From d23ccd8808d0b45e0e69758e8eb6785e218457f7 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 10:26:05 -0400 Subject: [PATCH 01/41] rewrap markdown source in starter document --- ap-pac.md | 369 ++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 287 insertions(+), 82 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 2754541..78b2949 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -7,7 +7,7 @@ ## Committee Specification Draft 01 -## 30 March 2022 +## xx May 2022   @@ -43,44 +43,115 @@ David Kemp (d.kemp@cyber.nsa.gov), [National Security Agency](http://www.nsa.gov This prose specification is one component of a Work Product that also includes: * XML schemas: (list file names or directory name) * Other parts (list titles and/or file names) -* `(Note: Any normative computer language definitions that are part of the Work Product, such as XML instances, schemas and Java(TM) code, including fragments of such, must be (a) well formed and valid, (b) provided in separate plain text files, (c) referenced from the Work Product; and (d) where any definition in these separate files disagrees with the definition found in the specification, the definition in the separate file prevails. Remove this note before submitting for publication.)` +* `(Note: Any normative computer language definitions that are + part of the Work Product, such as XML instances, schemas and + Java(TM) code, including fragments of such, must be (a) well + formed and valid, (b) provided in separate plain text files, + (c) referenced from the Work Product; and (d) where any + definition in these separate files disagrees with the + definition found in the specification, the definition in the + separate file prevails. Remove this note before submitting for + publication.)` #### Related work: This specification is related to: -* _Open Command and Control (OpenC2) Language Specification Version 1.0_. Edited by Jason Romano and Duncan Sparrell. Latest stage: https://docs.oasis-open.org/openc2/oc2ls/v1.0/oc2ls-v1.0.html. +* _Open Command and Control (OpenC2) Language Specification + Version 1.0_. Edited by Jason Romano and Duncan Sparrell. + Latest stage: + https://docs.oasis-open.org/openc2/oc2ls/v1.0/oc2ls-v1.0.html. #### Abstract: -This specification defines an actuator profile to automate collection of security posture attributes from virtual and physical computing resources using OpenC2. Security Posture Attribute Collection (PAC) supports security automation by providing mechanisms to collect and aggregate the configuration and status of network components for use in situational awareness, security posture evaluation, and response actions. This actuator profile defines the OpenC2 Actions, Targets, Arguments, and Specifiers along with conformance clauses to enable the operation of OpenC2 Producers and Consumers in the context of PAC. It covers identification of computing resources, definition of security-relevant resource attributes, and controlling the collection of those attributes using direct pull or event-based push mechanisms. - -Open Command and Control (OpenC2) is an effort to rigorously standardize command and control of vital cyber defense systems. OpenC2 is a concise and extensible language to enable the command and control of cyber defense components, subsystems and/or systems in a manner that is agnostic of the underlying products, technologies, transport mechanisms or other aspects of the implementation. +This specification defines an actuator profile to automate +collection of security posture attributes from virtual and +physical computing resources using OpenC2. Security Posture +Attribute Collection (PAC) supports security automation by +providing mechanisms to collect and aggregate the configuration +and status of network components for use in situational +awareness, security posture evaluation, and response actions. +This actuator profile defines the OpenC2 Actions, Targets, +Arguments, and Specifiers along with conformance clauses to +enable the operation of OpenC2 Producers and Consumers in the +context of PAC. It covers identification of computing resources, +definition of security-relevant resource attributes, and +controlling the collection of those attributes using direct pull +or event-based push mechanisms. + +Open Command and Control (OpenC2) is an effort to rigorously +standardize command and control of vital cyber defense systems. +OpenC2 is a concise and extensible language to enable the command +and control of cyber defense components, subsystems and/or +systems in a manner that is agnostic of the underlying products, +technologies, transport mechanisms or other aspects of the +implementation. #### Status: -This document was last revised or approved by the OASIS Open Command and Control (OpenC2) TC on the above date. The level of approval is also listed above. Check the "Latest stage" location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=openc2#technical. - -TC members should send comments on this specification to the TC's email list. Others should send comments to the TC's public comment list, after subscribing to it by following the instructions at the "[Send A Comment](https://www.oasis-open.org/committees/comments/index.php?wg_abbrev=)" button on the TC's web page at https://www.oasis-open.org/committees/openc2/. - -This specification is provided under the [Non-Assertion](https://www.oasis-open.org/policies-guidelines/ipr/#Non-Assertion-Mode) Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC's web page (https://www.oasis-open.org/committees/openc2/ipr.php). - -Note that any machine-readable content ([Computer Language Definitions](https://www.oasis-open.org/policies-guidelines/tc-process-2017-05-26/#wpComponentsCompLang)) declared Normative for this Work Product is provided in separate plain text files. In the event of a discrepancy between any such plain text file and display content in the Work Product's prose narrative document(s), the content in the separate plain text file prevails. +This document was last revised or approved by the OASIS Open +Command and Control (OpenC2) TC on the above date. The level of +approval is also listed above. Check the "Latest stage" location +noted above for possible later revisions of this document. Any +other numbered Versions and other technical work produced by the +Technical Committee (TC) are listed at +https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=openc2#technical. + +TC members should send comments on this specification to the TC's +email list. Others should send comments to the TC's public +comment list, after subscribing to it by following the +instructions at the "[Send A +Comment](https://www.oasis-open.org/committees/comments/index.php?wg_abbrev=)" +button on the TC's web page at +https://www.oasis-open.org/committees/openc2/. + +This specification is provided under the +[Non-Assertion](https://www.oasis-open.org/policies-guidelines/ipr/#Non-Assertion-Mode) +Mode of the OASIS IPR Policy, the mode chosen when the Technical +Committee was established. For information on whether any patents +have been disclosed that may be essential to implementing this +specification, and any offers of patent licensing terms, please +refer to the Intellectual Property Rights section of the TC's web +page (https://www.oasis-open.org/committees/openc2/ipr.php). + +Note that any machine-readable content ([Computer Language +Definitions](https://www.oasis-open.org/policies-guidelines/tc-process-2017-05-26/#wpComponentsCompLang)) +declared Normative for this Work Product is provided in separate +plain text files. In the event of a discrepancy between any such +plain text file and display content in the Work Product's prose +narrative document(s), the content in the separate plain text +file prevails. #### Key words: -The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [[RFC2119](#rfc2119)] and [[RFC8174](#rfc8174)] when, and only when, they appear in all capitals, as shown here. +The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL +NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", +"MAY", and "OPTIONAL" in this document are to be interpreted as +described in BCP 14 [[RFC2119](#rfc2119)] and +[[RFC8174](#rfc8174)] when, and only when, they appear in all +capitals, as shown here. #### Citation format: -When referencing this specification the following citation format should be used: +When referencing this specification the following citation format +should be used: **[AP-PAC-v1.0]** -_OpenC2 Actuator Profile for Posture Attribute Collection Version 1.0_. Edited by David Lemire and David Kemp. 30 March 2022. