subscribe) topic, (b) subscribers to this topic are performing a "collection" action, and (c) the payloads published to the topic are represented using the OVAL serialization format.</t>
</section>
<section anchor="payload-centric" numbered="true" toc="default">
<name>Payload-centric</name>
<t>Payload-centric categorization encapsulates the intent of an interaction within the message payload itself, using an identifying token, tag, or namespace identifier. This method limits the number of distinct message types, and thereby increases the extensibility of message payloads.</t>
<t>Payload-centric categorization allows for modularization and specification of extensions, and for plugin-based support of capabilities based on the categorization. XMPP is an example of utilization of payload-centric categorization, allowing only three distinct "stanzas" (<tt>&lt;message/&gt;</tt>, <tt>&lt;presence/&gt;</tt>, and <tt>&lt;iq/&gt;</tt>), using payloads defined by the various extension protocols maintained by the XMPP Standards Foundation.</t>
</section>
</section>
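<t>The two categorization styles above, as an added example that is not part of this draft or of any SACM implementation. It is a minimal in-memory model: the topic-centric side matches a topic label against subscriptions (with MQTT-style "+" and "#" wildcards, which are this example's own choice) while treating the payload as opaque bytes, so the subscribing collector has to parse each payload before acting; the payload-centric side dispatches on a namespace token carried inside the payload. The class names, the "oval_definitions" marker, and the urn:example URNs are constructed for the example.</t>
<sourcecode type="python"><![CDATA[
```python
import json
from typing import Callable, Dict, List, Optional, Tuple

Handler = Callable[[bytes], None]


def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT-style matching: '+' matches one level, '#' matches the remainder."""
    pat, lvl = pattern.split("/"), topic.split("/")
    for i, p in enumerate(pat):
        if p == "#":
            return True
        if i >= len(lvl) or (p != "+" and p != lvl[i]):
            return False
    return len(pat) == len(lvl)


class TopicCentricBroker:
    """Topic-centric categorization: the broker matches only the topic label
    against subscriptions and treats the payload as an opaque byte array."""

    def __init__(self) -> None:
        self._subs: List[Tuple[str, Handler]] = []

    def subscribe(self, pattern: str, handler: Handler) -> None:
        self._subs.append((pattern, handler))

    def publish(self, topic: str, payload: bytes) -> int:
        delivered = 0
        for pattern, handler in self._subs:
            if topic_matches(pattern, topic):
                handler(payload)
                delivered += 1
        return delivered


class OvalCollector:
    """A topic subscriber. Anything can be published to its topic, so it has
    to parse every payload before deciding whether it can act on it."""

    def __init__(self) -> None:
        self.accepted: List[dict] = []
        self.rejected = 0

    def on_message(self, payload: bytes) -> None:
        try:
            doc = json.loads(payload)
        except ValueError:
            self.rejected += 1
            return
        # "oval_definitions" is a constructed marker standing in for a real
        # OVAL serialization check.
        if not isinstance(doc, dict) or "oval_definitions" not in doc:
            self.rejected += 1
            return
        self.accepted.append(doc)


class PayloadCentricConsumer:
    """Payload-centric categorization: one inbound channel, every payload
    carries a namespace token, and a plugin is selected by that token."""

    def __init__(self) -> None:
        self._plugins: Dict[str, Callable[[dict], None]] = {}
        self.unhandled: List[str] = []

    def register(self, namespace: str, plugin: Callable[[dict], None]) -> None:
        self._plugins[namespace] = plugin

    def on_message(self, payload: bytes) -> Optional[str]:
        doc = json.loads(payload)
        ns = doc.get("ns", "")
        plugin = self._plugins.get(ns)
        if plugin is None:
            self.unhandled.append(ns)  # no capability for this namespace
            return None
        plugin(doc)
        return ns


def demo() -> dict:
    # Topic-centric: an OVAL collector plus an audit subscriber on a wildcard.
    broker = TopicCentricBroker()
    collector = OvalCollector()
    broker.subscribe("/notification/collection/oval", collector.on_message)
    broker.subscribe("/notification/#", lambda _payload: None)
    good = json.dumps({"oval_definitions": ["constructed-def-1"]}).encode()
    n_oval = broker.publish("/notification/collection/oval", good)
    n_bad = broker.publish("/notification/collection/oval", b"<not json>")
    n_other = broker.publish("/notification/evaluation/xccdf", good)

    # Payload-centric: one consumer receives everything and dispatches on the
    # namespace token (constructed urn:example values).
    consumer = PayloadCentricConsumer()
    ran: List[str] = []
    consumer.register("urn:example:sacm:collection:oval", lambda _d: ran.append("collect"))
    consumer.on_message(json.dumps({"ns": "urn:example:sacm:collection:oval"}).encode())
    consumer.on_message(json.dumps({"ns": "urn:example:sacm:unknown"}).encode())
    return {"delivered": (n_oval, n_bad, n_other), "accepted": len(collector.accepted),
            "rejected": collector.rejected, "ran": ran, "unhandled": consumer.unhandled}
```
]]></sourcecode>
<t>Running demo() shows the trade-off the text describes: the broker delivers the malformed payload just as readily as the valid one (the topic matched), and it is the collector's own parsing that rejects it; on the payload-centric side the consumer never runs a plugin for a namespace it has not registered a capability for.</t>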
<section anchor="capabilities" numbered="true" toc="default">
<name>Capabilities</name>
<t>SACM components interact with each other based on their capacity to perform specific actions. In advertising its capabilities, a SACM component indicates its competence to understand message payloads, perform any payload translation or normalization, and act upon that message. For example, an Orchestration component receives a message to initiate posture attribute collection. The Orchestrator may then normalize those instructions to a particular collection system's serialization. The normalized instructions are then published to the Integration Service, notifying the appropriate subscribers.</t>
<t>Capabilities are described using Uniform Resource Names (URNs), which will be maintained and enhanced via IANA tables (IANA Considerations). Using topic-centric categorization of message payloads, capability URNs SHOULD be associated with Integration Service topics with which publishers, subscribers, and service handlers interact. Topic naming conventions are considered implementation details and are not considered for standardization. Given a payload-centric categorization of message payloads, capability URNs SHOULD be used as the identifying token, tag, or namespace in order to distinguish specific payloads.</t>
</section>
<section anchor="interaction-categories" numbered="true" toc="default">
<name>Interaction Categories</name>
<t>Two categories of interactions SHOULD be supported by the Integration Service: broadcast and directed. Broadcast interactions are asynchronous by default, and directed interactions may be invoked either synchronously or asynchronously.</t>
<section anchor="broadcast" numbered="true" toc="default">
<name>Broadcast</name>
<t>A broadcast interaction, commonly referred to as publish/subscribe, allows for a wider distribution of a message payload. When a payload is published to the Integration Service, all subscribers to that payload are alerted and may consume the message payload. This category of interaction can also be described as a "unicast" interaction when only a single subscriber exists. An example of a broadcast interaction could be to publish Linux OVAL objects to a posture collection topic. Subscribing consumers receive the notification, and proceed to collect endpoint configuration posture based on the supplied message payload.</t>
</section>
<section anchor="directed" numbered="true" toc="default">
<name>Directed</name>
<t>The intent of a directed interaction is to enable point-to-point communications between a producer and consumer, through the standard interfaces provided by the Integration Service. The provider component indicates which consumer is intended to receive the payload, and the Integration Service routes the payload directly to that consumer. Two "styles" of directed interaction exist, differing only by the response from the consumer.</t>
<section anchor="synchronous" numbered="true" toc="default">
<name>Synchronous</name>
<t>Synchronous, request/response style interaction requires that the requesting component block and wait for the receiving component to respond, or to time out when that response is delayed past a given time threshold. A synchronous interaction example may be querying a CMDB for posture attribute information in order to perform an evaluation.</t>
</section>
<section anchor="asynchronous" numbered="true" toc="default">
<name>Asynchronous</name>
<t>An asynchronous interaction involves the payload producer directing the message to a consumer, but not blocking or waiting for an immediate response. This style of interaction allows the producer to continue on to other activities without the need to wait for responses. This style is particularly useful when the interaction payload invokes a potentially long-running task, such as data collection, report generation, or policy evaluation. The receiving component may reply later via callbacks or further interactions, but it is not mandatory.</t>
</section>
</section>
</section>
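<t>The three interaction styles of this section (broadcast, synchronous directed, asynchronous directed) through one Integration Service, as an added example that is not part of this draft or of any SACM implementation. The IntegrationService class, its register/subscribe/publish/request/send methods, the Cmdb and PolicyEvaluator consumers, and the sample posture records are assumptions constructed for the example. The synchronous request enforces the time threshold the text calls for, so a slow consumer produces a TimeoutError rather than a requester that blocks indefinitely.</t>
<sourcecode type="python"><![CDATA[
```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from typing import Callable, Dict, List, Optional

Handler = Callable[[bytes], Optional[bytes]]


class IntegrationService:
    """Assumed broker interface: broadcast (publish/subscribe) plus directed
    delivery to one named consumer, synchronously or asynchronously."""

    def __init__(self) -> None:
        self._topics: Dict[str, List[Handler]] = {}
        self._consumers: Dict[str, Handler] = {}
        self._pool = ThreadPoolExecutor(max_workers=4)

    def register(self, consumer_id: str, handler: Handler) -> None:
        self._consumers[consumer_id] = handler

    def subscribe(self, topic: str, handler: Handler) -> None:
        self._topics.setdefault(topic, []).append(handler)

    def publish(self, topic: str, payload: bytes) -> int:
        """Broadcast: every subscriber is notified and no reply is expected.
        Returns the number of subscribers notified (1 is the 'unicast' case)."""
        subscribers = self._topics.get(topic, [])
        for handler in subscribers:
            handler(payload)
        return len(subscribers)

    def request(self, target: str, payload: bytes, timeout: float) -> bytes:
        """Directed, synchronous: block for the reply, or raise TimeoutError
        once the threshold passes instead of hanging the requester."""
        handler = self._consumers[target]  # KeyError for an unknown consumer
        future = self._pool.submit(handler, payload)
        try:
            return future.result(timeout=timeout) or b""
        except FutureTimeout:
            raise TimeoutError(f"{target} did not reply within {timeout}s") from None

    def send(self, target: str, payload: bytes,
             callback: Optional[Callable[[bytes], None]] = None) -> None:
        """Directed, asynchronous: hand the payload off and return at once;
        a reply, if any, reaches the producer later through the callback."""
        handler = self._consumers[target]

        def run() -> None:
            reply = handler(payload)
            if callback is not None and reply is not None:
                callback(reply)

        self._pool.submit(run)

    def close(self) -> None:
        self._pool.shutdown(wait=True)


class Cmdb:
    """Consumer that answers posture-attribute queries immediately
    (constructed sample records, not real inventory data)."""

    def __init__(self) -> None:
        self.records = {b"host-a": b"os=linux;kernel=5.10",
                        b"host-b": b"os=windows;build=19044"}

    def handle(self, payload: bytes) -> bytes:
        return self.records.get(payload, b"unknown")


class PolicyEvaluator:
    """Consumer whose task takes longer than a requester should block for."""

    def __init__(self, delay: float) -> None:
        self.delay = delay

    def handle(self, payload: bytes) -> bytes:
        time.sleep(self.delay)  # stands in for a long-running evaluation
        return b"result:" + payload


def demo() -> dict:
    svc = IntegrationService()
    svc.register("cmdb", Cmdb().handle)
    svc.register("evaluator", PolicyEvaluator(delay=0.2).handle)

    # Broadcast: two collectors subscribed to the same collection topic.
    received: List[bytes] = []
    for _ in range(2):
        svc.subscribe("/notification/collection/oval", lambda p: received.append(p))
    fanout = svc.publish("/notification/collection/oval", b"collect:host-a")

    # Synchronous directed: the CMDB answers well within the threshold.
    posture = svc.request("cmdb", b"host-a", timeout=1.0)

    # Synchronous directed to a slow consumer: time out instead of hanging.
    timed_out = False
    try:
        svc.request("evaluator", b"policy-1", timeout=0.05)
    except TimeoutError:
        timed_out = True

    # Asynchronous directed: send() returns immediately; reply via callback.
    replies: List[bytes] = []
    replied = threading.Event()

    def on_reply(reply: bytes) -> None:
        replies.append(reply)
        replied.set()

    svc.send("evaluator", b"policy-2", callback=on_reply)
    returned_immediately = not replied.is_set()
    replied.wait(timeout=2.0)
    svc.close()
    return {"fanout": fanout, "posture": posture, "timed_out": timed_out,
            "returned_immediately": returned_immediately, "replies": replies}


if __name__ == "__main__":
    print(demo())
```
]]></sourcecode>
<t>A real Integration Service would route over a network rather than a thread pool, but the contract is the same: a broadcast returns a fan-out count and nothing else, a synchronous request either yields the consumer's reply or fails at the threshold, and an asynchronous send never blocks the producer.</t>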
</section>
<section anchor="sacm-role-based-architecture" numbered="true" toc="default">
<name>SACM Role-based Architecture</name>
<t>Within the cooperative SACM ecosystem, a number of roles act in coordination to provide relevant policy/guidance, perform data collection, storage, evaluation, and support downstream analytics and reporting.</t>
<figure anchor="fig-notional">
<name>Notional Role-based Architecture</name>
<artwork name="" type="" align="left" alt=""><![CDATA[
+-------------------------------------------+
|                  Manager                  |
+-------------------^-----------------------+
                    |
+-----------------+ |  +--------------------+
| Orchestrator(s) | |  |  Repository(-ies)  |
+---------^-------+ |  +----------^---------+
          |         |             |                +--------------------+
          |         |             |                |  Downstream Uses   |
          |         |             |                | +----------------+ |
+---------v---------v-------------v---------+      | |   Analytics    | |
|            Integration Service            <------> +----------------+ |
+-----------^--------------------------^----+      | +----------------+ |
            |                          |           | |   Reporting    | |
            |                          |           | +----------------+ |
+-----------v-------------------+      |           +--------------------+
|  Collection Sub-Architecture  |      |
+-------------------------------+      |
                       +---------------v---------------+
                       |  Evaluation Sub-Architecture  |
                       +-------------------------------+
]]></artwork>
</figure>
<t>As shown in <xref target="fig-notional" format="default"/>, the SACM role-based architecture consists of some basic SACM Components communicating using an integration service. The integration service is expected to maximally align with the requirements described in <xref target="RFC8248" format="default"/>, which means that the integration service will support brokered (i.e. point-to-point) and proxied data exchange.</t>
<section anchor="architectural-rolescomponents" numbered="true" toc="default">
<name>Architectural Roles/Components</name>
<t>This document suggests a variety of players in a cooperative ecosystem, known as SACM Components. SACM Components may be composed of other SACM Components, and each SACM Component plays one, or more, of several roles relevant to the ecosystem. Roles may act as providers of information, consumers of information, or both provider and consumer. <xref target="fig-notional" format="default"/> depicts a number of SACM components which are architecturally significant and therefore warrant discussion and clarification. Each role depicted in <xref target="fig-notional" format="default"/> represents the interface to the component(s) fulfilling that role, not necessarily any specific implementation. For example, the "Repository" figure represents the interface to persistent storage, and not any particular persistent storage mechanism.</t>
<section anchor="manager" numbered="true" toc="default">
<name>Manager</name>
<t>The Manager acts as the control plane for the SACM ecosystem; a sort of high level component capable of coordinating the actions, notifications, and events between components. The manager controls the administrative interfaces with the various components of the ecosystem, acting as the central point to which all other components will register and advertise their capabilities. It is the responsibility of the manager to control a component's access to the ecosystem, maintain an inventory of components attached to the ecosystem, and to initiate the various workflows involved in the collection and/or evaluation of posture attributes.</t>
<t>The manager should maintain the master set of capabilities that can be supported within the ecosystem. These are the various collection, evaluation, and persistence capabilities with which components may register. The manager MAY be responsible for assigning topics for each of the capabilities that are supported, as registering components subsequently subscribe to, or configure service handlers for, those topics.</t>
<t>The manager may act as the user interface to the ecosystem, providing user dashboards, inventories, component management, or operational controls within the boundary of responsibility.</t>
</section>
<section anchor="orchestrators" numbered="true" toc="default">
<name>Orchestrator(s)</name>
<t>Orchestration components provide the Manager with resources for delegating work across the SACM ecosystem. Orchestrators are responsible for receiving messages from the Manager, e.g., posture attribute collection instructions, and routing those messages to the appropriate "actions". For example, an Orchestrator may support the capability of translating posture collection instructions into the Open Vulnerability and Assessment Language (OVAL) and providing those instructions to OVAL collectors. An Orchestrator may support the capability of initiating policy evaluation. Where the Manager is configured to ask a particular set of questions, those questions are delegated to Orchestrators, which are then capable of asking those questions using specific dialects.</t>
</section>
<section anchor="repositories" numbered="true" toc="default">
<name>Repositories</name>
<t><xref target="fig-notional" format="default"/> only includes a single reference to "Repository(-ies)", but in practice a number of separate data repositories may exist, including posture attribute repositories, policy repositories, local vulnerability definition data repositories, and state assessment results repositories. The diagrammed notion of a repository within the SACM context represents an interface to which payloads are provided (based on the capabilities of the producer), normalized, and persisted.</t>
<t>These data repositories may exist separately or together in a single representation, and the design of these repositories may be as distinct as their intended purpose, such as the use of relational database management systems (RDBMS), filesystem-based storage, or graph/map implementations. Each implementation of a SACM repository should focus on the relationships between data elements and implement the SACM information and data model(s).</t>
</section>
<section anchor="integration-service-1" numbered="true" toc="default">
<name>Integration Service</name>
<t>If each SACM component represents a set of capabilities, then the Integration Service represents the "fabric" by which SACM components are woven together. The Integration Service acts as a message broker, combining a set of common message categories and infrastructure to allow SACM components to communicate using a shared set of interfaces. The Integration Service's brokering capabilities enable the exchange of various information payloads, orchestration of component capabilities, message routing, and reliable delivery (within reason: either via persistent messaging mechanisms or by applying a timeout after a configurable period of time). The Integration Service minimizes the dependencies of one system on another by loosely coupling applications via messaging. SACM components "attach" to the Integration Service either through native support for the integration implementation, or through the use of "adapters" which provide a proxied attachment.</t>
<t>The Integration Service should provide mechanisms for both synchronous and asynchronous request/response-style messaging, and a publish/subscribe mechanism to implement an event-based architecture. It is the responsibility of the Integration Service to coordinate and manage the sending and receiving of messages. The Integration Service should allow components to directly connect and produce or consume messages, or connect via message translators which can act as a proxy, transforming messages from a component format to one implementing a SACM data model.</t>
<t>The Integration Service MUST provide routing capabilities for payloads between producers and consumers. The Integration Service MAY provide further capabilities within the payload delivery pipeline. Examples of these capabilities include, but are not limited to, intermediate processing, message transformation, type conversion, validation, or other enterprise integration patterns.</t>
</section>
</section>
<section anchor="downstream-uses" numbered="true" toc="default">
<name>Downstream Uses</name>
<t>As depicted by <xref target="fig-notional" format="default"/>, a number of downstream uses exist in the cooperative ecosystem. Each notional SACM component represents distinct sub-architectures which will exchange information via the integration services, using interactions described in this draft.</t>
<section anchor="reporting" numbered="true" toc="default">
<name>Reporting</name>
<t>The Reporting component represents capabilities outside of the SACM architecture scope dealing with the query and retrieval of collected posture attribute information, evaluation results, etc. in various display formats that are useful to a wide range of stakeholders.</t>
</section>
<section anchor="analytics" numbered="true" toc="default">
<name>Analytics</name>
<t>The Analytics component represents capabilities outside of the SACM architecture scope dealing with the discovery, interpretation, and communication of any meaningful patterns of data in order to inform effective decision making within the organization.</t>
</section>
</section>
<section anchor="sub-architectures" numbered="true" toc="default">
<name>Sub-Architectures</name>
<t><xref target="fig-notional" format="default"/> shows two components representing sub-architectural roles involved in a cooperative ecosystem of SACM components for the purpose of posture assessment: Collection and Evaluation.</t>
<section anchor="collection-sub-architecture" numbered="true" toc="default">
<name>Collection Sub-Architecture</name>
<t>The Collection sub-architecture is, in a SACM context, the mechanism by which posture attributes are collected from applicable endpoints and persisted to a repository, such as a configuration management database (CMDB). Control plane functions initiated by the Manager coordinate the necessary orchestration components, which choreograph endpoint data collection via defined interactions, using the Integration Service as a message broker. Instructions to perform endpoint data collection are directed to a Posture Collection Service capable of performing collection activities utilizing any number of protocols, such as SNMP, NETCONF/RESTCONF, SCAP, SSH, WinRM, packet capture, or host-based mechanisms. Instructions are orchestrated with the appropriate Posture Collection Services using serializations supported according to the collector's capabilities.</t>
<figure anchor="fig-collection">
<name>Decomposed Collection Sub-Architecture</name>
<artwork name="" type="" align="left" alt=""><![CDATA[
+----------------------------------------------------------+
| Manager |
+-----------+----------------------------------------------+
|
Orchestrate
Collection
|
+-----------v-------------+ +------------------------------+
| Orchestrator(s) | | Posture Attribute Repository |
+-----------+-------------+ +--------------^---------------+
| |
Perform |
Collection Collected Data
| ^
| |
+-----------v------------------------------+---------------+
| Integration Service |
+----+------------------^------------------------------^---+
| | | |
v + v |
Perform Collected Perform Collected
Collection Data Collection Data
| ^ | ^
| | | |
+----v-----------------------+ +------------------------------+
| Posture Collection Service | | | Endpoint | |
+---^------------------------+ | +--v------------------+----+ |
| | | |Posture Collection Service| |
| | | +--------------------------+ |
Events Queries +------------------------------+
^ | (PCS resides on Endpoint)
| |
+---+-------------------v----+
| Endpoint |
+----------------------------+
(PCS does not reside on Endpoint)
]]></artwork>
</figure>
<section anchor="posture-collection-service" numbered="true" toc="default">
<name>Posture Collection Service</name>
<t>The Posture Collection Service (PCS) is a SACM component responsible for the collection of posture attributes from an endpoint or set of endpoints. A single PCS MAY be responsible for management of posture attribute collection from many endpoints. The PCS will interact with the Integration Service to receive collection instructions, and to provide collected posture attributes for persistence to one or more Posture Attribute Repositories. Collection instructions may be supplied in a variety of forms, including subscription to a publish/subscribe topic to which the Integration Service has published instructions, or via request/response-style messaging (either synchronous or asynchronous).</t>
<t>Four classifications of posture collection MAY be supported.</t>
<section anchor="ad-hoc" numbered="true" toc="default">
<name>Ad-Hoc</name>
<t>Ad-Hoc collection is defined as a single collection of posture attributes, collected at a particular time. An example of ad-hoc collection is the single collection of a specific registry key.</t>
</section>
<section anchor="continuousscheduled" numbered="true" toc="default">
<name>Continuous/Scheduled</name>
<t>Continuous/Scheduled collection is defined as the ongoing, periodic collection of posture attributes. An example of scheduled collection is the collection of a specific registry key value every day at a given time.</t>
</section>
<section anchor="observational" numbered="true" toc="default">
<name>Observational</name>
<t>This classification of collection is triggered by the observation, external to an endpoint, of information asserting posture attribute values for that endpoint. An example of observational collection is examination of netflow data for particular packet captures and/or specific information within those captures.</t>
</section>
<section anchor="event-based" numbered="true" toc="default">
<name>Event-based</name>
<t>Event-based collection may be triggered either internally or externally to the endpoint. Internal event-based collection is triggered when a posture attribute of interest is added, removed, or modified on an endpoint. This modification indicates a change in the current state of the endpoint, potentially affecting its adherence to some defined policy. Modification of the endpoint's minimum password length is an example of an attribute change which could trigger collection.</t>
<t>External event-based collection can be described as a collector being subscribed to an external source of information, receiving events from that external source on a periodic or continuous basis. An example of event-based collection is subscription to YANG Push notifications.</t>
</section>
</section>
<section anchor="endpoint" numbered="true" toc="default">
<name>Endpoint</name>
<t>Building upon <xref target="I-D.ietf-sacm-terminology" format="default"/>, the SACM Collection Sub-Architecture augments the definition of an Endpoint as a component within an organization's management domain from which a Posture Collection Service will collect relevant posture attributes.</t>
</section>
<section anchor="posture-attribute-repository" numbered="true" toc="default">
<name>Posture Attribute Repository</name>
<t>The Posture Attribute Repository is a SACM component responsible for the persistent storage of posture attributes collected via interactions between the Posture Collection Service and Endpoints.</t>
</section>
<section anchor="posture-collection-workflow" numbered="true" toc="default">
<name>Posture Collection Workflow</name>
<t>Posture collection may be triggered from a number of components, but commonly begins either via event-based triggering on an endpoint or through manual orchestration, both illustrated in <xref target="fig-collection" format="default"/> above. Once orchestration has provided the directive to perform collection, Posture Collection Services consume the directives. Posture collection is invoked for those endpoints overseen by the respective Posture Collection Services. Collected data is then provided to the Integration Service, with a directive to store that information in an appropriate repository.</t>
</section>
</section>
<section anchor="evaluation-sub-architecture" numbered="true" toc="default">
<name>Evaluation Sub-Architecture</name>
<t>The Evaluation Sub-Architecture, in the SACM context, is the mechanism by which policy, expressed in the form of expected state, is compared with collected posture attributes to yield an evaluation result, that result being contextually dependent on the policy being evaluated.</t>
<figure anchor="fig-evaluation">
<name>Decomposed Evaluation Sub-Architecture</name>
<artwork name="" type="" align="left" alt=""><![CDATA[
+------------------+
| Manager |
+-------+----------+
|
Orchestrate +------------------+
Evaluation | Collection | +-------------------------------+
| | Sub+Architecture | | Evaluation Results Repository |
+------v----------+ +--------^---------+ +-----------------^-------------+
| Orchestrator(s) | | |
+------+----------+ (Potentially) |
| Perform Store Evaluation Results
Perform Collection |
Evaluation | |
| | |
+------v----------------------v--------------------------------+-------------+
| Integration Service |
+--------^----------------------^-----------------------^--------------------+
| | |
| | |
| Retrieve Posture Perform
Retrieve Policy Attributes Evaluation
| | |
| | |
+------v-----+ +-----v------+ +--------v-------------------+
| Policy | | Posture | | Posture Evaluation Service |
| Repository | | Attribute | +----------------------------+
+------------+ | Repository |
+------------+
]]></artwork>
</figure>
<section anchor="posture-evaluation-service" numbered="true" toc="default">
<name>Posture Evaluation Service</name>
<t>The Posture Evaluation Service (PES) represents the SACM component responsible for coordinating the policy to be evaluated and the collected posture attributes relevant to that policy, as well as the comparison engine responsible for correctly determining compliance with the expected state.</t>
</section>
<section anchor="policy-repository" numbered="true" toc="default">
<name>Policy Repository</name>
<t>The Policy Repository represents a persistent storage mechanism for the policy to be assessed against collected posture attributes to determine if an endpoint meets the desired expected state. Examples of information contained in a Policy Repository would be Vulnerability Definition Data or configuration recommendations as part of a CIS Benchmark or DISA STIG.</t>
</section>
<section anchor="evaluation-results-repository" numbered="true" toc="default">
<name>Evaluation Results Repository</name>
<t>The Evaluation Results Repository persists the information representing the results of a particular posture assessment, indicating those posture attributes collected from various endpoints which either meet or do not meet the expected state defined by the assessed policy. Consideration should be given to the context of individual results. For example, meeting the expected state for a configuration attribute indicates a correct configuration of the endpoint, whereas meeting an expected state for a vulnerable software version indicates an incorrect configuration.</t>
</section>
<section anchor="posture-evaluation-workflow" numbered="true" toc="default">
<name>Posture Evaluation Workflow</name>
<t>Posture evaluation is orchestrated through the Integration Service to the appropriate Posture Evaluation Service (PES). The PES will, using interactions defined by the applicable taxonomy, query both the Posture Attribute Repository and the Policy Repository to obtain relevant state data for comparison. Where necessary, the PES may invoke further posture collection. Once all relevant posture information has been collected, it is compared to the expected state defined by the applicable policy. Comparison results are then persisted to an Evaluation Results Repository for further downstream use and analysis.</t>
</section>
</section>
</section>
</section>
<section anchor="ecosystem-interactions" numbered="true" toc="default">
<name>Ecosystem Interactions</name>
<t>Ecosystem interactions describe the various functions between SACM components, including manager requirements, the onboarding of components, capability advertisement, administrative actions, and status updates, among others. The Manager component acts as the administrative "lead" for the SACM ecosystem, and must maintain records of registered components, manage capabilities, and more.</t>
<section anchor="manager-1" numbered="true" toc="default">
<name>Manager</name>
<t>The Manager, being a specialized role in the architecture, enables the onboarding and capability management of the various SACM component roles. The Manager must support the set of capabilities needed to operate the SACM ecosystem.</t>
<t>With this in mind, the Manager must first authenticate to the Integration Service. Once authentication has succeeded, the Manager MUST establish a service handler capable of performing SACM component registration/onboarding activities (Component Registration Operation). The Manager MUST also establish a subscription to an ecosystem-wide status notification mechanism, in order to receive published status updates from other SACM components.</t>
<t>The following requirements exist for the Manager to establish service handlers supporting the component registration taxonomy (Component Registration Operation):</t>
<ul spacing="normal">
<li>The Manager MUST enable the capability to receive onboarding requests,</li>
<li>The Manager MUST have the capability to generate, manage, and persist unique identifiers for all registered components,</li>
<li>The Manager MUST maintain the relationships between capabilities and payload categorizations (such as topic names or specific payload identifiers),</li>
<li>The Manager MUST have the capability to inventory and manage its "roster" (the list of registered components),</li>
<li>The Manager MUST have the capability to manage its roster's advertised capabilities, including those endpoints to which those capabilities apply.</li>
<li>In addition to supporting component registration, the Manager is responsible for many of the operational functions of the architecture, including initiating collection or evaluation, queries for repository data, or the assembly of information for downstream use.</li>
<li>The Manager MUST support making directed requests to registered components over the component's administrative interface. Administrative interface functions are described by their taxonomy, below.</li>
<li>The Manager MUST support each of the interaction categories as described above.</li>
</ul>
</section>
<section anchor="component-registration" numbered="true" toc="default">
<name>Component Registration</name>
<t>Component registration describes how an individual component becomes part of the SACM ecosystem: authenticating to the Integration Service, then registering with the Manager and establishing its administrative interface with the Manager.</t>
<t>The component onboarding workflow involves multiple steps:</t>
<ul spacing="normal">
<li>The component first authenticates to the Integration Service.</li>
<li>The component initiates registration with the Manager, per the component registration operation (Component Registration Operation).</li>
<li>The component handles the response from the Manager to configure a service handler allowing the component to receive directed messages over the administrative interface with the Manager.</li>
</ul>
</section>
<section anchor="administrative-interface" numbered="true" toc="default">
<name>Administrative Interface</name>
<t>The administrative interface represents a direct communication channel between the Manager and any registered Component. This interface allows the Manager to make directed requests to a component in order to perform specific actions.</t>
<section anchor="capability-advertisement-handshake" numbered="true" toc="default">
<name>Capability Advertisement Handshake</name>
<t>Capability Advertisement is the mechanism by which components initially indicate their capabilities to the Manager. This handshake is completed using the administrative interface with the Manager. It becomes the Manager's responsibility to persist component/capability relationships, and to provide the component the information necessary to receive and process message payloads specific to the supported capabilities.</t>
</section>
<section anchor="health-check" numbered="true" toc="default">
<name>Health Check</name>
<t>The administrative "health check" is a mechanism by which the Manager queries for the "liveness" of its roster of components, and possibly alerts users or other systems when components are no longer present. The Manager MAY send a periodic message to each component to determine if that component is still listening on the Administrative Interface. The Health Check interaction MAY include a request for "Capability Refresh", to reinitiate the Capability Advertisement Handshake. This interaction is similar to the "Heartbeat" interaction, but is initiated by the Manager.</t>
</section>
<section anchor="heartbeat" numbered="true" toc="default">
<name>Heartbeat</name>
<t>The administrative "heartbeat" is a mechanism by which a Component indicates to the Manager that the Component remains connected to the ecosystem. The Heartbeat differs from the Health Check interaction in that the Component initiates the interaction, and that no response from the Manager is required.</t>
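<t>The Health Check and Heartbeat interactions above describe two directions of the same liveness concern. The following added example (not part of the draft, and not any particular implementation's code) shows a Manager-side roster that records component-initiated heartbeats and runs the Manager-initiated health check over stale entries, including the optional capability-refresh request. The staleness threshold, the send_ping transport hook, and the component identifiers are assumptions made for this example.</t>

```python
# Added example (not from the draft): Manager-side liveness tracking that
# combines component-initiated heartbeats with Manager-initiated health checks.
# Component identifiers, timestamps and the staleness threshold are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class RosterEntry:
    component_id: str
    component_type: str
    last_heartbeat: float                 # seconds; caller supplies the clock
    alive: bool = True
    capabilities: List[str] = field(default_factory=list)


class LivenessTracker:
    """Tracks which onboarded components are still present in the ecosystem."""

    def __init__(self, heartbeat_interval: float, missed_allowed: int = 3):
        # Hypothetical policy: a component is stale once it has missed
        # `missed_allowed` consecutive heartbeat intervals.
        self.stale_after = heartbeat_interval * missed_allowed
        self.roster: Dict[str, RosterEntry] = {}

    def register(self, component_id: str, component_type: str, now: float) -> None:
        self.roster[component_id] = RosterEntry(component_id, component_type, now)

    def on_heartbeat(self, component_id: str, now: float) -> bool:
        """Component-initiated; no Manager response is required.
        Returns False for components not on the roster so the caller can log them."""
        entry = self.roster.get(component_id)
        if entry is None:
            return False
        entry.last_heartbeat = now
        entry.alive = True
        return True

    def health_check(self, now: float, send_ping: Callable[..., bool]) -> Dict[str, str]:
        """Manager-initiated: ping only components whose heartbeat is stale.
        `send_ping(component_id, refresh=...)` is a hypothetical transport hook
        returning True when the component answers on its administrative interface.
        Returns {component_id: "recovered" or "absent"} for each stale component."""
        outcome: Dict[str, str] = {}
        for cid, entry in self.roster.items():
            if entry.last_heartbeat + self.stale_after >= now:
                continue                      # heartbeat is recent; nothing to do
            # Ask for a capability refresh at the same time, re-initiating the
            # Capability Advertisement Handshake if the component is still there.
            if send_ping(cid, refresh=True):
                entry.last_heartbeat = now
                entry.alive = True
                outcome[cid] = "recovered"
            else:
                entry.alive = False
                outcome[cid] = "absent"
        return outcome

    def absent_components(self) -> List[str]:
        """Components the Manager should report as no longer present."""
        return sorted(cid for cid, e in self.roster.items() if not e.alive)
```

<t>Pinging only stale components keeps the health check from turning into a second heartbeat stream; components that heartbeat on time never see a Manager-initiated probe.</t>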
</section>
<section anchor="capability-specific-requests" numbered="true" toc="default">
<name>Capability-specific Requests</name>
<t>Any number of capability-specific requests can be enabled through the administrative interface, allowing the Manager to direct actions to be performed by a specific component. In the other direction, a component can use this interface to indicate that it has come back online, or to provide an updated capability advertisement, potentially resulting in updates to subscriptions or service handlers.</t>
</section>
</section>
<section anchor="status-notifications" numbered="true" toc="default">
<name>Status Notifications</name>
<t>A generic status notifications mechanism SHOULD be configured to which (a) the Manager is subscribed, and (b) all onboarded components can publish. Status notifications may be used by the Manager to update user interfaces, to provide notification of the start, finish, success or failure of ecosystem operations, or as events to trigger subsequent activities.</t>
</section>
<section anchor="component-interactions" numbered="true" toc="default">
<name>Component Interactions</name>
<t>Component interactions describe functionality between components relating to collection, evaluation, or other downstream processes. The following component interactions begin with the Manager providing a set of instructions to an Orchestrator or set of Orchestrators that have registered with the SACM ecosystem indicating the appropriate capabilities, such as collection or evaluation. Subscribing Orchestrator(s) MAY translate, manipulate, filter, augment, or otherwise transform the Manager's instructions into content supported through the Orchestrator's capabilities.</t>
<section anchor="initiate-ad-hoc-collection" numbered="true" toc="default">
<name>Initiate Ad-Hoc Collection</name>
<t>The Orchestrator supplies a payload of collection instructions to a Posture Collection Service either through direct or broadcast mechanisms. The receiving PCS components perform the required collection based on their capabilities. Each PCS then forms a payload of collected posture attributes (including endpoint identifying information) and provides that payload to the Posture Attribute Repository interface, for persistence.</t>
</section>
<section anchor="coordinate-periodic-collection" numbered="true" toc="default">
<name>Coordinate Periodic Collection</name>
<t>As with ad-hoc collection, the Orchestrator supplies a payload of collection instructions. Additional information elements containing a collection identifier and a periodicity are included.</t>
<section anchor="schedule-periodic-collection" numbered="true" toc="default">
<name>Schedule Periodic Collection</name>
<t>To enable operations on periodic collection, the scheduling payload MUST include both a unique identifier for the set of collection instructions, as well as a periodicity expression to enable the collection schedule. An optional "immediate collection" flag will indicate to the collection component that, upon receipt of the collection instructions, a collection will automatically be initiated prior to engagement of the scheduled collection.</t>
</section>
<section anchor="cancel-periodic-collection" numbered="true" toc="default">
<name>Cancel Periodic Collection</name>
<t>The Orchestrator disables the periodic collection of posture attributes by supplying collector(s) the unique identifier of previously scheduled collection instructions. An optional "final collection" flag will indicate to the collection component that, upon receipt of the cancellation instructions, a final ad-hoc collection is to take place.</t>
</section>
</section>
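<t>The Schedule and Cancel interactions above together define the lifecycle of a periodic collection: a mandatory identifier and periodicity expression, an optional "immediate collection" flag, and an optional "final collection" flag on cancellation. The following added example (not part of the draft) shows a Posture Collection Service handling both payloads. The draft names the information elements but not their serialization, so the field names (collection_id, period_seconds, immediate, final, instructions), the collect hook and the sample payloads are assumptions made for this example.</t>

```python
# Added example (not from the draft): a Posture Collection Service that
# schedules and cancels periodic collection from Orchestrator payloads.
# Field names and the `collect` hook are assumptions; the draft only names the
# information elements (identifier, periodicity, immediate/final flags).
from typing import Callable, Dict, List, Optional


class PeriodicCollectionScheduler:
    def __init__(self, collect: Callable[[dict], dict]):
        # collect(instructions): hypothetical hook performing one collection
        # and returning the collected posture attributes.
        self.collect = collect
        self.schedules: Dict[str, dict] = {}     # collection_id -> schedule state
        self.persisted: List[dict] = []          # payloads handed to the repository

    def schedule(self, payload: dict, now: float) -> Optional[str]:
        """Handle a 'schedule periodic collection' payload; returns the id or None."""
        cid = payload.get("collection_id")
        period = payload.get("period_seconds")
        # Both the identifier and the periodicity are mandatory (MUST).
        if not cid or not isinstance(period, (int, float)) or not period > 0:
            return None
        self.schedules[cid] = {
            "instructions": payload.get("instructions", {}),
            "period": float(period),
            "next_run": now + float(period),
        }
        # Optional flag: collect once right away, before the schedule engages.
        if payload.get("immediate", False):
            self._run(cid, now)
        return cid

    def cancel(self, payload: dict, now: float) -> bool:
        """Handle a 'cancel periodic collection' payload; returns False if unknown."""
        cid = payload.get("collection_id")
        state = self.schedules.pop(cid, None)
        if state is None:
            return False                         # nothing scheduled under that id
        # Optional flag: one final ad-hoc collection on cancellation.
        if payload.get("final", False):
            self._persist(cid, state["instructions"], now)
        return True

    def tick(self, now: float) -> List[str]:
        """Run every schedule whose next run time has arrived; returns the ids run."""
        ran: List[str] = []
        for cid, state in self.schedules.items():
            if now >= state["next_run"]:
                self._run(cid, now)
                ran.append(cid)
        return ran

    def _run(self, cid: str, now: float) -> None:
        state = self.schedules[cid]
        self._persist(cid, state["instructions"], now)
        # Advance relative to the scheduled time rather than the actual run
        # time, so a late tick runs once and does not drift the schedule.
        while now >= state["next_run"]:
            state["next_run"] += state["period"]

    def _persist(self, cid: str, instructions: dict, now: float) -> None:
        attrs = self.collect(instructions)
        # In the architecture this payload goes to the Posture Attribute
        # Repository interface via the Integration Service; here it is appended.
        self.persisted.append({"collection_id": cid, "collected_at": now, "attributes": attrs})
```

<t>Rejecting a scheduling payload that lacks the identifier or periodicity is what makes the later cancellation unambiguous: the Orchestrator can only cancel by the identifier it supplied.</t>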
<section anchor="coordinate-observationalevent-based-collection" numbered="true" toc="default">
<name>Coordinate Observational/Event-based Collection</name>
<t>In these scenarios, the Posture Collection Service acts as the "observer". Interactions with the observer could specify a time period of observation and potentially information intended to filter observed posture attributes to aid the PCS in determining those attributes that are applicable for collection and persistence to the Posture Attribute Repository.</t>
<section anchor="initiate-observationalevent-based-collection" numbered="true" toc="default">
<name>Initiate Observational/Event-based Collection</name>
<t>The Orchestrator supplies a payload of instructions to a topic or set of topics to which Posture Collection Services (observers) are subscribed. This payload could include specific instructions based on the observer's capabilities to determine specific posture attributes to observe and collect.</t>
</section>
<section anchor="cancel-observationalevent-based-collection" numbered="true" toc="default">
<name>Cancel Observational/Event-based Collection</name>
<t>The Orchestrator supplies a payload of instructions to a topic or set of topics to which Posture Collection Services are subscribed. The receiving PCS components cancel the identified observational/event-based collection executing on those PCS components.</t>
</section>
</section>
<section anchor="persist-collected-posture-attributes" numbered="true" toc="default">
<name>Persist Collected Posture Attributes</name>
<t>Following successful collection, Posture Collection Services (PCS) will supply the payload of collected posture attributes to the interface(s) supporting the persistent storage of those attributes to the Posture Attribute Repository. Information in this payload should include identifying information of the computing resource(s) for which attributes were collected.</t>
</section>
<section anchor="initiate-ad-hoc-evaluation" numbered="true" toc="default">
<name>Initiate Ad-Hoc Evaluation</name>
<t>The Orchestrator supplies a payload of evaluation instructions to one or more Posture Evaluation Services (PES) either through direct or broadcast mechanisms. The receiving PES components perform the required evaluation based on their capabilities. Each PES generates a payload of posture evaluation results and publishes that payload to the Evaluation Results Repository interface, for persistence.</t>
</section>
<section anchor="coordinate-periodic-evaluation" numbered="true" toc="default">
<name>Coordinate Periodic Evaluation</name>
<t>As with ad-hoc evaluation, the Orchestrator supplies a payload of evaluation instructions. Additional information elements containing an evaluation identifier and a periodicity are included.</t>
<section anchor="schedule-periodic-evaluation" numbered="true" toc="default">
<name>Schedule Periodic Evaluation</name>
<t>To enable operations on periodic evaluation, the scheduling payload MUST include both a unique identifier for the set of evaluation instructions, as well as a periodicity expression to enable the evaluation schedule. An optional "immediate evaluation" flag will indicate to the Posture Evaluation Service (PES) that, upon receipt of the evaluation instructions, an evaluation will automatically be initiated prior to engagement of the scheduled evaluation.</t>
</section>
<section anchor="cancel-periodic-evaluation" numbered="true" toc="default">
<name>Cancel Periodic Evaluation</name>
<t>The Orchestrator disables the periodic evaluation of posture attributes by supplying Posture Evaluation Service(s) the unique identifier of previously scheduled evaluation instructions. An optional "final evaluation" flag will indicate to the PES that, upon receipt of the cancellation instructions, a final ad-hoc evaluation is to take place.</t>
</section>
</section>
<section anchor="coordinate-change-based-evaluation" numbered="true" toc="default">
<name>Coordinate Change-based Evaluation</name>
<t>A more fine-grained approach to periodic evaluation may be enabled through the triggering of Posture Evaluation based on changes to posture attribute values at the time of their collection and persistence to the Posture Attribute Repository.</t>
<section anchor="identify-attributes" numbered="true" toc="default">
<name>Identify Attributes</name>
<t>The Orchestrator enables change-based evaluation through a payload published to Posture Attribute Repository component(s). This payload includes appropriate information elements describing the posture attributes on which changes in value will trigger posture evaluation.</t>
</section>
<section anchor="cancel-change-based-evaluation" numbered="true" toc="default">
<name>Cancel Change-based Evaluation</name>
<t>An Orchestrator may disable change-based evaluation through a payload published to Posture Attribute Repository component(s), including those information elements necessary to identify those posture attributes for which change-based evaluation no longer applies.</t>
</section>
</section>
<section anchor="queries" numbered="true" toc="default">
<name>Queries</name>
<t>Queries should allow for a "freshness" time period, allowing the requesting entity to determine if/when posture attributes must be re-collected prior to performing evaluation. This freshness time period can be "zeroed out" for the purpose of automatically triggering re-collection regardless of the most recent collection.</t>
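<t>The freshness rule above, together with the Posture Evaluation Workflow and the note in the Evaluation Results Repository section that the same comparison outcome carries different meaning for configuration and vulnerability policy, can be shown in one place. The following added example (not part of the draft) is a Posture Evaluation Service that consults the Posture Attribute Repository with a freshness period, re-collects when an attribute is older than that period (a freshness of zero always re-collects), compares against policy, and records results with their context. The repository layout, rule fields, recollect hook and sample attribute values are constructed for illustration.</t>

```python
# Added example (not from the draft): a Posture Evaluation Service applying a
# query freshness period before comparison, and recording results in context.
# Repository layout, rule fields and sample values are constructed.
from typing import Callable, Dict, List, Optional


class PostureEvaluationService:
    def __init__(self, attribute_repo: Dict[str, dict],
                 recollect: Callable[[str, str], Optional[dict]]):
        # attribute_repo: {endpoint_id: {attribute: {"value": v, "collected_at": t}}}
        # recollect(endpoint_id, attribute): hypothetical hook that invokes
        # further collection and returns a fresh record, or None on failure.
        self.repo = attribute_repo
        self.recollect = recollect
        self.results_repo: List[dict] = []       # stands in for the results repository

    def get_attribute(self, endpoint: str, name: str, now: float,
                      freshness: float) -> Optional[dict]:
        """Return the stored record if it was collected within `freshness`
        seconds of `now`; otherwise re-collect. Freshness 0 forces re-collection."""
        stored = self.repo.get(endpoint, {}).get(name)
        if stored is not None and freshness > 0 and stored["collected_at"] + freshness >= now:
            return stored
        fresh = self.recollect(endpoint, name)
        if fresh is None:
            return None
        self.repo.setdefault(endpoint, {})[name] = fresh    # persist the new value
        return fresh

    def evaluate(self, endpoint: str, policy: List[dict], now: float,
                 freshness: float) -> List[dict]:
        """Each rule is {"id", "attribute", "expected", "kind"}; kind is
        "configuration" (match means compliant) or "vulnerability"
        (match means the vulnerable state is present, i.e. non-compliant)."""
        results: List[dict] = []
        for rule in policy:
            attr = self.get_attribute(endpoint, rule["attribute"], now, freshness)
            if attr is None:
                outcome = "unknown"          # the attribute could not be collected
            else:
                matched = attr["value"] == rule["expected"]
                # Result context: meeting the expected state is good for a
                # configuration rule and bad for a vulnerability definition.
                if rule["kind"] == "vulnerability":
                    outcome = "non-compliant" if matched else "compliant"
                else:
                    outcome = "compliant" if matched else "non-compliant"
            results.append({"endpoint": endpoint, "rule": rule["id"],
                            "outcome": outcome, "evaluated_at": now})
        self.results_repo.extend(results)
        return results
```

<t>Recording "unknown" rather than silently skipping a rule matters downstream: a reporting consumer can distinguish an endpoint that failed collection from one that passed.</t>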
</section>
</section>
</section>
<section anchor="operations" numbered="true" toc="default">
<name>Operations</name>
<t>The following sections describe a number of operations required to enable a cooperative ecosystem of posture attribute collection and evaluation functions.</t>
<section anchor="component-registration-1" numbered="true" toc="default">
<name>Component Registration</name>
<t>Component registration describes how an individual component becomes part of the SACM ecosystem; registering with the Manager, and establishing the administrative interface.</t>
<ul spacing="normal">
<li>Interaction Type: Directed (Request/Response)</li>
<li>Source Component: Any component wishing to join the ecosystem, such as Posture Collection Services, Repository Interfaces, Posture Evaluation Services and more.</li>
<li>Target Component(s): Manager</li>
</ul>
<section anchor="request-payload" numbered="true" toc="default">
<name>Request Payload</name>
<t>When a component onboards with the ecosystem, it must identify itself to the Manager, using either descriptive information or an already-existing component unique identifier.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
component-registration-request:
  {:component-identification:}
component-identification:
  component-unique-identifier (if re-establishing communication)
  #-OR-#
  component-type {:component-type:}
  component-name
  component-description (optional)
component-type:
  enumeration:
    - posture-collection-service
    - posture-evaluation-service
    - repository-interface
    - orchestrator
    - others?
]]></artwork>
<t>When registering for the first time, the component will send identifying information including the component type and a name. If the component is re-establishing communications, for example after a restart of the component or deployment of a new version, the component only needs to supply its previously generated (and persisted) [component-unique-identifier].</t>
</section>
<section anchor="request-processing" numbered="true" toc="default">
<name>Request Processing</name>
<t>When the Manager receives the component's request for onboarding, it will:</t>
<ul spacing="normal">
<li>Generate a unique identifier, <tt>[component-unique-identifier]</tt>, for the onboarding component,</li>
<li>Persist identifying information, including the <tt>[component-unique-identifier]</tt> to its component inventory, enabling an up-to-date roster of components being managed,</li>
<li>Establish the administrative interface to the onboarded component by enabling a service handler to listen for directed messages from the component.</li>
</ul>
</section>
<section anchor="response-payload" numbered="true" toc="default">
<name>Response Payload</name>
<t>The Manager will respond to the component with a payload including the component's unique identifier. At this point, the Manager is aware of the component's existence in the ecosystem, and the component can self-identify by virtue of receiving its unique identifier.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
component-registration-response:
  component-unique-identifier: [component-unique-identifier]
]]></artwork>
</section>
<section anchor="response-processing" numbered="true" toc="default">
<name>Response Processing</name>
<t>Successful receipt of the Manager's response, including the <tt>[component-unique-identifier]</tt>, indicates the component is onboarded to the ecosystem. Using the response payload, the component can then establish its end of the administrative interface with the Manager. The component must then persist its unique identifier for use when re-establishing communication with the Manager after failure recovery or restart.</t>
</section>
</section>
<section anchor="administrative-interface-1" numbered="true" toc="default">
<name>Administrative Interface</name>
<t>A number of functions may take place which, instead of being published to multiple subscribers, may require direct interaction between the Manager and a registered component (and vice-versa). During component onboarding, this direct channel, known as the Administrative Interface, is established first by the Manager and subsequently complemented by the component onboarding to the SACM ecosystem. Three operations are defined for the administrative interface, but any number of application- or capability-specific operations MAY be enabled using the directed messaging provided by this interface.</t>
<section anchor="capability-advertisement-handshake-1" numbered="true" toc="default">
<name>Capability Advertisement Handshake</name>
<t>Capability advertisement represents the ability of any registered component to inform the Manager of that component's capacity for performing certain operations. For example, a Posture Collection Service component may advertise its capability to perform collection using a particular collection system/serialization. This capability advertisement is important for the Manager to persist in order for the Manager to correctly classify components registered within the SACM ecosystem, and therefore provide the ability to publish messages to components in accordance with their capabilities.</t>
<ul spacing="normal">
<li>Interaction Type: Directed (Request/Response)</li>
<li>Source Component: Any registered component, such as Posture Collection Services, Repository Interfaces, Posture Evaluation Services and more.</li>
<li>Target Component(s): Manager</li>
</ul>
<section anchor="request-payload-1" numbered="true" toc="default">
<name>Request Payload</name>
<t>The component's capability advertisement request payload will include a list of "Capability URNs" (TBD IANA SECTION) that represent its supported operational capabilities.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
capability-advertisement:
  capabilities:
    capability-urn: [urn]
    capability-urn: [urn]
    capability-urn: [urn]
    ...
]]></artwork>
</section>
<section anchor="request-processing-1" numbered="true" toc="default">
<name>Request Processing</name>
<t>Upon receipt of the component's capability advertisement, the Manager SHOULD:</t>
<ul spacing="normal">
<li>Persist the component's capabilities to the Manager's inventory</li>
<li>Coordinate, based on the supplied capabilities, the service handlers (for directed messages) and/or event listeners (for broadcast messages) that the component should support.</li>
</ul>
</section>
<section anchor="response-payload-1" numbered="true" toc="default">
<name>Response Payload</name>
<t>The response payload delivered to the component should include the appropriate service handling/event listening information required for the component to handle further interactions based on each advertised capability. If a capability was not registered successfully, appropriate error messages SHOULD be supplied to inform the component of the failure(s).</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
capability-advertisement-response:
  capabilities:
    capability:
      capability-urn: [urn]
      registration-status: (success | failure)
      service-handler-or-event-listener: [info]
      messages: [messages]
    capability:
      capability-urn: [urn]
      registration-status: (success | failure)
      service-handler-or-event-listener: [info]
      messages: [messages]
]]></artwork>
</section>
<section anchor="response-processing-1" numbered="true" toc="default">
<name>Response Processing</name>
<t>Once the component has received the response to its capability advertisement, it should configure the capability-specific service handler(s) or event listener(s). Once these handlers/listeners have been configured, the component is considered fully onboarded to the SACM ecosystem.</t>
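<t>The Manager side of the Component Registration operation and of the Capability Advertisement Handshake above, as an added example that is not part of draft-ietf-sacm-arch or of any SACM implementation. The capability URNs (placeholders, since the IANA section is still TBD), the refusal of a component-unique-identifier the Manager never issued, and the rule that a component must be registered before it advertises capabilities are assumptions made for this example.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
```python
# Added example (not code from draft-ietf-sacm-arch or a SACM project): an
# in-memory Manager implementing the Component Registration and Capability
# Advertisement request processing described in the text.
import uuid

# Assumed capability registry.  The draft defers Capability URNs to an IANA
# section, so these URN strings are placeholders constructed here; each maps
# to the service handler / event listener the component must then configure.
KNOWN_CAPABILITIES = {
    "urn:example:sacm:capability:collection:oval": "service-handler:oval-collection",
    "urn:example:sacm:capability:status-notification": "event-listener:status-notification",
}

# component-type enumeration from the registration request payload.
COMPONENT_TYPES = {
    "posture-collection-service", "posture-evaluation-service",
    "repository-interface", "orchestrator",
}


class Manager:
    """Keeps the component inventory and answers directed registration requests."""

    def __init__(self):
        self.inventory = {}  # component-unique-identifier -> component record

    def register(self, request):
        """component-registration-request -> component-registration-response."""
        ident = request["component-identification"]
        if "component-unique-identifier" in ident:
            # Re-establishing communication after a restart or redeployment.
            # Assumption: an identifier the Manager never issued is refused, so
            # a component cannot register under an identifier of its own choosing.
            cid = ident["component-unique-identifier"]
            if cid not in self.inventory:
                return {"component-registration-response": {
                    "error": "unknown component-unique-identifier"}}
        else:
            if ident.get("component-type") not in COMPONENT_TYPES or not ident.get("component-name"):
                return {"component-registration-response": {
                    "error": "component-type and component-name are required"}}
            cid = str(uuid.uuid4())  # generated here, persisted in the inventory below
            self.inventory[cid] = {
                "component-type": ident["component-type"],
                "component-name": ident["component-name"],
                "component-description": ident.get("component-description"),
                "capabilities": {},
            }
        # Establish the administrative interface: a service handler now listens
        # for directed messages from this component (modelled as a flag here).
        self.inventory[cid]["admin-interface"] = "listening"
        return {"component-registration-response": {"component-unique-identifier": cid}}

    def advertise_capabilities(self, cid, advertisement):
        """capability-advertisement -> capability-advertisement-response."""
        if cid not in self.inventory:  # assumption: registration must come first
            return {"capability-advertisement-response": {"error": "component not registered"}}
        results = []
        for urn in advertisement["capabilities"]:
            info = KNOWN_CAPABILITIES.get(urn)
            if info is None:
                results.append({"capability-urn": urn, "registration-status": "failure",
                                "service-handler-or-event-listener": None,
                                "messages": ["unknown capability URN"]})
                continue
            # Persist the capability so later messages can be routed by capability.
            self.inventory[cid]["capabilities"][urn] = info
            results.append({"capability-urn": urn, "registration-status": "success",
                            "service-handler-or-event-listener": info, "messages": []})
        return {"capability-advertisement-response": {"capabilities": results}}

    def components_with(self, urn):
        """Identifiers of components that successfully registered `urn`."""
        return sorted(cid for cid, rec in self.inventory.items() if urn in rec["capabilities"])


def demo():
    """Constructed walk-through: first registration, handshake, restart, stray claim."""
    mgr = Manager()
    first = mgr.register({"component-identification": {
        "component-type": "posture-collection-service", "component-name": "pcs-1"}})
    cid = first["component-registration-response"]["component-unique-identifier"]
    handshake = mgr.advertise_capabilities(cid, {"capabilities": [
        "urn:example:sacm:capability:collection:oval",
        "urn:example:sacm:capability:not-defined"]})
    restart = mgr.register({"component-identification": {"component-unique-identifier": cid}})
    stray = mgr.register({"component-identification": {"component-unique-identifier": "made-up"}})
    return mgr, cid, handshake, restart, stray


if __name__ == "__main__":
    mgr, cid, handshake, restart, stray = demo()
    print(cid, handshake, restart, stray, sep="\n")
```
]]></artwork>
<t>The per-capability registration-status lets a component that advertised one unsupported URN still come up with the capabilities that did register; the Manager's inventory only records capabilities that succeeded, which is what later capability-based routing (components_with) relies on.</t>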
</section>
</section>
<section anchor="health-check-1" numbered="true" toc="default">
<name>Health Check</name>
<t>As time passes, it is important that the Manager maintains knowledge of all registered components' current operational status. The health check operation describes the efforts taken by the Manager to maintain the most up-to-date inventory of its component roster, and to potentially trigger events to users or outside systems (e.g. a SIEM or SOAR) indicating unavailable components.</t>
<ul spacing="normal">
<li>Interaction Type: Directed (Request/Response)</li>
<li>Source Component: Manager</li>
<li>Target Component(s): Any registered component, such as Posture Collection Services, Repository Interfaces, Posture Evaluation Services and more.</li>
</ul>
<section anchor="request-payload-2" numbered="true" toc="default">
<name>Request Payload</name>
<t>The request for the health check is a simple "ping".</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
health-check-request:
  action: ping
]]></artwork>
</section>
<section anchor="request-processing-2" numbered="true" toc="default">
<name>Request Processing</name>
<t>When the target component receives the health check request, the target component need only respond that it is operational and connected to the integration service. This is a simple "Hello component, are you listening? Yes, I am" interaction. The health check request from the Manager should be made with an appropriately small timeout indicator; only an operational component will be able to respond to the request, so if that component is offline and cannot respond, the Manager should not be kept waiting for an extended amount of time.</t>
</section>
<section anchor="response-payload-2" numbered="true" toc="default">
<name>Response Payload</name>
<t>When responding to the health check request, the response payload will simply indicate success:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
health-check-response:
  response: success
]]></artwork>
</section>
<section anchor="response-processing-2" numbered="true" toc="default">
<name>Response Processing</name>
<t>Upon receipt of the "health-check-response" payload, the Manager will update its inventory of currently operational components with the timestamp of the receipt. Manager implementations may raise alerts, inform users, or take other actions when health checks are unsuccessful, at their discretion.</t>
</section>
</section>
<section anchor="heartbeat-1" numbered="true" toc="default">
<name>Heartbeat</name>
<t>As time passes and SACM ecosystem components which have previously registered are brought offline (perhaps for maintenance or redeployment) and back online, it is important that registered components maintain administrative contact with the Manager. The heartbeat operation describes the efforts taken by a registered component to determine the status of contact with the Manager, and to take appropriate action if such contact cannot be made.</t>
<ul spacing="normal">
<li>Interaction Type: Directed (Request/Response)</li>
<li>Source Component: Any registered component, such as Posture Collection Services, Repository Interfaces, Posture Evaluation Services and more.</li>
<li>Target Component(s): Manager</li>
</ul>
<section anchor="request-payload-3" numbered="true" toc="default">
<name>Request Payload</name>
<t>The request payload simply defines the heartbeat action:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
heartbeat-request:
  action: pulse
]]></artwork>
</section>
<section anchor="request-processing-3" numbered="true" toc="default">
<name>Request Processing</name>
<t>When the Manager receives the heartbeat request, it need only respond that it is operational and connected to the integration service. This is a simple "Hello Manager, are you listening? Yes, I am" interaction. The heartbeat request from the component should be made with an appropriately small timeout indicator; only an operational Manager will be able to respond to the request, so if it is offline and cannot respond, the component should not be kept waiting for an extended amount of time.</t>
</section>
<section anchor="response-payload-3" numbered="true" toc="default">
<name>Response Payload</name>
<t>When responding to the heartbeat request, the response payload will simply indicate success:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
heartbeat-response:
  response: success
]]></artwork>
</section>
<section anchor="response-processing-3" numbered="true" toc="default">
<name>Response Processing</name>
<t>Upon receipt of the "heartbeat-response" payload, the component may reset its heartbeat timer and continue normal operations, awaiting incoming message payloads. Component implementations may raise alerts, inform users, or take other actions when heartbeat requests are unsuccessful (potentially indicating a downed Manager), at their discretion.</t>
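<t>The Health Check and Heartbeat exchanges of this section carried out with the small timeout the text calls for, as an added example that is not part of draft-ietf-sacm-arch or of any SACM implementation. The transport is a plain callable standing in for the integration service; the timeout values, the alert wording and the simulated peers are assumptions made for this example.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
```python
# Added example (not code from draft-ietf-sacm-arch or a SACM project): the
# Health Check (Manager -> component "ping") and Heartbeat (component ->
# Manager "pulse") exchanges with a small timeout, so an offline peer never
# blocks the caller.  The transport is a plain callable standing in for the
# integration service; timeout values and alert wording are assumptions.
import threading
import time


def directed_request(deliver, payload, timeout):
    """Send `payload` via `deliver` and wait at most `timeout` seconds for a reply.

    Returns the response payload, or None if the peer did not answer in time.
    The worker is a daemon thread, so a hung peer cannot keep the process alive.
    """
    box = {}
    worker = threading.Thread(target=lambda: box.update(response=deliver(payload)),
                              daemon=True)
    worker.start()
    worker.join(timeout)
    return None if worker.is_alive() else box.get("response")


class ManagerInventory:
    """Manager side: records the last successful health check per component."""

    def __init__(self):
        self.last_seen = {}  # component-unique-identifier -> timestamp of last success
        self.alerts = []     # would be forwarded to users or a SIEM/SOAR in practice

    def health_check(self, cid, deliver, timeout=0.05):
        response = directed_request(deliver, {"health-check-request": {"action": "ping"}}, timeout)
        ok = (response or {}).get("health-check-response", {}).get("response") == "success"
        if ok:
            self.last_seen[cid] = time.time()
        else:
            self.alerts.append("component %s unavailable: health check timed out" % cid)
        return ok


class HeartbeatClient:
    """Component side: confirms the Manager is still reachable, resets its timer."""

    def __init__(self, deliver, timeout=0.05):
        self.deliver, self.timeout = deliver, timeout
        self.timer_reset_at = None
        self.manager_down = False

    def pulse(self):
        response = directed_request(self.deliver, {"heartbeat-request": {"action": "pulse"}},
                                    self.timeout)
        ok = (response or {}).get("heartbeat-response", {}).get("response") == "success"
        if ok:
            self.timer_reset_at = time.time()  # heartbeat timer reset; keep awaiting payloads
            self.manager_down = False
        else:
            self.manager_down = True  # implementation may alert users or retry later
        return ok


# Constructed peers: two answer immediately, one never answers within the
# timeout (an offline component or Manager).
def responsive_component(payload):
    return {"health-check-response": {"response": "success"}}


def responsive_manager(payload):
    return {"heartbeat-response": {"response": "success"}}


def hung_peer(payload):
    time.sleep(1.0)  # far longer than the caller's timeout
    return {"response": "success"}


def demo():
    inv = ManagerInventory()
    up = inv.health_check("pcs-1", responsive_component)
    down = inv.health_check("pcs-2", hung_peer)
    good, bad = HeartbeatClient(responsive_manager), HeartbeatClient(hung_peer)
    return inv, up, down, good.pulse(), good.manager_down, bad.pulse(), bad.manager_down
```
]]></artwork>
<t>Both directions share one timed request helper: the Manager treats a missed ping as an unavailable component and records an alert, while the component treats a missed pulse as a possibly downed Manager and flags it instead of blocking its own message loop.</t>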
</section>
</section>
</section>
<section anchor="status-notification" numbered="true" toc="default">
<name>Status Notification</name>
<t>From time to time during the performance of any given operation, a component may need to supply status information to the Manager (or any other concerned component), for use in display to users, or to trigger other events within the SACM ecosystem. The status notification operation is designed to allow any component to broadcast status message payloads to any subscribers with the need to know. For example, a collection component could broadcast to the Manager that it has initiated collection, subsequent collection progress updates, and finally completion or error conditions.</t>
<ul spacing="normal">
<li>Interaction Type: Broadcast (Publish/Subscribe)</li>
<li>Source Component: Any registered component, such as Posture Collection Services, Repository Interfaces, Posture Evaluation Services and more.</li>
<li>Target Component(s): Typically the Manager, but any registered component may subscribe to status notifications.</li>
</ul>
<section anchor="request-payload-4" numbered="true" toc="default">
<name>Request Payload</name>
<t>At a minimum, the payload broadcast for a status notification MUST include the status message and the publishing component's <tt>component-unique-identifier</tt>. Further identifying information, such as status codes, operation indicators, etc., MAY be provided by implementing components.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
status-notification:
  publisher: [component-unique-identifier]
  message: [message]
  [additional information]
]]></artwork>
</section>
<section anchor="request-processing-4" numbered="true" toc="default">
<name>Request Processing</name>
<t>When subscribers are notified of the status message, respective components may act upon them in component/application-specific ways, including persisting those messages to repositories, forwarding to log aggregation tools, displaying on user interfaces, and so on. Potential for use of component status notifications is only limited by application implementations.</t>
</section>
<section anchor="response-payload-4" numbered="true" toc="default">
<name>Response Payload</name>
<t>N/A</t>
</section>
<section anchor="response-processing-4" numbered="true" toc="default">
<name>Response Processing</name>
<t>N/A</t>
</section>
</section>
<section anchor="initiate-ad-hoc-collection-1" numbered="true" toc="default">
<name>Initiate Ad-Hoc Collection</name>
<t>The Ad-hoc collection workflow MAY be initiated by the Manager, via user interaction, or through a Posture Evaluation Service, and represents a single, point-in-time operation to collect posture attributes from applicable endpoints. The SACM Producer initiates a message payload, either through directed channels (such as the administrative interface) or through broadcast notifications to multiple subscribers, to Orchestrator components. Orchestrators MAY manipulate the Manager's collection instructions according to various collection capabilities, prior to providing those instructions to Posture Collection Service (PCS) components. Once collection instructions are received by the PCS, it will collect the requested posture attributes from the designated endpoints, using its advertised collection capabilities. The following diagram illustrates this workflow with the Manager as the initiating SACM Producer:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
+-----------+                      +------------------------------+
| Manager   |                      | Posture Collection Service   |
+-+-----^---+                      +---^----------+----------+----+
  |     |                              |          |          |
1.|    (S)                           4.|         (S)       5.|
  |     |                              |          |          |
  |     |                              |          |          |
+-v-----+-----------------------------------------v----------v----+
|                       Integration Service                       |
+-+-----^------^----------------------------------^----------+----+
  |     |      |                                  |          |
2.|    (S)    |3.                                (S)       |6.
  |     |      |                                  |          |
  |     |      |                                  |          |
+-v-----+------+-+               +----------------+----------v----+
| Orchestrator   |               | Posture Attribute Repository   |
+----------------+               +--------------------------------+
]]></artwork>
<ol spacing="normal" type="1">
<li>The Manager initiates a request to one or more Orchestrators to perform collection,</li>
<li>The Orchestrator receives collection instructions and potentially manipulates them according to one or more collection capabilities,</li>
<li>The Orchestrator publishes a notification to subscribed Posture Collection Service components, indicating the posture attributes to be collected,</li>
<li>The Posture Collection Service receives the collection instructions and performs the actual collection of posture attributes from one or more endpoints,</li>
<li>The Posture Collection Service publishes one or more notifications containing the collected posture attributes to be persisted to the Posture Attribute Repository,</li>
<li>The Posture Attribute Repository persists the collected posture attributes, potentially performing normalization of the data as part of its process.</li>
</ol>
<t>Interactions labeled (S) indicate the capability of each component to publish status notifications, subscribed to by the Manager.</t>
<section anchor="sacm-producer-to-orchestrator" numbered="true" toc="default">
<name>SACM Producer to Orchestrator</name>
<t>The Ad-hoc collection workflow MAY be initiated by a number of SACM components, such as the Manager, a Posture Evaluation Service, or other events outside the scope of this document.</t>
<ul spacing="normal">
<li>Interaction Type: Directed (Request/Response) or Broadcast (Publish/Subscribe)</li>
<li>Source Component: Various</li>
<li>Target Component(s): Orchestrator</li>
</ul>
<section anchor="request-payload-5" numbered="true" toc="default">
<name>Request Payload</name>
<t>A request to orchestrate posture attribute collection MUST include enough information to describe those attributes being collected, and MAY include endpoint targeting information.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
collection-instructions:
  TBD
]]></artwork>
</section>
<section anchor="request-processing-5" numbered="true" toc="default">
<name>Request Processing</name>
<t>When the Orchestrator receives the collection instructions, it may be required to manipulate them according to the capabilities its collector(s) support. For example, generic collection instructions could be transformed to the appropriate OVAL serialization for collection via OVAL-compliant collectors.</t>
</section>
<section anchor="response-payload-5" numbered="true" toc="default">
<name>Response Payload</name>
<t>Orchestrators have the option to provide broadcast status update messages to indicate success, failure, or other error messages when receiving posture collection orchestration payloads.</t>
</section>
<section anchor="response-processing-5" numbered="true" toc="default">
<name>Response Processing</name>
<t>N/A</t>
</section>
</section>
<section anchor="orchestrator-to-posture-collection-service" numbered="true" toc="default">
<name>Orchestrator to Posture Collection Service</name>
<t>Once the Orchestrator has received collection instructions from the initiating SACM component, and has performed any manipulation of the instructions to conform to its capabilities, it will provide those instructions to relevant Posture Collection Services.</t>
<ul spacing="normal">
<li>Interaction Type: Directed (Request/Response) or Broadcast (Publish/Subscribe)</li>
<li>Source Component: Orchestrator</li>
<li>Target Component(s): Posture Collection Service</li>
</ul>
<section anchor="request-payload-6" numbered="true" toc="default">
<name>Request Payload</name>
<t>The payload exchanged between the Orchestrator and its associated Posture Collection Services will be collection instructions adhering to a data model supported by the PCS based on its advertised capabilities.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
collection-instructions:
  TBD
]]></artwork>
</section>
<section anchor="request-processing-6" numbered="true" toc="default">
<name>Request Processing</name>
<t>Upon receipt of the payload containing collection instructions, the Posture Collection Service should parse and validate them, indicating any errors in the process. If the payload does not conform to any serialization or data model to which the PCS' capabilities correspond, status messages indicating such nonconformance SHOULD be provided to both the Orchestrator and the initiating SACM producer.</t>
<t>Once successfully parsed and validated, the PCS MUST perform collection of posture attributes according to the collection instructions, from any endpoint to which the PCS has access, or from the list of endpoints described in any targeting information included in the collection instructions.</t>
</section>
<section anchor="response-payload-6" numbered="true" toc="default">
<name>Response Payload</name>
<t>Posture Collection Service components will respond using the generic status update mechanisms to indicate success, failure, or any errors that occur. Errors may occur parsing collection instructions, verifying them, targeting indicated endpoints, or from the act of collecting the indicated posture attributes.</t>
</section>
<section anchor="response-processing-6" numbered="true" toc="default">
<name>Response Processing</name>
<t>Any messages received by components regarding the success, failure, or errors involved in the collection of posture attributes MAY be processed according to the receiving components' capabilities.</t>
</section>
</section>
<section anchor="posture-collection-service-to-posture-attribute-repository" numbered="true" toc="default">
<name>Posture Collection Service to Posture Attribute Repository</name>
<t>Upon completion of posture attribute collection, the PCS constructs the payload of collected attributes based on its advertised capabilities, e.g. OVAL system characteristics. This payload is provided to either a specific posture attribute repository via directed messages or to subscribed repository interfaces via broadcast messages.</t>
<ul spacing="normal">
<li>Interaction Type: Directed (Request/Response) or Broadcast (Publish/Subscribe)</li>
<li>Source Component: Posture Collection Service</li>
<li>Target Component(s): Posture Attribute Repository</li>
</ul>
<section anchor="request-payload-7" numbered="true" toc="default">
<name>Request Payload</name>
<t>The payload supplied by the Posture Collection Service SHOULD conform to information and data models supported by its advertised capabilities. These data models, at a minimum, SHOULD include name/value pairs for each collected attribute.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
collection-results:
  [
    attribute-name,
    attribute-value
  ]
]]></artwork>
</section>
<section anchor="request-processing-7" numbered="true" toc="default">
<name>Request Processing</name>
<t>As the Posture Attribute Repository interface receives the payload of collected posture attributes, some data normalization MAY occur in order to persist the information most efficiently based on the persistence technology. This normalization is dependent on the implementation of the repository interface as well as the persistence technology. For example, OVAL system characteristics, an XML payload, could be normalized to a property graph representation when persisted to a Neo4j database.</t>
</section>
<section anchor="response-payload-7" numbered="true" toc="default">
<name>Response Payload</name>
<t>Once the Posture Attribute Repository has received the payload, it MAY respond to the Posture Collection Service that it has successfully received the collected posture attributes. This response would only be applicable when receiving payloads via directed requests. If payloads are received via broadcast interactions, there may not be a PCS to which a response can be sent. The Posture Attribute Repository MAY utilize the generic status update interactions to provide response messages to appropriate subscribers.</t>
</section>
<section anchor="response-processing-7" numbered="true" toc="default">
<name>Response Processing</name>
<t>Any messages received by components regarding the success, failure, or errors involved in the persistence of collected posture attributes MAY be processed according to the receiving components' capabilities. For example, a generic status update message could be processed by a Manager component, correlated with the initial posture collection instructions in order to "close the loop" on the posture attribute collection workflow.</t>
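<t>The full ad-hoc collection workflow of this section (steps 1 through 6 of the diagram above) together with the Status Notification broadcasts the Manager uses to "close the loop", as an added example that is not part of draft-ietf-sacm-arch or of any SACM implementation. The topic names, the request-id field used to correlate status messages with the initial collection instructions (one of the optional "additional information" fields the status notification payload permits), the PCS-specific instruction format and the endpoint posture data are all assumptions constructed for this example.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
```python
# Added example (not code from draft-ietf-sacm-arch or a SACM project): the
# ad-hoc collection workflow (steps 1-6) over an in-memory integration service,
# with the (S) status notifications the Manager uses to close the loop.  Topic
# names, the "request-id" correlation field, the PCS instruction format and the
# endpoint data are assumptions constructed for this example.
import uuid
from collections import defaultdict


class IntegrationService:  # minimal publish/subscribe bus; directed channels not modelled
    def __init__(self):
        self.subscribers = defaultdict(list)

    def subscribe(self, topic, callback):
        self.subscribers[topic].append(callback)

    def publish(self, topic, payload):
        for callback in list(self.subscribers[topic]):
            callback(payload)


def notify(bus, publisher, message, request_id, operation):
    # status-notification: mandatory publisher + message, plus assumed extras
    bus.publish("status-notification", {"publisher": publisher, "message": message,
                                        "request-id": request_id, "operation": operation})


class Manager:  # step 1: initiates collection; correlates (S) messages to close the loop
    def __init__(self, bus):
        self.bus, self.requests = bus, {}
        bus.subscribe("status-notification", self.on_status)

    def initiate_collection(self, attributes, targets):
        rid = str(uuid.uuid4())
        self.requests[rid] = {"state": "initiated", "status-log": []}
        self.bus.publish("collection-instructions",
                         {"request-id": rid, "attributes": attributes, "targets": targets})
        return rid

    def on_status(self, note):
        req = self.requests.get(note.get("request-id"))
        if req is None:
            return  # not one of our requests, or no correlation data supplied
        req["status-log"].append((note["publisher"], note["message"]))
        if note["operation"] == "persist" and note["message"] == "completed":
            req["state"] = "closed"  # collected attributes reached the repository
        elif note["message"].startswith("error"):
            req["state"] = "failed"


class Orchestrator:  # steps 2-3: adapts instructions to the collector's format, republishes
    def __init__(self, bus):
        self.bus = bus
        bus.subscribe("collection-instructions", self.on_instructions)

    def on_instructions(self, instr):
        rid = instr["request-id"]
        notify(self.bus, "orchestrator-1", "received", rid, "orchestrate")
        self.bus.publish("pcs-collection-instructions", {  # assumed PCS serialization
            "request-id": rid, "targets": instr["targets"],
            "items": [{"attribute": a} for a in instr["attributes"]]})


# Constructed endpoint posture, standing in for what a real collector would read.
ENDPOINTS = {"host-a": {"os.version": "22.04", "sshd.PermitRootLogin": "no"},
             "host-b": {"os.version": "20.04", "sshd.PermitRootLogin": "yes"}}


class PostureCollectionService:  # steps 4-5: collects, publishes name/value pairs
    def __init__(self, bus):
        self.bus = bus
        bus.subscribe("pcs-collection-instructions", self.on_instructions)

    def on_instructions(self, instr):
        rid, results = instr["request-id"], []
        notify(self.bus, "pcs-1", "collection initiated", rid, "collect")
        for endpoint in instr["targets"]:
            for item in instr["items"]:
                value = ENDPOINTS.get(endpoint, {}).get(item["attribute"])
                if value is None:  # error reported via (S); nothing is persisted
                    notify(self.bus, "pcs-1", "error: %s not collectable on %s"
                           % (item["attribute"], endpoint), rid, "collect")
                    return
                results.append({"endpoint": endpoint, "attribute-name": item["attribute"],
                                "attribute-value": value})
        self.bus.publish("collection-results", {"request-id": rid, "results": results})
        notify(self.bus, "pcs-1", "completed", rid, "collect")


class PostureAttributeRepository:  # step 6: persists, normalized as endpoint -> name -> value
    def __init__(self, bus):
        self.bus, self.store = bus, defaultdict(dict)
        bus.subscribe("collection-results", self.on_results)

    def on_results(self, payload):
        for r in payload["results"]:
            self.store[r["endpoint"]][r["attribute-name"]] = r["attribute-value"]
        notify(self.bus, "repository-1", "completed", payload["request-id"], "persist")


def run_workflow(attributes, targets):
    bus = IntegrationService()
    manager, repo = Manager(bus), PostureAttributeRepository(bus)
    Orchestrator(bus), PostureCollectionService(bus)
    rid = manager.initiate_collection(attributes, targets)
    return manager.requests[rid], dict(repo.store)
```
]]></artwork>
<t>Because the Manager only subscribes to status notifications, it never talks to the repository directly: the request is closed when a persist "completed" message carrying the original request-id arrives, and a collection error reported by the PCS leaves the request in a failed state with nothing persisted.</t>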
</section>
</section>
</section>