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/openc2/ap-pac/v1.0/csd01/ap-pac-v1.0-csd01.html. Latest stage: https://docs.oasis-open.org/openc2/ap-pac/v1.0/ap-pac-v1.0.html. +_OpenC2 Actuator Profile for Posture Attribute Collection Version +1.0_. Edited by David Lemire and David Kemp. 30 March 2022. OASIS +Committee Specification Draft 01. +https://docs.oasis-open.org/openc2/ap-pac/v1.0/csd01/ap-pac-v1.0-csd01.html. +Latest stage: +https://docs.oasis-open.org/openc2/ap-pac/v1.0/ap-pac-v1.0.html. #### Notices Copyright © OASIS Open 2022. All Rights Reserved. -Distributed under the terms of the OASIS [IPR Policy](https://www.oasis-open.org/policies-guidelines/ipr/). +Distributed under the terms of the OASIS [IPR +Policy](https://www.oasis-open.org/policies-guidelines/ipr/). -The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. +The name "OASIS" is a trademark of +[OASIS](https://www.oasis-open.org/), the owner and developer of +this specification, and should be used only to refer to the +organization and its official outputs. -For complete copyright information please see the full Notices section in an Appendix below. +For complete copyright information please see the full Notices +section in an Appendix below. ------- @@ -94,16 +165,26 @@ For complete copyright information please see the full Notices section in an App -Here is a customized command line which will generate HTML from this markdown file (named openc2-file.md): +Here is a customized command line which will generate HTML from +this markdown file (named openc2-file.md): -pandoc -f gfm -t html openc2-file.md -c styles/markdown-styles-v1.7.3.css --toc --toc-depth=5 -s -o openc2-file.html --metadata title="Title of Specification Version 1.0" +pandoc -f gfm -t html openc2-file.md -c +styles/markdown-styles-v1.7.3.css --toc --toc-depth=5 -s -o +openc2-file.html --metadata title="Title of Specification Version +1.0" -OASIS staff are currently using pandoc 2.6 from https://github.com/jgm/pandoc/releases/tag/2.6. +OASIS staff are currently using pandoc 2.6 from +https://github.com/jgm/pandoc/releases/tag/2.6. -This also requires the presence of a .css file containing the HTML styles (like styles/markdown-styles-v1.7.3.css). +This also requires the presence of a .css file containing the +HTML styles (like styles/markdown-styles-v1.7.3.css). -Note this command generates a Table of Contents (TOC) in HTML which is located at the top of the HTML document, and which requires additional editing in order to be published in the expected OASIS style. This editing will be handled by OASIS staff during publication. -A TC may use other ways to generate HTML from markdown, which may generate a TOC in a different way. +Note this command generates a Table of Contents (TOC) in HTML +which is located at the top of the HTML document, and which +requires additional editing in order to be published in the +expected OASIS style. This editing will be handled by OASIS staff +during publication. A TC may use other ways to generate HTML from +markdown, which may generate a TOC in a different way. ## 1.1 Changes from earlier versions @@ -127,23 +208,30 @@ A TC may use other ways to generate HTML from markdown, which may generate a TOC **Text.** -Note that text paragraphs in markdown should be separated by a blank line between them - +Note that text paragraphs in markdown should be separated by a +blank line between them - -Otherwise the separate paragraphs will be joined together when the HTML is generated. -Even if the text appears to be separate lines in the markdown source. +Otherwise the separate paragraphs will be joined together when +the HTML is generated. Even if the text appears to be separate +lines in the markdown source. To avoid having the usual vertical space between paragraphs, -append two or more space characters (or space-backslash) to the end of the lines -which will generate an HTML break tag instead of a new paragraph tag \ +append two or more space characters (or space-backslash) to the +end of the lines +which will generate an HTML break tag instead of a new paragraph +tag \ (as demonstrated here). ### 1.3.1 Figures and Captions -FIGURE EXAMPLE: - +FIGURE EXAMPLE: ###### Figure 1 -- Title of Figure -![image-label should be meaningful](images/image_0.png) (this image is intentionally missing) +![image-label should be meaningful](images/image_0.png) (this +image is intentionally missing) ###### Figure 2 -- OpenC2 Message Exchange ![message exchange](images/image_1.png) @@ -177,8 +265,9 @@ text. | :--- | :--- | | **content** | Message body as specified by content_type and msg_type. | -Here is a reference to the table caption: -Please see [Table 1-5 or other meaningful label](#table-1-5-see-reference-label-construction) +Here is a reference to the table caption: Please see [Table 1-5 +or other meaningful +label](#table-1-5-see-reference-label-construction) ### 1.3.3 Lists @@ -189,7 +278,8 @@ Bulleted list: * bullet item 3. * bullet item 4. -Indented or multi-level bullet list - add two spaces per level before bullet character (* or -): +Indented or multi-level bullet list - add two spaces per level +before bullet character (* or -): * main bullet type * Example second bullet * See third level @@ -200,40 +290,51 @@ Numbered list: 2. item 2 3. item 3 -Left-justified list without bullets or numbers: -To list multiple items without full paragraph breaks between items, add space-backslash after each item except the last. +Left-justified list without bullets or numbers: To list multiple +items without full paragraph breaks between items, add +space-backslash after each item except the last. ### 1.3.4 Reference Label Construction REFERENCES and ANCHORS -- in markdown source, format the Reference tags as level 6 headings like: `###### [RFC2119]` +- in markdown source, format the Reference tags as level 6 + headings like: `###### [RFC2119]` ###### [RFC2119] Bradner, S., "Key words ..." - reference text has to be on a separate line below the tag -- format cross-references (citations of the references) like: `see [[RFC2119](#rfc2119)]` +- format cross-references (citations of the references) like: + `see [[RFC2119](#rfc2119)]` "see [[RFC2119](#rfc2119)]" -(note the outer square brackets in markdown will appear in the visible HTML text) +(note the outer square brackets in markdown will appear in the +visible HTML text) -- The text in the Reference tag (following ###### ) will become an HTML anchor using the following conversion rules: +- The text in the Reference tag (following ###### ) will become + an HTML anchor using the following conversion rules: - punctuation marks will be dropped (including "[" ) - leading white spaces will be dropped - upper case will be converted to lower - spaces between letters will be converted to a single hyphen -- The same HTML anchor construction rules apply to cross-references and to section headings. +- The same HTML anchor construction rules apply to + cross-references and to section headings. - Thus, a section heading like "## 1.2 Glossary" - becomes an anchor in HTML like `` - - referenced in the markdown like: see [Section 1.2](#12-glossary) + - referenced in the markdown like: see [Section + 1.2](#12-glossary) - in markdown: `"see [Section 1.2](#12-glossary)"` - similar HTML anchors are also used in constructing the TOC ### 1.3.5 Code Blocks -Text to appear as an indented code block with grey background and monospace font - use three back-ticks before and after the code block. +Text to appear as an indented code block with grey background and +monospace font - use three back-ticks before and after the code +block. -Note the actual backticks will not appear in the HTML format. If it's necessary to display visible backticks, place a back-slash before them like: \``` . +Note the actual backticks will not appear in the HTML format. If +it's necessary to display visible backticks, place a back-slash +before them like: \``` . ``` { @@ -247,13 +348,16 @@ Note the actual backticks will not appear in the HTML format. If it's necessary } ``` -Text to be highlighted as code can also be surrounded by a single "backtick" character: -`code text` +Text to be highlighted as code can also be surrounded by a single +"backtick" character: `code text` ## 1.4 Page Breaks -Add horizontal rule lines where page breaks are desired in the PDF - before each major section -- insert the line rules in markdown by inserting 3 or more hyphens on a line by themselves: --- -- place these before each main section in markdown (usually "#" - which generates the HTML `

` tag) +Add horizontal rule lines where page breaks are desired in the +PDF - before each major section +- insert the line rules in markdown by inserting 3 or more + hyphens on a line by themselves: --- +- place these before each main section in markdown (usually "#" - + which generates the HTML `

` tag) ------- @@ -281,8 +385,17 @@ text. # 3 Conformance -(Note: The [OASIS TC Process](https://www.oasis-open.org/policies-guidelines/tc-process-2017-05-26/#wpComponentsConfClause) requires that a specification approved by the TC at the Committee Specification Public Review Draft, Committee Specification or OASIS Standard level must include a separate section, listing a set of numbered conformance clauses, to which any implementation of the specification must adhere in order to claim conformance to the specification (or any optional portion thereof). This is done by listing the conformance clauses here. -For the definition of "conformance clause," see [OASIS Defined Terms](https://www.oasis-open.org/policies-guidelines/oasis-defined-terms-2018-05-22/#dConformanceClause). +(Note: The [OASIS TC +Process](https://www.oasis-open.org/policies-guidelines/tc-process-2017-05-26/#wpComponentsConfClause) +requires that a specification approved by the TC at the Committee +Specification Public Review Draft, Committee Specification or +OASIS Standard level must include a separate section, listing a +set of numbered conformance clauses, to which any implementation +of the specification must adhere in order to claim conformance to +the specification (or any optional portion thereof). This is done +by listing the conformance clauses here. For the definition of +"conformance clause," see [OASIS Defined +Terms](https://www.oasis-open.org/policies-guidelines/oasis-defined-terms-2018-05-22/#dConformanceClause). See "Guidelines to Writing Conformance Clauses": https://docs.oasis-open.org/templates/TCHandbook/ConformanceGuidelines.html. @@ -296,9 +409,12 @@ Remove this note before submitting for publication.) -This appendix contains the normative and informative references that are used in this document. +This appendix contains the normative and informative references +that are used in this document. -While any hyperlinks included in this appendix were valid at the time of publication, OASIS cannot guarantee their long-term validity. +While any hyperlinks included in this appendix were valid at the +time of publication, OASIS cannot guarantee their long-term +validity. ## A.1 Normative References @@ -335,13 +451,31 @@ Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Conside -(Note: OASIS strongly recommends that Technical Committees consider issues that might affect safety, security, privacy, and/or data protection in implementations of their specification and document them for implementers and adopters. For some purposes, you may find it required, e.g. if you apply for IANA registration. - -While it may not be immediately obvious how your specification might make systems vulnerable to attack, most specifications, because they involve communications between systems, message formats, or system settings, open potential channels for exploit. For example, IETF [[RFC3552](#rfc3552)] lists “eavesdropping, replay, message insertion, deletion, modification, and man-in-the-middle” as well as potential denial of service attacks as threats that must be considered and, if appropriate, addressed in IETF RFCs. - -In addition to considering and describing foreseeable risks, this section should include guidance on how implementers and adopters can protect against these risks. - -We encourage editors and TC members concerned with this subject to read _Guidelines for Writing RFC Text on Security Considerations_, IETF [[RFC3552](#rfc3552)], for more information. +(Note: OASIS strongly recommends that Technical Committees +consider issues that might affect safety, security, privacy, +and/or data protection in implementations of their specification +and document them for implementers and adopters. For some +purposes, you may find it required, e.g. if you apply for IANA +registration. + +While it may not be immediately obvious how your specification +might make systems vulnerable to attack, most specifications, +because they involve communications between systems, message +formats, or system settings, open potential channels for exploit. +For example, IETF [[RFC3552](#rfc3552)] lists “eavesdropping, +replay, message insertion, deletion, modification, and +man-in-the-middle” as well as potential denial of service attacks +as threats that must be considered and, if appropriate, addressed +in IETF RFCs. + +In addition to considering and describing foreseeable risks, this +section should include guidance on how implementers and adopters +can protect against these risks. + +We encourage editors and TC members concerned with this subject +to read _Guidelines for Writing RFC Text on Security +Considerations_, IETF [[RFC3552](#rfc3552)], for more +information. Remove this note before submitting for publication.) @@ -351,13 +485,19 @@ Remove this note before submitting for publication.) -Note: A Work Product approved by the TC must include a list of people who participated in the development of the Work Product. This is generally done by collecting the list of names in this appendix. This list shall be initially compiled by the Chair, and any Member of the TC may add or remove their names from the list by request. Remove this note before submitting for publication. +Note: A Work Product approved by the TC must include a list of +people who participated in the development of the Work Product. +This is generally done by collecting the list of names in this +appendix. This list shall be initially compiled by the Chair, and +any Member of the TC may add or remove their names from the list +by request. Remove this note before submitting for publication. ## C.1 Special Thanks -Substantial contributions to this document from the following individuals are gratefully acknowledged: +Substantial contributions to this document from the following +individuals are gratefully acknowledged: Participant Name, Affiliation or "Individual Member" @@ -365,7 +505,8 @@ Participant Name, Affiliation or "Individual Member" -The following individuals have participated in the creation of this specification and are gratefully acknowledged: +The following individuals have participated in the creation of +this specification and are gratefully acknowledged: **OpenC2 TC Members:** @@ -402,20 +543,84 @@ Darren | Anstman | Big Networks Copyright © OASIS Open 2022. All Rights Reserved. -All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full [Policy](https://www.oasis-open.org/policies-guidelines/ipr/) may be found at the OASIS website. - -This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English. - -The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns. - -This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -As stated in the OASIS IPR Policy, the following three paragraphs in brackets apply to OASIS Standards Final Deliverable documents (Committee Specification, Candidate OASIS Standard, OASIS Standard, or Approved Errata). - -\[OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Standards Final Deliverable, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this deliverable.\] - -\[OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this OASIS Standards Final Deliverable by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this OASIS Standards Final Deliverable. OASIS may include such claims on its website, but disclaims any obligation to do so.\] - -\[OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this OASIS Standards Final Deliverable or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Standards Final Deliverable, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.\] - -The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark/ for above guidance. +All capitalized terms in the following text have the meanings +assigned to them in the OASIS Intellectual Property Rights Policy +(the "OASIS IPR Policy"). The full +[Policy](https://www.oasis-open.org/policies-guidelines/ipr/) may +be found at the OASIS website. + +This document and translations of it may be copied and furnished +to others, and derivative works that comment on or otherwise +explain it or assist in its implementation may be prepared, +copied, published, and distributed, in whole or in part, without +restriction of any kind, provided that the above copyright notice +and this section are included on all such copies and derivative +works. However, this document itself may not be modified in any +way, including by removing the copyright notice or references to +OASIS, except as needed for the purpose of developing any +document or deliverable produced by an OASIS Technical Committee +(in which case the rules applicable to copyrights, as set forth +in the OASIS IPR Policy, must be followed) or as required to +translate it into languages other than English. + +The limited permissions granted above are perpetual and will not +be revoked by OASIS or its successors or assigns. + +This document and the information contained herein is provided on +an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE +OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS +OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A +PARTICULAR PURPOSE. + +As stated in the OASIS IPR Policy, the following three paragraphs +in brackets apply to OASIS Standards Final Deliverable documents +(Committee Specification, Candidate OASIS Standard, OASIS +Standard, or Approved Errata). + +\[OASIS requests that any OASIS Party or any other party that +believes it has patent claims that would necessarily be infringed +by implementations of this OASIS Standards Final Deliverable, to +notify OASIS TC Administrator and provide an indication of its +willingness to grant patent licenses to such patent claims in a +manner consistent with the IPR Mode of the OASIS Technical +Committee that produced this deliverable.\] + +\[OASIS invites any party to contact the OASIS TC Administrator +if it is aware of a claim of ownership of any patent claims that +would necessarily be infringed by implementations of this OASIS +Standards Final Deliverable by a patent holder that is not +willing to provide a license to such patent claims in a manner +consistent with the IPR Mode of the OASIS Technical Committee +that produced this OASIS Standards Final Deliverable. OASIS may +include such claims on its website, but disclaims any obligation +to do so.\] + +\[OASIS takes no position regarding the validity or scope of any +intellectual property or other rights that might be claimed to +pertain to the implementation or use of the technology described +in this OASIS Standards Final Deliverable or the extent to which +any license under such rights might or might not be available; +neither does it represent that it has made any effort to identify +any such rights. Information on OASIS' procedures with respect to +rights in any document or deliverable produced by an OASIS +Technical Committee can be found on the OASIS website. Copies of +claims of rights made available for publication and any +assurances of licenses to be made available, or the result of an +attempt made to obtain a general license or permission for the +use of such proprietary rights by implementers or users of this +OASIS Standards Final Deliverable, can be obtained from the OASIS +TC Administrator. OASIS makes no representation that any +information or list of intellectual property rights will at any +time be complete, or that any claims in such list are, in fact, +Essential Claims.\] + +The name "OASIS" is a trademark of +[OASIS](https://www.oasis-open.org/), the owner and developer of +this specification, and should be used only to refer to the +organization and its official outputs. OASIS welcomes reference +to, and implementation and use of, specifications, while +reserving the right to enforce its marks against misleading uses. +Please see +https://www.oasis-open.org/policies-guidelines/trademark/ for +above guidance. From 58f4de3d84474e617b23482b1f6a2d1c7a341856 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 13:02:28 -0400 Subject: [PATCH 02/41] insert new appndx E, and renumber subsequent --- ap-pac.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 78b2949..67a1fbc 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -529,15 +529,22 @@ Darren | Anstman | Big Networks ------- -# Appendix E. Example Appendix with subsections +# Appendix E. Orchestrator Consumer Operating Model -## E.1 Subsection title -### E.1.1 Sub-subsection + + +------- + +# Appendix F. Example Appendix with subsections + +## F.1 Subsection title + +### F.1.1 Sub-subsection ------- -# Appendix F. Notices +# Appendix G. Notices From db124757ab8cc0f7a24e9bc5c805d573cb707ff2 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 13:10:55 -0400 Subject: [PATCH 03/41] populate appendix E: operating model --- ap-pac.md | 152 ++++++++++++++++++++++++ images/Orchestrator-Consumer.drawio.png | Bin 0 -> 25758 bytes 2 files changed, 152 insertions(+) create mode 100644 images/Orchestrator-Consumer.drawio.png diff --git a/ap-pac.md b/ap-pac.md index 67a1fbc..89eb64f 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -531,7 +531,159 @@ Darren | Anstman | Big Networks # Appendix E. Orchestrator Consumer Operating Model +This appendix explains the operating model for an Orchestrator +Consumer (OC). Figure E-1 shows the relevant operating context. + +![Figure E-1: Orchestrator Consumers Context](images/Orchestrator-Consumer.drawio.png) + +The diagram illustrates the interactions of the OC with the +upstream Producer that commands it and the downstream Consumers +that it commands. Any particular downstream Consumer may support +any mixture of OpenC2 actuator profiles (APs) and other +non-OpenC2-based interfaces for interacting with the OC. Tracking +the available downstream Consumers and their capabilities is a +local matter for the OC. +## E.1. Terminology + +- **Upstream:** refers to interfaces and external entities + through which the OC receives OpenC2 commands and via which + it sends responses. +- **Downstream:** refers to interfaces and external entities + through which the OC sends commands via OpenC2 and/or other + mechanisms and via which it receives responses and data. +- **OpenC2-based Interfaces:** refers to any interface, inbound + or outbound, where the OC exchanges information via formats + and protocols defined by OpenC2 specifications (i.e., OpenC2 + Language Specification, Actuator Profiles, and Transfer + Specifications). +- **Other mechanisms:** refers to any interface, inbound or + outbound, where the OC exchanges information using formats + and protocols not defined by any OpenC2 specification. + + +## E.2 Assumptions + +1. All commands received via the OC’s upstream interface: + + 1. Are governed by OpenC2 specifications; + + 2. Are defined by an Actuator Profile not used with any of + the downstream Consumers (in the figure above this is the + Posture Attribute Collection (PAC) AP); + + 3. Provide enough information for the OC to select a + mechanism to interact with downstream Consumers; + + 4. Provide enough information for the OC to determine which + downstream Consumers to command; the number of downstream + Consumers can range from a single Consumer to very large + quantities. + +2. Interactions between the OC and its downstream Consumers may + use any mixture of OpenC2-based and other mechanisms; the + mechanisms used are opaque to the upstream Producer. + +3. Responses via the upstream interface will typically only + provide status information regarding the execution of the + referenced command, but may contain other requested content + such as a pointer to stored information, or the actual + information retrieved, based on specifics of the command + received from upstream. + +Assumption 1.ii is a simplifying assumption: when only the OC +supports the AP defining commands received from upstream, there +is no ambiguity regarding what element executes the command. If +both the OC and downstream Consumers support the AP or LS feature +defining the command received from upstream, the OC must +implement suitable decision logic to determine whether to execute +the command locally or trigger downstream commands derived from +the upstream command. + +Assumption 3 alters an OpenC2 Language Specification (LS) +default: [*Section +3.3.1.4*](https://docs.oasis-open.org/openc2/oc2ls/v1.0/cs02/oc2ls-v1.0-cs02.html#3314-command-arguments) +of the LS states that if the command argument `response\_requested` +is not explicitly specified by a Producer, then the Consumer +should send a complete response. In the case of an OC responding +to an upstream Producer, this default is overridden. + +## E.3 Operations + +The OC performs the following operations in executing a command +received from the upstream Producer: + +1. Receive command and validate it against the appropriate AP. + +2. Interpret the received command contents to determine: + + 1. The appropriate mechanism (e.g., OpenC2 AP / command, + other mechanism) to use with downstream Consumers to + accomplish the intent of the received command. This + guides the creation of a derived command to send + downstream; + + 2. What set of downstream Consumers should receive the + derived command; + + 3. How to process responses from the downstream Consumers; + + 4. What information must be collected to generate a response + to the upstream Producer. + +3. Generate and send commands (as identified in 2.a) to the + identified set of downstream Consumers (as identified in + 2.b). + +4. Process received downstream Consumer responses (as determined + in 2.c) and accumulate information to generate the response + to the upstream Producer (as determined in 2.d). + +5. When appropriate, generate and send the response to the + upstream Producer. + + +## E.4 Notional Example + +The OC receives a command for software bill of material (SBOM) +retrievals from the upstream Producer: + +1. Evaluate the command and determine that it is a valid command + under the PAC AP. + +2. Interpret the command: + + 1. Identify that the command directs SBOM retrieval, so an + OpenC2 command conforming to the SBOM AP will be sent to + downstream consumers + + 2. The actuator specifiers in the received command identify + a set of downstream consumers by a network address block. + The OC uses its consumer registration information store + to identify the specific downstream Consumers + corresponding to the specified network addresses (for + this example: 10 downstream Consumers). + + 3. The received command directs that retrieved SBOMs be + stored in a data store. + + 4. The received command indicates a requested response + containing a success percentage, and a pointer to the + stored set of SBOMs from the specified downstream + consumers. + +3. The OC generates and sends commands in accordance with the + SBOM AP to retrieve SBOMs from the 10 downstream Consumers + identified in 2.b. + +4. The OC receives responses containing SBOMs from 8 of the 10 + downstream Consumers, and stores those SBOMs in the + identified data store. The OC receives error responses from + the other 2 downstream Consumers. + +5. The OC transmits a response to the upstream Producer + indicating an 80% success rate and providing a pointer to the + set of 8 SBOMs in the data store. ------- diff --git a/images/Orchestrator-Consumer.drawio.png b/images/Orchestrator-Consumer.drawio.png new file mode 100644 index 0000000000000000000000000000000000000000..0f6d8241d9fa4ae1db68964a5aef5b889138cc87 GIT binary patch literal 25758 zcmeFYc|4Tg8$T?`R<@zVl4T5v5@VRL8#89HjTyU&k9Ed6ma&apiAl0ml0>L1Eu;mB zLPfHLQkEjJB(jy=bEePt`+9!cAI~4p>-p<>y~^D8eeQG4bzSE=*SVJW&9bt@3-C+u zb8v775D8cc2gj~V@PCJw8$7x4MIxx`B)85m~%p1&()6_t!YG{GSN6ZK|7Ul|Y47m35_Volmcu#j< zI=c&o7EJdCPjKph3^i2*N?S`+9gYMo)~;Tz!QTJFIBa%28LrfSSs_p`YItK?9||7f zMi0~`y4z_G{$(M|GdRSX9`NsL>PS_DDjhOGk>PlAos7pt$?hKtN%L)(vIQgp&5cOu|lX@ z`Fm-EJ222_Ka{750^Hck8i{qa^hBC_Fz6_=NTQPs8D~RQrkmUPsN2)XT0|mA%h#K%X>A?o z5y+rWP1V(neJmp!eeiZ+SUMeT9IWAn)N%_AGIjOv$7#^OgyB|TA}`-aGe;WIC!D5< z0!!y>>l+aoVob6OLpiy5U`+}3rr;&IKf%GA7~)MbRtLn>iS~YQoGZegM8f#{*}Its z1cy1fd%4?$p~Ec9HLb!45o9edZIpH}0*AzVdEuN)H7Oy+SesDoNHDFFm!rLwT`$xp*q!wrw7c%bdECU(eBYkOle zR{|45B|Bn_eXYYx!vcbWJ^dXcyfB`=9*!o#2zBcS#}Frqubp48xuvmhq@M+w@lZ`; zq_(XO(ai&e3=c-*FUVco_q-|;*0DedWpAa9UgK=;OHPYJ8%*@u^$JZo+=;s|_ zY~$hY3#TE}{NOYTYZLQeim{`HB|($Kq`UiCg;|A?d~h^(Q#CIOCk+CF7={fnak9|% zwITaCT04YOG(yb-ZRq9%%OI@~6vjTl%+}h>MkB-uhb4rg!h_5(w(fLegrhMj+|N7^ zNQsVSSWz_*<^(u`y@`!czIZA*grpg1?CEA5?uSH@f=OQ5fMSe>KQcIgh60yFGkY}M z*ObPj`%=RLiKrl~JqhEag|-T@w$?^zVyKbfXhbB^%)(ABg3d%yKo_$BW2!gPUMtYm z!NK0s+r-+@2TW#5Alv$z0EGog5gLXvvmtw^0~=#(gK@Ahqv6f0i6p!)))nm?Y)vDo ztKls1;pR?SA#m$3O?;>i-k0j2?jML(v()nR#i_w5?lw3E+jMw4+7OYR5qJ|TLZ}DL z#(}I!BWrkDXoq+?n)yVydLyw|YNTn1rmv}uH6s%DcSbWOH+!Z#9dG92;Av;)=)tge zu=lmMvuENRk?t5x&0rLRN}*$HA_B-70VXEu>hA71te+o7~6BfIHgWpM=G*Es75&h~j6Cp}4~d=H6-qf_o6&-PTFnl;#_*ZEd4zV~h>4 zHVZPwlQfLIL(wEc1T)0b#?zWaWngWI8Wz@cPh%}JxLQyoUCqjeU`Dl7Hz5U?gfdO- zNS2OpD|cH4bOc7T^Fcp7LDg2V&LiHJxXUCYtYRg3CIuvf!| zAV?8D7zW+JlWLC&*EIEUWB}_&qB>ES>JC8;pa&9TiloBbJSbY)T4B}%4Y(UhE5O{$ z$u)rHr$q!hit{Iu{J{^}6Xg>II-pH#m?SS0S`$1o@eDJy(X=3&l5i9=G}0R7>!@FcpWn^{DpD^{*ttfk@L=D~0znObAR z>}|bClprrSQO$$k80=wUPj?GdbM#dwF|0i4T0RV>Ltua_!wm24V99hsnJ;gVK~U5QZhn>~R>4fB3CT1F4XC48n&FKjfOZ%M*o2wEgFW1WJ&m30@pNPW zJ;d78*cz(J zHD4^<)Gx>aoM=`Seq^7(086rmD^1%<-46o~@(iMQ*=Sounj;aKX8vYOZOvc@&u~9W z^#FAm!W9t|$W+5pO*~0K>Or<{U^c)SF*w9CfQSn*3DI;91FK_fVU3~U;kG7Wb`IuL z6RZ{4%OSuTO$4uEeViC%s;w)yHnt{VLrLt@%hDmhG?GCvGxs)QxP^!Kn~|*j7$`cN z4%+CZq#$owD@%1xA3Dh^7)c>}5$S%605zP&066#|$;V=u1| zcbiZTuL!1=D}siy3)2Xtkic_aWMHT^o(!%6aZauXJQnXAhy=24rO5AmgedX#t0gi3}$9vQ;@xp#7<=~LzAY#!r5zaqj_Ey@yy8Ij7f-2M#`?lNE8N;clE{ksG zMWyJJz}-t=A~>TUMhge@h&f!Y{)~DOHy1H6Q)CaM`$eImb;jyHTz%*FndY+ok#ZKd z5f*DP5|3+ksi3b9Je?n*HZtdjhc^aopUyp>Tz0=lzc)vJ5PQQ2`-V?Qn1j=ZgO?*g zjQ9ErSnwt)0=6ftm6I!;L%0;dsdPP%GXbmolhaC?mt&V~hV-rs0&_M)lzn3r$z=q+ z9KMT#gZ(lgor3_=4{POP-<0Zc%4WWO#=*hC3C1qLbHK8sb;r5bH#Y1cCQgHF}eRCNML5V!b!SR>WW!`w~d-vq) ze{bG`A=$A}<~fdltz&2*@DlU02RMpT9e;ChPW7WAD|1{az_zoG=I+|mIJ>KI6y6L14BKxJk2`gGaIjE&vx{2= z+s*-Dy)J!tv^zz`m#HF_yyNJ4jv!|Q%@npp?ve-!^{1ct{>xDEuJG~Q1eiqe+uKI+ z_wP>Mvy$4TCW%9nI9OO?n_(_mOaJ5N0@s>%{3?wf?UT)!`tl4SY}VnLL5xo5j}P}U(K#nvEG4!43Ts0qDNElwtRtS+~po2pD{FFHi6e@n`Bzr0WG8(|Bz3(?IU6Xzvyx;jHdLs%jm9F}E3b=SxFO z)HPI4(dsjo#@Ix{#lyNErs85ysVtAq>)M)-?%t43)m|NtP&Fcv)3GK{Ze_anj-5eV z*F&|JReoo9gaR&Y->vS1l=K7YaEl&l&omul77TqkI*7s<1j`reR(DUNq4-!AB#{@t zcNMtg>AD7g?TlR*do}hHCNkWBh81-_=IY4p%T8^#pY*+owfU4tVD-)qR23i4uAMsr zUN_&cK@j8%IxDL?zne#}@7%rRo25q}qk^%kzeX+U ziH9GKomi36a3mdKT{xs}j8)BI7(w?3R4SASLXPr994z0%$~ffpzF0JL&bTwTMJ|(B z@xo@&;fY`FA$Y1ND;|4_MvQIeg)9s<h)c|LzY~bBW)e}3x zi%$9BHS04KdFH1oxWx9eS|3JaIp6>No|w{}z1X(jWH}%S@@Ju6C0W>99on|MvQR^pP(t~dODy60NjL%K z5}mL5+$Zf2%q{1cUB}L>v0(#3Hgna%R@Jj#LY>f}dho%uoli-z(cVVTg{tyXroe>d z4k;%A6P8;%SNVqzTc0IZAv>hz7(^)&Ihd^J<8z*4vrFKC5p3*SzG)^TtwwBsJnbS9 zzf(KPFDrtawK;!@)^h8`MN>4?a*cz~ax`SW%3V6FXkIjvcFn-}^c>HqMbhG_3b*5v zc>jjA0vS6#>9CgTDGxq$l;+UWP_w_$BMSHDy}CFL6JUFpGLtJEJMRkJT#lw-XRBG7 zkhKpf%>=Ce#GmC}(w(+!rPSiD^v12zf4% zLQcnzK3b=YRkq(p-P2Q5n1ZUPCa0H9CWjAHJo|AksAyl}>i0PD!b%+#LW|GRC6()d z4pr7KzPh2c3hJpeagEzyFU4|-w;$l)i>r`^4z=@G9mbR}^OJ2~VJb(XO z=-7#_PVeJ^ja7IGOii4W7nB#7TmCaQtP&us$6PL*%J38uVXTQ_REqa*y~b=?%5;_= zWc@mbv9kMDozjROJO|HX7K3Tt5%m@_4 zT%N*}6bqu;nniwO61vf8?~_4iPS$GQ=b`>Ru(A6;gL8)PkWoIyMbtGUT{@+}A4Zvn zs(eZJ1|$a4D-~=x{@pYy_e7EfsAW&Oi6yh6cPnqIUJ-|l8LKS1;4)Hnv@Gw*5lTkq zf@7fiQ*n>0KPr7Vqc~!J&q+aXW`(sK{DZ$0XTq^Pc}^uBJ5*_X6ewyAr>^oI7HVR*tjL{rws$LKGu;+&{%L=;ROEls zQj!1dtrYC3>}>a#77L9&ba@H&R5q{tPMCIL2pmJ z;@=B7dVt<{PFv()3;LoJdW=xwP)|PT&gMFT z>pxuU^4!?R`$)bB2_MJX>BMfLtSY6z^b_2P5dqM^sbUOcd%o*Vj=>+uWA6{IEfi!m zg;NrMhsaGJaB^iq)wa^65#Kt*5kF_W5zmL0OFm^v^P(6Pc=cXWfxl;P@?hQmi}4akt#3ur!~(c& z9Ats3$N3UxyDeXcmrKEIK8@_x&6`YJ$E3<$zT6sR_61b2YJ_ z&3%GE-T+4vBBN5m#d(vrFV$E$?L|;D4#>Vb^yW!d-cmB*4Jou_>Ev~iui(9#Xn*b= zGrUXDaNNjokC&$Rn#>c=^BV(C6)e$f7cLL6_jQiGRaJo=gPDkLY2t{jj%mc!>@?!u zFv2M~kWalwYI{oUciQR?{>y#)U=(6C#ygu=4gITmTuvq*J3fi_ws@QPFy5#K95v^0 zQY*Hc32KnCvx`;_DQx%EGvLTcF~Dh222S4-c)>>pIZMBoafQWJW`}J?@`SG09Gr=! zP)~%Or5MEnSNMg{U&q==RugpU>z0#ed%_%Gq_4Z#o;2`-C4g`4GnFC2zTp6p6^)=fdL>4vNNe|mW93catC zJXZa^BQN_Bb+|4RYB>3gM%(!P6A`n{sQcBlcl!4r{f@Lgv%4v2FH2t9Ql(d$E5?mn zMPe(_*CT9l_8rW@UOjSEI3nV_Za^$9UE0F^&BgusQBMPgxvGB2_qL86Q@p0`{<{0^ zWfc=0#j`=*UiWOSEtO%C1re@ITs~hK^ewKV$eY6tTnx$Qu3cl6mJXY;pV=uDpktJJ3=1ZocTiB+XGpA&ct znsne2nG=D}^tTXALapR4fTFnN0-zk8X$1$)1GWR-H5=ko3ZDWFK> zyaCcCA<2#5^CP%SZu~*LppN#~iSf19X_BvYvi`YW`&~l)(k&d%F_-S^Dbj7FA%`Bu zD&Cc(*H=9mx=LgzEsC%Z4u`4KiP5biy*R*>mXm_9;#_NFEXE*9Z8c6&M3Fz%?yf@* zZNT*KHA-^z_+)VC6;tR#^BCJ4soPnY)2RoJLn>-eraD{8y?Me{E_jv0mBtEBqCI3Y z_<;^956pImX)X9aXvx?IbU6pmT;ung;}aTsLtJczV^=$P;1D32!ovj=w^AG!u8t20 zet$Q?f14&1IZ?Xp7SGT#<6wtmxu26Vl7;M&ih}ToKq3->p>o5NKkJAj`VWXA^KZBW zIFC=%MoOJ;4LVRXIVwedTeVA9=eqvfA;5$FytCS{8~l69ozx7hMxyHcWWu@DW9{rYu8Di9N)>GXV$J-E5zx{&rSZ&FC%7SRDNE$JBQTazV zKDo44C4Z{V>(2Y-u--knQ?RD-mj%x^dY(P{QGdGcwqss>3%b^*&&x_ zCB1ia$Xy5Yy*qAdB1$`CnQK$+kA8GLYYFe|yrG!FEhPMF50Lb$EBkcx$okHwrQ<-{ zbmOyNkRAT{mX*F@Quw8cH}&}ZdKJ>VK69B?>^?r>c=CDFA3;6E8|hdw3;pHReQ8YB z;>=n1Dx$GTc2DbQx*!PBhVNTTo;MM8#3!Q}=L&1$D#ob=$!8Y2j}q3D^SBQNcXcnYg7uJ1K~FPf=3M)3Y)SL+6v*m%n{o(=~85 zn7SI#8S-a1{G(#~O24~7CyRjOKMy8$7;2Su@&X!=EBEd}d=0Eg^ow3@r%-tJ%*-+E zORqN6mYc=;j2ZJ#Z}t%L%BSRh$MSPq5#wX;&3oV_Pp#E#3F$6yF=v# zwghKLTTogd`T~TO(7oS}Gzz5++_BWW zSQhjCBhOB%yT->}5D`B8=i=f-t<1-n7)&=icVS|tUEyQobIXT z(ck)XXZjK8hFyDcj!Gl1iVQ5v{ftph0{h@Sbd%R66MJaiWkR2&-raB8Z)F;ce~g^` z$n_@MFbIBcd$51`&%JE}v2Q$rdPX}BH(Xl&pr@M&XM1_tc0G?5-Q;$l1DtReC64FDx+z8u`dS+cObsUNr6K z*pN-=zRsIx1xYj&&UsRA^RBqGC-nmF$a)<8)wP}OVT?jb8I`oZXD?pChe4*JRA_>G zGE=B&-Md1;nRlq{m`DWynq|~?^O*MdE&Sn?bC-+!4qQSWnczI#?@eW`w59OE616kopJTJYJjCvDhtK6% zDHkA?-eIQMwSu44+WRRhyh?to2U5yWJH>zUj_tZqBB%5V4V4uce0De^<>vuqas%ix zlF1_wGA)A3>Np2y@|~wJI8Ro_B@DEb(i8WE?A=GbJn)aQlP000=v;d7lLs&eKHQ$I zn2)bN3qFG#dVG2=>kKwHc_3nstjM>Fq8GeiLk4EDE&ZG}51~aruT~X=@N5M)B*5^2 zA<7c4EYZp%Pv+Vcza%h+RwQTtabMzH#X-M|JbZ@zcw%(%<<9JHVU72Whgs3TUh*uz zRe8|;#D8#V<)h1;;b-B!;KW96{F%QKJ`$OHQA*nwpDuk%$Z#`bdoic6Tgh;Zs54!X zJvE+9y8YqaNo(N2O~2FVD*63$(E5&LeyQ)r`;58TNeYN~I|?Twj~XD{PNo02pS}Jy zZmvkiCAfkx4zhB~eb%I&>MjGbF2fzY=gaTS`ik*FJqvN)H41J5H`llnz)b075?ewsppG_V-|1I$xBw&`m z=g}$iBhROcQdNu0RBO+wKAVN34I(7uzhdOMSv5cU4OR=DO})vfXFwu1em?b{czgMg zSBC^Rv_($`z1rW`7#CN!I+i+}xL38%tK-_MkBVMzo0EllQ%^Jyy7d1@-E(Pl&iG*8 zxNa+fpb5up{ct%rem0p)-TkWQ4XXp3zZxHAknHH*utgx2?%hIqM(GCYM+DeuLLq5$ zd*?`nm@&};!tI2FKD}eV+g-M^z=2}1vmmpB2D99W+n$U&KsLQBgBVjj*%&=M8aFX0 zdyy+CyH%8=hXy&z;+T!!Jsrp|=E$MI-H-h~!7tuTDjAilOqOP*#IE-iP@aYTq;0M) zBo39Yg8X#P%ur4nH;=Y}b=4-VXt$!N+=zp${tRC1H{n7iB?ouVTdgWxmg00D{ z=)#AG0Y|tYL2oQ^U7cg@#7^x=sr6==?XSyHgiC9&8-rio8*YCye1AhfYKp%7onDls zyQVKumF=~JqpcQ5-bP5Xeq}i*W+m-CSeIbLeKayRxWFKW_U@{>xM>wqMWX8Yld?pQ zUxvuLe%G-PSCjvo`4wr?V5oQMO-1L2`=@{0DyOwLU+WjY1w!wuZ&9pA-o59-=7xxO zZZOLwc|9_+gu*w+4mKXK-2Zz4E&scxd~S*haAk)ho)!A>&DP9T=TUm`eed4ewXQ$U zf;@;4*S@wiD94TlKQ$mpTtVbY*52`sB-<41NX(zpL9pi!N?5q-C!b+nstd>Oyy9p} zgaP?vlMEbL+9C}bm9c&Q~XwcVMFQ6aF z>%JolaYdi5ci*BKZio+uemp&fa2vTCyS+Avd^tqLKP4jPB0xbxFq?QftYL_?n7Jv5 z40zX8Pz{pVWB@GV*!@Ld6IegI z=ryCF%*cj82`+dM#Iz53$GY2 z_Z+kW1(6Gq--^=>iVnI&XWodK({^f%)!+J#Y!qqURsZKqGLOO5H0jO#Ua)2+$hk*I zzX7Z8RlG&W@>I{~`g1xiP0fT^_eBkDtd?5~Zyh*`d=J;p+9-&dgWLc)GUWTavdpX- zinJ7>OvC$~oD#9VPZd4(Lv^d31e_;Rng~5n|I7Gx>+!JNZ5iDMcG?S#6&_x(get!s zDqYhnrxwIqxe>P=sh-|M_no{Eb${USNR>N&4EL(pyxtTf9_(7^;Yv3m-25;1CCkJT zhFHH&9+u&1YxdIHu8;Z?P?fsfZ|}07?xNSYFmWO-SG9H=64Yt`ndMk;c=*8Z*gLsE zd_7~Df)?HkWV{@gRccdk{UsUOy@?*k$aQ)OQ+j-A?fZ!zBTxKKj(0l=vsyRb3)L>k zAOoa23Je>yuy@)^MePQpSm)C&oNGGA?LV{Pw_up3Rz*HgLBR5)%M3!$($%q)y*J!60HW#KRE^ z@_0wb@7VJLHo5&u{tJzFnX5NIbkWm9l-laPiE-QixiwQ>N;Z8}PCSznwCYvN4)shRn9Dhk!N2C*!*yre;#{rp%ZkT1ka zKl)r=ow?)K%{gk>)AU=d7MEFR6`qwnI}c~Z-D5KdxQY)UjLUkfbZ5EOhjF<=GLlUd zLnsLrR1`4=Kb}-K8W*q%0{7zlM5)tCLXLZ6?ojN+pq^jljvM&k3|3mX(on@AvQdh_ zk;(n4a!i8&lkY1pPR``9cg2W7Z7=tvlrx2M3q`05L65Gp9GfRZqmw+jSsrJv?TQ9* zwr_~EISegCqAexa?dIM`TU==tGBno>pYvN>1I8SmuN$s)V|yaU<$&lWI^9%}eM~>K z-|<4|K0Fu?unim;0yeuKZM@Lktz_;l4Xpl`wa#$b@7YflS*K&yCdO(GZbdG(DZR=( zw(hPRqaS(8vSCC<##1HQ#Q?~9(O($PnL&`cG*gn9$@`#wtN?h4x`$bh0*0N;YnFtd znHM?}W^=*m>XG=M@*P+ls~;gySC6J8VKl~0yn=LDpJs_w5UNcFV%T5b>cP8fwLnfb zM3ozsCGxeh-x2NM_HE{_>|#d7|3LyeJ_RYJidtBCIDZ*l`hIrGkYB6P^joD_?C^!} z_}~Ag1@FHs0{Z;&!ndh;&OEYl%_1o9R`jxN+X}qzW_6)xZ0N&pn~S+R zq2;UABki4k3fsH-qWV0Uj{~+YsNT<`n~zHxt#!8+Zj5Qv#ohmOda3c$%gUNSplaX1 z*{?c%W%(a;?u{;Z_CecerOCHD{hjuPd=5(YQ3p--Wb%q8!DLqAaa$TI4dJJ+sI8r8 zRVp4lm^G}hqrxR@rm_ogbpiMpSpn;rvt%!UXD^P<=nNH}x| zYW+;pq2t&Fso1d%<31%-R_nzAzB4k~Ew6G&3&q(4{k4fbj=)!`h;p>UeeBYIX11N9 zd+2~Y2c(TA1uVV7aF!r7X?XC)CG0@V@&=}F^no7H1Ju_OMpXC&U|Cf`@=?ctpI7w{ zKWUtT&$F@p$f!V8seYN8kldN+uXt5beO-twpUI>zl0VLx8fPvEM`jT+Hpyfwip&v> z=f2zaigunK1R!lG4L}Ij0*F^uU+0VV%v+{IMZ%Oc-|}6{=~jAiruBpmO2s_(`5ZI6 zk;>Q_s($u8u6DPZ_a30Z=N3NoobEe5=ha+OQ9YAMc;Ngz<$i9F9PTMJRkiAV!roI`l{}9OWoaLodySET2+hN4_+Cz-BH;mYo^Qz zmh$Xhmr=aq;_Mz-jvW;akKMNMSa{-8b@9gClelX6s9m7q#?SG|Xg{D_c71lr;K!Ao z*;Z!`5D9V`X<6+7<|f5Jx2~(s^Iwaw`QX16q3Hk9p${o#ifedvgJ@!3%6FWI!H-nj z>^Y%zWd%^lZ`R%I;wMUhzz?frxX1W*g2(1jSjEZ!kF6sLXF^$QHSf z215{e-UNYq&v;w*bDRBX17_7a#bRJ?YjGtJ#f*?n?d0uW$%a;-v@~QSmvl)tY__l~ z`n$&R8^dj~Fe_b1qAJ}k6t4s#tS4|w=-uD{iQqKuIaa?G5Tg*ZY2C6j!_Sa0f1Z7@ z$Q(>NMr#QeXtO^Gjt2*=gAmvL2X!;bGvLe_4(ZYlkj*rDt2qC98eauo{2Aahu7U%nzReNfTCY2uzPBxc&IkZtpw!I3fLI;e5t>Vt@nc3_wbV zzrcKW2h<3TaUkphF-hN79>djy8vaXhOZk2G^+P5*Z_#6ZoE(#|-adVqC#^>L$`fnS zYC(Qj&n@M%*qZk_&P?L0%qVi59=9>b`1$ywQ+jt->~D>_ANQYOxn6CcI}LZD|4%W! zD-7BnHO5k+jnqdzqJJ@{Tl=0jeNHl<@XGO%SBhhd?tvisCXY;X20KvKS$e184KfRi ziOcp*@-CT)g(3%8S~L92W_?f!j<1qRXd+_A7XA-uk7GJNNYP`WNtoX`jhjhVhd>d~ zM8)oIAwBw=B%{{?*>fw$*{SB3mMt%&s!gIldk=`{JIv%o___w^jTUSWRFo;ZfM|az zXwS<0mjcy>RkymYiF->yE%J5dCddm-y*lVp0=(jjA0D`n8rM4LrKAFbmMFt>`^1e4 zz(S^doOVl~wWvCE$m9Zr7~zhoC8ZMqCLj_L1gF1bnH0+9(jdv$(z^ssIi zJExWEs_3lHUv8`7(^Ir3KVpmpJ3I%D|B_;S`unK)=Sp@-3zeTno=16ue3#q7t%?T? zrtFYqNzw(R%cir;R7EDEANvn}5J=sB1b_w-{wXe31PeVB$Pc{YgCL4NyyRNdS8BE<$n)1 zh5g{!sU9?-==}c}ivO1|6thwh@kY74zaD>#m<8wox2G|(r+GP(1rHZ3br}{oGp7}N zdT$E^nx=64GUGjzl?-Y=2_Y!f3xI?123a|T|7XNl;{puBv8vF#x2&06t^9r%1f@k~ z)_1hBd_cGh>hYH-Fnyr5X@_;~7=54su42OdoD!QlH&m;!K)+}V@q=56@$Gb*)`!3kSMV%ITT4Vqu^5t!xUtPLomP4tqyGH{k zMq?hu4p61%%?Gv$*Ie^WFrx1%Z7uYEPwUnn(S@!KBy!Uu#yls->PFLo*%6tnXUQNz z1ppn+*iJ{I_7>Q{dmM*i{tP4jdBM@cTG}z!s-|`wkg&X==g8=L z7`+|ae&u-4H!ovU;Me%60fp&bgIj6H5dx@>GSjYuxUL(fOquWu&X@?wS6(Osxd(V{ zDeRH&M^*GW;ERdE7ul#nf49S1$8|o^&K9405R;YyU@nWR-#!(I^iJIRHEg_KCMWZ- z=3g33GI_&ihD3(Kzr++}+ZJEy$V0Nx7g(;BXJ2$p8tz0cY)s!NxNmY`YkftOt3=SY z4EDZ0a!EqjM}o+P6ePE?SY`^k;%Tjk9?NoVW(xe<&p`IoSn&hCpQK6ZKFPS>lX5}A zL&32a%&xFJ{2vLi*b;gMT-@;Sht*y|{eliZ$Jd^{Nq+1y zvN^Q=PGUhN0V|la&@Gltc&;r% zG=?jWeYsAuTs?8B#;Q+&SOPr9BInrmIOxnt#+!?W_hf>yNY<5Oj?itOI8Tp!X*Io9 zSSn|RaI32qGpP9Xv6@O^yA)I9759sBTw*^Ri#@s%zkL%j_TUEs>fRjt9mAauvg0NbjPO;_Mib3YV zvOy3?{epxX&@4&A0UhtAp84foznaW)P;i%DRk$S7Hq6E^J=s#0(+>~Z45S`hfe|Gg z?4Fm(S+L1G!ok@{u+{I+3gUyTv2Y(n-j8<1ElnC0{#2P7|TU+B_uBdQt2| z>Hdr0soQ*MI9G~t7{F4L&nynQe%hPqu1v_68-4K z$Q-3L?!&{KZ%ZYmCd3`2PM5xU{-a>&X8NMDm}dSZYsf)*%B4F(lDh;%&g*x?M$hQ?lj1{+az`txHOsupxc0O+Rm+9y>WIzxC^NW$|FTwEpL*`;gkb zH@d!OMJ~IK*}C!SOp)KVHRk?f({yzAkMe##NZGYlOT7nSSu#&@%{~yZKgaub3)n(> z=D%6BcQ;mq`?@~gEqcps=CB-GdGwq4T>X+I+j(rcnXcowrz581@cXy>0v|g8{HQzE0R+WdB~aYnpYOgF8@A*x1zX{6`0&n z0)22pAQgN-WH37wCar3n{C+%WC7SwdJF?prln2!#mFny9`W@E^t{YP3c){E4)dO*I zPMRQp;@~&=7c}t@^Ig#CbiP9J!wA(PkhoKNedc07j>@xfHOGOOW1;<*E%(iI=Ugio zB~|NGRI11H<~K|)9{cT*VkZFN=Kji%Q74>$H!A9+-ni}T;Af32LbiEt20 zk?_Kp*fQ>Df4gh!Z3pwnA>I}Y*cU=dB@g!{0JVlcw_sThT+ce1K)(1G9NKp^1-L4} zxd6+H<7o6-mHYDsJp3wP35|~t{Pd0+(soV;6p8_wukbx+Q1*{4ek%`A=U3w2%^3jJ zCaBp`mB0rHdTE+brN?Dn5b9Z1f2lPdOW{oRvtR=_j>a45bD7fx5vQF^f4Ev6RS0b5 zh9n4qoydE2ZrLIyhae8)=KL;V1ap(NzU08cne;P6ZFo9Q^#R9S@*d$*KpNNfD2y{H zZ90$r{$$CD>?0B&CHkRP5@Q$3rggxo-v@}sE{~@vNzUpB>+9?>6jYekgagJo83WCB#Na92Db&BcN3;`IY36vMa92y{>|RWv73Ae7 z$3U#C@OdDrPPV8rQ?jS9druEsr#w1B7)1eF^hUtJb^#6jbWCXT;b`)Z3_yn^AWF8 zs9t4dCp(1Aj|`88l+fd0^k}!M@JL86^>nW4iCP>KuMZg|{sDF4QeqoB+{u*3YpqF5 zOUe=xyFiwJ;?&vTC!2Xl%Qd5KGM9Se=JwVGvaPLP>to!OeRfx7!>+9Q1(xgEapJ$q z6P)G)gHB#%xHy9o<1};nmWAo|v&IeGvH4}5X-Q!)=)$)**8d$e69)Yvz3PAL7-aM* zd<(tKjjic@D_U^qw)u?~#vOWH{kQ~6YG|SQcoTH*lgrzcUGn;TL+{7r@tQ`^qlZ8C z`(+v&;u(so}m18nP=DBa!}Y6!{28WUjxNDlq|OA?I z0HR!?^W@y^zgWR;BWis5-q#gz(PW5e0mHYSPSH8%@f^o zp8@hYKHilpde+Pcs(!r%-~7f(l6Yv>-&GK@3+CS?vjNE<>^r#J^Gm%C2f@8qZV>F9 zcxh@W_to8n6T%uzG>|Z04+EC}5RT0tn2;Eah~D=&lM86A+J*njm%SP>V(~veY^lsH zM0E+P=_k9^>2-ZQr!xlt`axY@88rm1z%aW^TCpk*U=&3|r0n|(iey9ej$etF`pfA5 z)xN>b`#y6oO@o0>{|kYVN~5->GfTHlh%BUUPfd^iX}C?| zhZW@Cx>0cJd*j;o+qc%P8W6flP&(H}{$)%&hRv9y()94Ng`Ly`d$L(I*jH{Lj6j_2w1TH&K6%0627^9EVKPCr6stU&;ZEHe8i0 z2e$#O>~AN_fM%4O6BPf;F)*ua1Id0dp%1V~!6aY!PcNXNyZk=?U158x}wh~xMx!9_rqY>$|)|1qsQ*; z(Krg=6=!f4rHJ5zK2eXNEZ%IMxJHjQ$b$ZzKXa~-(E^nRu=SicZ&}gH*sFT6>()g| zH)yiL+b?$muD@c6=%vPBxAj~zXhf?8Nf|^tL^pdhoxQmOLTq0*;{|2@Oov~2FwxeH zd1Q1`oQCUETtTpD^JI##k*p4&LnO`SCQu+QMBExT`2qEp7JsH`JF<-_E6cwtvJc3^ zCKVSw2TZ`O5B*#Rh!F%Z@>X52V?&CP&YMkwYag-I7?(q6}sa!DK}C z+wW|`!2}~K@Zq}5VlAMpZy|0=pol^yI3OrDk%Wvha$L)_l0<{?5Vo12Da}Y?CyFu( zX(ev-jB|Blv0|M3{uMbFwspcTU7-tKe>WH-M?QT$I(wWka1fGoph3tO@HL1WJINlP zXMEy5<3#wKH{C9{|IuW`172o2> z&#Myb59_>4VZ9UDX`JVAW&LNE$N?knc6D3-kG>Or@$e@axsp&RA^kTEWcuDTmC$^XgO`& zpv-F|yS2*w4GqAf9)bKuLI=R|WGAwWJOWlCgRo*=xEYqW+68^U*oG^}nBg02sqUUI9qJ z^juYU_cbhZJICk-B4e17CFyN+u+bjMem(8(nmM0-ij#QDY!A8wX z4@Be5mnKdiGX!#83hmsBdsDDP{j%YVxwh2lYi?x@-E6H}rK{2>J6{)+U3)$K=+ZJd zAMGcsa!n1=cqFQ3%3UPi>(+Wo<9bYq49ri)Ihz+R1!@Ac_r&%tkfuG}>Iq~6H6A_L zy83o-?}_@1fX1z`_r;uwg$*$q{3-Y}2@{Yv-yauJ(wqm;P8_HSl3y7`t~MGlVNE+H zoa-I>LP2piPcAcjL~g9~Ofj#fj+LR|ZX7KL6vmobrFQbKU<`|M4E3 zjFiJcl5up-A*7UK&m0^hE2CwTQCV?}uT9Q5_OWN#I~tVCvNFC_jvcbX(Xka0_kFte zJ|6d{`?!C=_1iH%X7|bWI z@Ex2x;WeiqN@gU>UCS~N&Ru{J#@1|QwMPkl=vL9QV z9)b$RU3#;yk$er-C1KI)>+r8YhSW=IJ@gBO+hnm~P~CpFL3QuQxn3L* zWHEg7QE<@B?}J>_uju90yB_@L%D#l(w|t(5T^!HHgqzt+0mh+bpS7}InBW%TG_nEZ z=T)q7-yKFXpOu{2zJROsxf8pjse)k2w0zx#l#i1sSj&iOALBACRYK77Yc+oP2c~rj zPgz0A(@k<3EJh7EEuM?0ha@xIMFw2VRn+Y?MspMWxGtbWywEE=y8%X^wE)sj*+wS@ zVUz6e>=d)QR2qL&AQQzf^i*kCG)dm1^ykCKFVf`S1sNge1ca%F-w=yInH<<-syxMM z_o&-+K7`ZAguB$c%!ty%!*C8K^+H+*S?d_!*PIL5(@F(&o})1}%q(zpL^ z{==vL@0))*078tNMu-0K;*zTTeEDBKq&!rJ4f;ZK`nARS@^6eXX8A;4BIafQ@vAjN zSH8K`pa90VR~Xt`uUqs744Bzbd*$&?OTV~Et$Kqkhs7+S;b0^;>k|mpyP8=VY$ z51BP>ak{_R0vPW;Nu}PPlIhUsM0oUwfYk()m2k)Q9wY3Tis{nQY7}nk_3nlKNX|=b zy(wC7v+mwVOQQ$z(|Qoy-?SL?>$eJnsp}8S;D0K;cpj)JhGyuWt87VZ-5Tpla7*=z6bfcLL$<-h*$^d?X7fp7YA z5ZV!;q$%*Yxdew~i^a?-T}ggax6Rm!x9k{*o%1u;T%n#DMNe>pH3=Fv+M37R1JJzC z+8v;-{QOl`aYhRD@k zzcMz?9fOIJkS}~RTR-v7E?IC*?rycCVd9(p6E(a?mea%*kDmJ%_MiGf6;eL{s6Am6 zqT?IsOn*148N9JioKU`+A{b$U}M~6Ih7B;%LApODvPtMnPotYKycun1A^Q_ zyX;mFn4a~501r{)sHNZURhnwGGMHSENr<(d-AWT1o87;@-;84Eu>D%=E*W%m*pl~F zEL&hH<~M1QQl2_%^x^JCR1{xvxhBF<^9-eX7z+VC7}IW+2X_D#i+tWEUq z0dAkSz0~Io@+~&ZgqYSy0TvqP5@}-b!MtfbI1Q$xndGD)uFTT~3d^Hty`N~tkHnp*@`W1^K8O-ei zh%`MP2jfw4`w<*ygu;$c6$`d^-#nwA)Vf*P}u(NR@$ zIoC(jP=v_>LM3hWTjxAZ`7l=i+IJmvK?fAqARWs;WV3cw0}et7L{Q$(%K{aNCUv5{ zuO=%j#3yT8H4*VTr;Ff+l1Af6`T$*0TBsw(BPKzao;TZkuR zA{n$^W|_9%2o@U?hflf*jbC|uFPaaIvO0n$rYRx=0q zCyR6qkkv~4D1tFV%S(xoO73f`JW0&*JtopOL|n(I%ds)X2qVaEJiKa7?CVG6xJntP zHfh(ir0kU$hSj}CIhMK_qw@OAAeWB=R$snv3v$Ny% zB$VWuRk^(Kgsbx-PF``;yl9ZXi8t(vktGU;Z#3Ruch?J z6)qb2WMaQO;=)FGMtj)q4GMz*+g|c@#x!i81BWz9c;h;xV7@)==LrD9u^0+&-jWYW zer0PO0(QArOhE)q7Q8P`?`l0XhtK}=01gJ8cmx}~ArB#!hCPb>7?JwAj9c!eP#_JA$(=C(e)8gN=~HrRnx*Z~iIwMdufn;(d0NQX z`WEzoj+#F|#5gI_5FlfBT(&YLof2e(iSR!qp1&U;g9tn3l>O1MTKb_r%j!e>Q8P*K z`}X%0Y6Gdq9&}@=!>I`|$+MVG?OyH&!u*Cr3z>GWXXe3z;_v3>_4^dIbtm4~N7cG% zKmWIi?WE8Y9-wmT*~+rVO! z$5Su0VKN*VW-R{R#%uU`ZRqq_ug^=86_%j!<5|31XDbN~-(!gl_sSs4VSc+FK^=C^d5T(jl3?w&fVbzsVEEG!&S$ezH!xk!* z8boOq7ZO9!6=Dl!r0%(PitATh1%*OPYQ1|m+tRfBIf(~bo)bv- z>gZ>lyaS1|psd>+$7lCkVmixiswi8zKf>8|Tz!sfw5p60d&ewrr(MpY@~!ZTYt(A% z_1K+eA@yaw?efI|-%+H|9E-!rn4ppRRU|WE!!6~?MNC1-cV{!jBKbJKiCn%L>bS`Z zGcFUw`Y(k3oD>>)>H=KZ&8QPiu~Lo%@hZK!Nyz>z)1wbYB91nSU0HY~QsJ~ZB6Wn` z+_uMq6h#f`7{KVITfmqTqpvt9K1IN~#>bzE@lzaSHwRp}Dfr(EO_ZGu9#;-CTZWoR z-di&zjzfV!soUmp@JugDcjoaq&)11{ZPL+bnOlv_#db-^)YUBs3yZ!UX_2k_x(Tyl z*fGD<+wFYV_^To4NN4i*)oW9}ZA4Z|39Vp<^?$i~6Odf?Prg#0H=@jCTBiz?kJa1v zbB#l8(lpb3dRHq-t>4#UW2`T)(G_JkJMYmom)%vkV@dsXh^1^;u+x&ahPzrQowAyW zoJBOXCS=xFO<*(C+h$DiBb<9Cy>oc9Gvmko*~4YX+ut-3hS<{q!k?<)0ANz2ZXXGMxZcN2yU0~azWwnCD!j)MBj1V7V_@Ds&j?EHaOXK^`B!C}OPPW)w zfD?d0Dj%5udZm}fbn`DF`u{)r-&cdF7Xau&RnGOK+d?`>l)EvM6AJI?!)V66WT#=g4WO*xHLNL>f-eVFKMeC(4ZUfK+NiZvA z@B%d`>Zk(f3TpcIjsbqp_*>_AuG!>;L@DE>4=}(2DVJ8E{Dy*bF# z=8nyjbIG(LNaEX>{#!Z%Vs&mHVg%r#Vdybj^Hy>dBloao!ZfgVNO&LlCg9tP#C0X( zF}fum2HigwH8;9r*Is>&;nCb)>gQr3JdQq`0uc}DXZ(_Knz+jbPka9a84QIw;*CkQ zw43=&H%5>rOgexKK+5;Gkvu`5W-$})EyFvzY?#77zC43lY4hspdpww@p6A^7)S%~K zfV>wO4YDHMBSa%t5T-)qqaoxY1d{XJ8BGD{X`g%_TB1^grnsM^0&rnuG}cc4`TdJo zc@92x%q{lwJyJ8)00=ys0O(Rvf)B6cwM~=mpcV6E- z9Le`cQ73oJl-F%|7X!-s7FUhpD&<<4Ih0S%c)270MD(_I^KbLIm7+|#$xPAP1`Cc+ zts!WedkAuGTJ!ps!YI5(0a8nIIG?W3x;!SmeO98DeevoGc%V)qpR=Mwl#yU8%h!0j zu%$Yn3PK{p1AQEIHKYds`RNWEv^rEopfI)H4Z97qAsvdhC2{FDYkW> zC)2ypRIaI`>b#0#FMMBCtcP&k|C&}iSZX^XF=xXoI&Kdta_8cHK@RRB-b*cq1RX|sC&<{qaiTIQsS+b4fU)H-*K*AHs*wSg_ z8fRF$JhR$V@~#kALmEdc?oPiNjLebS^%%w`yvt6V-2uc_iKbT((5uKdcrLgGZfAM| ztKz6o{V-Y9qbm$O*Ed-*n3SaB?HPbkWzp%vYq6M>wsIX5REpha!6|~yc@F7yQ`vd> za>Tgk3sl+Lq-=}xu-VxAd`Cp99_v&TO2T~(J-4-YGAiGce{D8ba(6M$A^@=8Irm)~ zYt9xfN5ttM>RxEWV|5T93J!)oN1|`Rpl$jk%25bpa*nnABrgvNHiR&A?Kp5VRfO#W z-feW^kYEuI|F%6~9%>{QtwP!~t+{TNeGe;fn8{Q7;EWJ%rRC=1yYIxLg})fspJ_P@ z4sdN173H^2xSmy5*#~Cu>^i-}GGX@!%bi)CzL|P&*K0{PY&%XH&2+2|bE&5oq7Yqb zFoB-jSbESRdvRt?)06P(MMIVop$M$kmBA5Tws_3H?=n1X%q@*dSR7VbP0APzQF(D^ z%6)e)l;?2D?2=weXSLgo9K;(p#@?iSlySY2CZ1n=wc+s{7v3TD3f;5bHrc5M^u2^| zB8KFqV+1o?Qq@!1Uzqr6lV$x?_)Uc-Lc%Y8`{v`e>ejmlMvf+xIcyO!C`7hsq;QX? z644Nx1j@wqI~dQM#B%{+g?X(}+4@w|s@59<<%s=EwV}UB}jgP&L8blghp3zc`Hy z=tDWXMjU)WEc%0X%$dDci(I}GP*M-r)|bl?M0%%WPI`@f)yl%4FRq9& zJJ0!Q9~cV|!^hgkA9v~%h>MU?Wy)H$#6l01L}A3tH#>{(oVmZGhjmn}zN~jhCly8? zz${E2UcoU%{rcS5n_?|j>gw(Bw17XO{J?Ge<-Ho1jxrko!}zBT**;?tUT215@st-OUr-ESnvrsDAb3RZ-$k!*y z#9qSpD?qy>U8fb?lVU*5L3u$(99;kX6qctG^^si_A(UCH&42i7+<|>Fvu+)#dC#?J zTtz^D-Sy?m1cu`&;EZ!`YgmW6rc42emH=zK*6l}OXx(a>Yz4b?|E!vRwYx_8Lfzcg zl{8>>HZA29B5D_*B4c4trDZP;#O}g{mpm@DxeuZ7TDGGQf}K;D^};86Q^8Zjy)H*| zJG)&%d%bo)j|RWk9g{p(CkS^;i3V-DWDYG%Ysh$&h!cyun5q1GJWj`T=J_)GDA(!9 zKfhpLqP?Z;EeJ%yTfS51s>YF5c!6cw^n%SdU$#g{s0fF?6cG8m6|x0*$qG>4JVIfZXy=qJ zn!eFMSeGAJ^w%_5Qpo$tN{yaOS$D^pp52Kb^#F8u$|AieM&WPR+xfqIZ5-e^PrV}N z#<2`$s6BGDyC0+{Zw?Z?&NyGkPe`_|6rHSPEu*0up*}o=lDhoA)|yklQ!+K5_NTA% z5p?(FA?Jg>`_zFT5fvfX1GY$dIw>ID==vll>bo(+r#wu=W-rYEH-NF~VZU>1$V z^I4fPqcx1rv8A7L6Xl?V@B&Rj!Y6~>PPMZ=iT#S1mx{BWlhP|6@wiQ_Fo1drqb<(9 z_uL{*Lq&+2_tf2x;4mtod;ZDj3va_?%AfWum4u}?DXD{rFV4tNb~(x{1}cA(nOYkvB4Ek1L->;aPD6)O(GiX> z_at>t%HaUFNR7VyyR!xg7$Dh{Ng;m^2-1@!>5k#uC#L&P)jT<(0bg3`dg#iVR-yj^ DYPk2! literal 0 HcmV?d00001 From c82c6041b31fb0ad6c245aab1c7298f2e3b7e415 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 13:11:58 -0400 Subject: [PATCH 04/41] move markdown examples to very end --- ap-pac.md | 311 +++++++++++++++++++++++++++--------------------------- 1 file changed, 157 insertions(+), 154 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 89eb64f..59937af 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -204,160 +204,6 @@ markdown, which may generate a TOC in a different way. - Font colors and styles - Typographic conventions -## 1.3 Some markdown usage examples - -**Text.** - -Note that text paragraphs in markdown should be separated by a -blank line between them - - -Otherwise the separate paragraphs will be joined together when -the HTML is generated. Even if the text appears to be separate -lines in the markdown source. - -To avoid having the usual vertical space between paragraphs, -append two or more space characters (or space-backslash) to the -end of the lines -which will generate an HTML break tag instead of a new paragraph -tag \ -(as demonstrated here). - -### 1.3.1 Figures and Captions - -FIGURE EXAMPLE: - -###### Figure 1 -- Title of Figure -![image-label should be meaningful](images/image_0.png) (this -image is intentionally missing) - -###### Figure 2 -- OpenC2 Message Exchange -![message exchange](images/image_1.png) - - -### 1.3.2 Tables - -#### 1.3.2.1 Basic Table -**Table 1-1. Table Label** - -| Item | Description | -| :--- | :--- | -| Item 1 | Something
(second line) | -| Item 2 | Something | -| Item 3 | Something
(second line) | -| Item 4 | text | - -#### 1.3.2.2 Table with Three Columns and Some Bold Text -text. - -| Title 1 | Title 2 | title 3 | -| :--- | :--- | :--- | -| something | something | something else that is a long string of text that **might** need to wrap around inside the table box and will just continue until the column divider is reached | -| something | something | something | - -#### 1.3.2.3 Table with a caption which can be referenced - -###### Table 1-5. See reference label construction - -| Name | Description | -| :--- | :--- | -| **content** | Message body as specified by content_type and msg_type. | - -Here is a reference to the table caption: Please see [Table 1-5 -or other meaningful -label](#table-1-5-see-reference-label-construction) - - -### 1.3.3 Lists - -Bulleted list: -* bullet item 1. -* **Bold** bullet item 2. -* bullet item 3. -* bullet item 4. - -Indented or multi-level bullet list - add two spaces per level -before bullet character (* or -): -* main bullet type - * Example second bullet - * See third level - * fourth level - -Numbered list: -1. item 1 -2. item 2 -3. item 3 - -Left-justified list without bullets or numbers: To list multiple -items without full paragraph breaks between items, add -space-backslash after each item except the last. - -### 1.3.4 Reference Label Construction - -REFERENCES and ANCHORS -- in markdown source, format the Reference tags as level 6 - headings like: `###### [RFC2119]` -###### [RFC2119] -Bradner, S., "Key words ..." - -- reference text has to be on a separate line below the tag - -- format cross-references (citations of the references) like: - `see [[RFC2119](#rfc2119)]` -"see [[RFC2119](#rfc2119)]" -(note the outer square brackets in markdown will appear in the -visible HTML text) - -- The text in the Reference tag (following ###### ) will become - an HTML anchor using the following conversion rules: - - punctuation marks will be dropped (including "[" ) - - leading white spaces will be dropped - - upper case will be converted to lower - - spaces between letters will be converted to a single hyphen - -- The same HTML anchor construction rules apply to - cross-references and to section headings. - - Thus, a section heading like "## 1.2 Glossary" - - becomes an anchor in HTML like `` - - referenced in the markdown like: see [Section - 1.2](#12-glossary) - - in markdown: `"see [Section 1.2](#12-glossary)"` - - similar HTML anchors are also used in constructing the TOC - -### 1.3.5 Code Blocks - -Text to appear as an indented code block with grey background and -monospace font - use three back-ticks before and after the code -block. - -Note the actual backticks will not appear in the HTML format. If -it's necessary to display visible backticks, place a back-slash -before them like: \``` . - -``` -{ - "target": { - "x_kmip_2.0": { - {"kmip_type": "json"}, - {"operation": "RekeyKeyPair"}, - {"name": "publicWebKey11DEC2017"} - } - } -} -``` - -Text to be highlighted as code can also be surrounded by a single -"backtick" character: `code text` - -## 1.4 Page Breaks -Add horizontal rule lines where page breaks are desired in the -PDF - before each major section -- insert the line rules in markdown by inserting 3 or more - hyphens on a line by themselves: --- -- place these before each main section in markdown (usually "#" - - which generates the HTML `

` tag) ------- @@ -783,3 +629,160 @@ reserving the right to enforce its marks against misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark/ for above guidance. + +------ + +## 1.3 Some markdown usage examples + +**Text.** + +Note that text paragraphs in markdown should be separated by a +blank line between them - + +Otherwise the separate paragraphs will be joined together when +the HTML is generated. Even if the text appears to be separate +lines in the markdown source. + +To avoid having the usual vertical space between paragraphs, +append two or more space characters (or space-backslash) to the +end of the lines +which will generate an HTML break tag instead of a new paragraph +tag \ +(as demonstrated here). + +### 1.3.1 Figures and Captions + +FIGURE EXAMPLE: + +###### Figure 1 -- Title of Figure +![image-label should be meaningful](images/image_0.png) (this +image is intentionally missing) + +###### Figure 2 -- OpenC2 Message Exchange +![message exchange](images/image_1.png) + + +### 1.3.2 Tables + +#### 1.3.2.1 Basic Table +**Table 1-1. Table Label** + +| Item | Description | +| :--- | :--- | +| Item 1 | Something
(second line) | +| Item 2 | Something | +| Item 3 | Something
(second line) | +| Item 4 | text | + +#### 1.3.2.2 Table with Three Columns and Some Bold Text +text. + +| Title 1 | Title 2 | title 3 | +| :--- | :--- | :--- | +| something | something | something else that is a long string of text that **might** need to wrap around inside the table box and will just continue until the column divider is reached | +| something | something | something | + +#### 1.3.2.3 Table with a caption which can be referenced + +###### Table 1-5. See reference label construction + +| Name | Description | +| :--- | :--- | +| **content** | Message body as specified by content_type and msg_type. | + +Here is a reference to the table caption: Please see [Table 1-5 +or other meaningful +label](#table-1-5-see-reference-label-construction) + + +### 1.3.3 Lists + +Bulleted list: +* bullet item 1. +* **Bold** bullet item 2. +* bullet item 3. +* bullet item 4. + +Indented or multi-level bullet list - add two spaces per level +before bullet character (* or -): +* main bullet type + * Example second bullet + * See third level + * fourth level + +Numbered list: +1. item 1 +2. item 2 +3. item 3 + +Left-justified list without bullets or numbers: To list multiple +items without full paragraph breaks between items, add +space-backslash after each item except the last. + +### 1.3.4 Reference Label Construction + +REFERENCES and ANCHORS +- in markdown source, format the Reference tags as level 6 + headings like: `###### [RFC2119]` +###### [RFC2119] +Bradner, S., "Key words ..." + +- reference text has to be on a separate line below the tag + +- format cross-references (citations of the references) like: + `see [[RFC2119](#rfc2119)]` +"see [[RFC2119](#rfc2119)]" +(note the outer square brackets in markdown will appear in the +visible HTML text) + +- The text in the Reference tag (following ###### ) will become + an HTML anchor using the following conversion rules: + - punctuation marks will be dropped (including "[" ) + - leading white spaces will be dropped + - upper case will be converted to lower + - spaces between letters will be converted to a single hyphen + +- The same HTML anchor construction rules apply to + cross-references and to section headings. + - Thus, a section heading like "## 1.2 Glossary" + - becomes an anchor in HTML like `` + - referenced in the markdown like: see [Section + 1.2](#12-glossary) + - in markdown: `"see [Section 1.2](#12-glossary)"` + - similar HTML anchors are also used in constructing the TOC + +### 1.3.5 Code Blocks + +Text to appear as an indented code block with grey background and +monospace font - use three back-ticks before and after the code +block. + +Note the actual backticks will not appear in the HTML format. If +it's necessary to display visible backticks, place a back-slash +before them like: \``` . + +``` +{ + "target": { + "x_kmip_2.0": { + {"kmip_type": "json"}, + {"operation": "RekeyKeyPair"}, + {"name": "publicWebKey11DEC2017"} + } + } +} +``` + +Text to be highlighted as code can also be surrounded by a single +"backtick" character: `code text` + +## 1.4 Page Breaks +Add horizontal rule lines where page breaks are desired in the +PDF - before each major section +- insert the line rules in markdown by inserting 3 or more + hyphens on a line by themselves: --- +- place these before each main section in markdown (usually "#" - + which generates the HTML `

` tag) From 1c7bcf20a69140ee8f897768d5ff75eb81f1b953 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 13:25:32 -0400 Subject: [PATCH 05/41] initial population of 1.0 --- ap-pac.md | 89 +++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 66 insertions(+), 23 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 59937af..33e2b30 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -162,32 +162,75 @@ section in an Appendix below. # 1 Introduction - - - -Here is a customized command line which will generate HTML from -this markdown file (named openc2-file.md): - -pandoc -f gfm -t html openc2-file.md -c -styles/markdown-styles-v1.7.3.css --toc --toc-depth=5 -s -o -openc2-file.html --metadata title="Title of Specification Version -1.0" - -OASIS staff are currently using pandoc 2.6 from -https://github.com/jgm/pandoc/releases/tag/2.6. - -This also requires the presence of a .css file containing the -HTML styles (like styles/markdown-styles-v1.7.3.css). - -Note this command generates a Table of Contents (TOC) in HTML -which is located at the top of the HTML document, and which -requires additional editing in order to be published in the -expected OASIS style. This editing will be handled by OASIS staff -during publication. A TC may use other ways to generate HTML from -markdown, which may generate a TOC in a different way. +*The content in this section is non-normative, except where it is +marked normative.* + +**Note:** This Actuator profile is consistent with Version 1.0 of +the OpenC2 Language Specification +[\[OpenC2-Lang-v1.0\]](#openc2-lang-v1.0). + +OpenC2 is a suite of specifications that enables command and +control of cyber defense systems and components. OpenC2 typically +uses a request-response paradigm where a Command is encoded by a +Producer (managing application) and transferred to a Consumer +(managed device or virtualized function) using a secure transfer +protocol, and the Consumer acts on the request and responds with +status and any other requested information. + +This specification defines an Actuator profile for **Posture +Attribute Collection (PAC)**. In particular, the specification +comprises a set of Actions, Targets and Target Specifiers, +Command Arguments, and Actuator Specifiers that integrates PAC +functionality with the OpenC2 Command set. Through this Command +set, cyber security orchestrators may gain visibility into and +provide control over PAC in a manner that is independent of the +instance of the PAC function. + +All components, devices, and systems that provide PAC +functionality MUST implement the identified OpenC2 Actions, +Targets, Specifiers, and Arguments as specified in the +Conformance section of this specification. + +Though cyber defense components, devices, systems and/or +instances may implement multiple Actuator profiles, a particular +OpenC2 Message may reference at most a single Actuator profile. +The scope of this document is limited to PAC. + +The rest of the specification is organized as follows: + +The remaining of Section 1 includes information about the IPR +policy, terminology used, and document conventions pertinent to +this Actuator profile specification. + +[Section 2](#2-section-heading) (normative) binds this particular +profile to Version 1.0 of the OpenC2 Language Specification +[\[OpenC2-Lang-v1.0\]](#openc2-lang-v1.0). It enumerates the +components of the Language Specification that are meaningful in +the context of PAC and defines components that are applicable to +this distinct profile. In addition, Section 2 defines the +Commands (i.e., the Action/Target pairs, arguments, and +associated specifiers) that are permitted in the context of PAC. + +[Section 3](#3-conformance) (normative) presents definitive +criteria for conformance so that cyber security stakeholders can +be assured that their products, instances and/or integrations are +compatible with this profile (OpenC2 Actuator Profile for Posture +Attribute Collection Version 1.0). + +[Appendix E](#appendix-e-orchestrator-consumer-operating-model) +(non-normative) describes the operating model for an +"Orchestrator Consumer", an OpenC2 element that can receive +commands from a higher-level ("upstream") Producer and then +command lower-level ("downstream") Consumers to implement those +commands. + +[Appendix F](#appendix-f-example-appendix-with-subsections) (non-normative) +provides multiple examples of Commands and associated Responses +(JSON serialization). ## 1.1 Changes from earlier versions +This is the initial version of this specifciation. ## 1.2 Glossary From fa4f3fc2d971b48cbe3f9ac926cf82cf540641e9 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 13:27:11 -0400 Subject: [PATCH 06/41] populate 1.2.1, 1.2.2 --- ap-pac.md | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 33e2b30..ef63403 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -235,12 +235,46 @@ This is the initial version of this specifciation. ## 1.2 Glossary - - ### 1.2.1 Definitions of terms +*This section is normative.* + +- **Action**: The task or activity to be performed (e.g., + 'deny'). + +- **Actuator**: The function performed by the Consumer that + executes the Command (e.g., 'Posture Attribute Collection'). + +- **Argument**: A property of a Command that provides + additional information on how to perform the Command, such as + date/time, periodicity, duration, etc. + +- **Command**: A Message defined by an Action-Target pair that + is sent from a Producer and received by a Consumer. + +- **Consumer**: A managed device / application that receives + Commands. Note that a single device / application can have + both Consumer and Producer capabilities. + +- **Message**: A content- and transport-independent set of + elements conveyed between Consumers and Producers. + +- **Producer**: A manager application that sends Commands. + +- **Response**: A Message from a Consumer to a Producer + acknowledging a Command or returning the requested resources + or status to a previously received Command. + +- **Specifier**: A property or field that identifies a Target + or Actuator to some level of precision. + +- **Target**: The object of the Action, i.e., the Action is + performed on the Target (e.g., IP Address). + ### 1.2.2 Acronyms and abbreviations +TBSL + ### 1.2.3 Document conventions - Naming conventions From 8efd3998791531a542aef2504e28c03751d513d4 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 13:31:07 -0400 Subject: [PATCH 07/41] populate 1.2.3 --- ap-pac.md | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 52 insertions(+), 3 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index ef63403..381d429 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -277,10 +277,59 @@ TBSL ### 1.2.3 Document conventions -- Naming conventions -- Font colors and styles -- Typographic conventions +#### 1.2.3.1 Naming Conventions +- [\[RFC2119\]](#rfc2119)/[\[RFC8174\]](\l) key words are in + all uppercase. + +- All property names and literals are in lowercase, except when + referencing canonical names defined in another standard + (e.g., literal values from an IANA registry). + +- Words in property names are separated with an underscore + (\_), while words in string enumerations and type names are + separated with a hyphen (-). + +- The term "hyphen" used here refers to the ASCII hyphen or + minus character, which in Unicode is "hyphen-minus", U+002D. + +#### 1.2.3.2 Font Colors and Style + +The following color, font and font style conventions are used in +this document: + +- A fixed width font is used for all type names, property + names, and literals. + +- Property names are in bold style – **'created\_at'**. + +- All examples in this document are expressed in JSON. They are + in fixed width font, with straight quotes, black text and a + light shaded background, and 4-space indentation. JSON + examples in this document are representations of JSON + Objects. They should not be interpreted as string literals. + The ordering of object keys is insignificant. Whitespace + before or after JSON structural characters in the examples + are insignificant [\[RFC8259\]](#rfc8259). + +- Parts of the example may be omitted for conciseness and + clarity. + > These omitted parts are denoted with ellipses (...). + +Example: + +``` +{ + "action": "deny", + "target": { + "file": { + "hashes": { + "sha256": "22fe72a34f006ea67d26bb7004e2b6941b5c3953d43ae7ec24d41b1a928a6973" + } + } + } +} +``` ------- From 94bb2c886de05679e0d39169698598d789a648c9 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 13:38:53 -0400 Subject: [PATCH 08/41] create Section 2 headings / outline --- ap-pac.md | 57 ++++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 50 insertions(+), 7 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 381d429..1576a84 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -333,25 +333,68 @@ Example: ------- -# 2 Section Heading +# 2 OpenC2 Language Binding text. -## 2.1 Level 2 Heading +## 2.1 OpenC2 Command Components text. -### 2.1.1 Level 3 Heading +### 2.1.1 Actions text. -#### 2.1.1.1 Level 4 Heading +### 2.1.2 Targets text. -##### 2.1.1.1.1 Level 5 Heading -This is the deepest level, because six # gets transformed into a Reference tag. +### 2.1.3 Command Arguments +text. + +### 2.1.4 Actuators +text. + +### 2.1.5 Actuator Specifiers +text. + + +## 2.2 OpenC2 Response Components +text. +### 2.2.1 Common Response Results +text. -## 2.2 Next Heading +### 2.2.2 Response Status Codes text. + +## 2.3 OpenC2 Commands + +### 2.3.1 Scan + +#### 2.3.1.1 'Scan Device' + +#### 2.3.1.2 'Scan domain_name' + +#### 2.3.1.3 'Scan mac_addr' + +### 2.3.2 Query + +#### 2.3.2.1 'query features' + +### 2.3.3 Cancel + +#### 2.3.3.1 'cancel command' + +### 2.3.4 Update + +#### 2.3.4.1 'update file' + +### 2.3.5 Copy + +#### 2.3.5.1 'copy file' + + + + + ------- # 3 Conformance From c9d1166d340f439faef4ef40ea351450cb41e830 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 14:03:56 -0400 Subject: [PATCH 09/41] populate 2.1 and 2.2 with rough content --- ap-pac.md | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 165 insertions(+), 10 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 1576a84..419bfa0 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -334,35 +334,190 @@ Example: ------- # 2 OpenC2 Language Binding -text. + +*This section is normative.* + +This section defines the set of Actions, Targets, Arguments, and +Actuator Specifiers that are meaningful in the context of PAC and +the appropriate status codes, status texts, and other properties +of a Response message. In addition, this section defines the +Commands allowed by this Actuator profile. Section 2 is organized +into three major subsections; [Command +Components](#21-openc2-command-components), [Response +Components](#22-openc2-response-components), and +[Commands](#23-openc2-commands). + +Extensions to the Language Specification are defined in +accordance with Version 1.0 of the [OpenC2 Language +Specification](#openc2-lang-v1.0), Section 3.1.4, where: + +1. The unique name of the PAC schema is: `oasis-open.org/openc2/v1.0/ap-pac` + +2. The namespace identifier (NSID) referring to the PAC schema is: `pac` + +3. The conformance requirements for the OpenC2 Posture Attribute + Collection Actuator profile are defined and included in this + document. ## 2.1 OpenC2 Command Components -text. + +The components of an OpenC2 Command include Actions, Targets, +Actuators and associated Arguments and Specifiers. Appropriate +aggregation of the components will define a Command-body that is +meaningful in the context of PAC. + +This specification identifies the applicable components of an +OpenC2 Command. The components of an OpenC2 Command include: + +- **Action:** A subset of the Actions defined in Version 1.0 of the + [OpenC2 Language Specification](#openc2-lang-v1.0) that are + meaningful in the context of a posture attribute collection. + + - This profile SHALL NOT define Actions that are external + to Version 1.0 of the [OpenC2 Language + Specification](#openc2-lang-v1.0). + + - This profile MAY augment the definition of the Actions in + the context of PAC. + + - This profile SHALL NOT define Actions in a manner that is + inconsistent with Version 1.0 of the [OpenC2 Language + Specification](#openc2-lang-v1.0). + +- **Target:** A subset of the Targets and Target-Specifiers defined + in Version 1.0 of the [OpenC2 Language + Specification](#openc2-lang-v1.0) that are meaningful in the + context of PAC and two Targets and their Specifiers that are + defined in this specification. + +- **Arguments:** A subset of the Arguments defined in Version 1.0 + of the [OpenC2 Language Specification](#openc2-lang-v1.0) and + a set of Arguments defined in this specification. + +- **Actuator:** A set of Actuator Specifiers defined in this + specification that are meaningful in the context of PAC. ### 2.1.1 Actions -text. + +Table 2.1.1-1 presents the Actions defined in Version 1.0 of the +OpenC2 Language Specification, which are meaningful in the +context of PAC. The particular Action/Target pairs that are valid +combinations are presented in [Section 2.3](#23-openc2-commands). + +#### Table 2.1.1-1 Common Actions Applicable to PAC + ### 2.1.2 Targets -text. + +Table 2.1.2-1 lists the Targets defined in Version 1.0 of the +OpenC2 Language Specification that are applicable to PAC. Table +2.1.2-2 extends the list of common Targets and includes +additional Targets unique to PAC. Targets that are defined in +this profile (see Table 2.1.2-2) are referenced with the `pac` +namespace identifier. + +#### Table 2.1.2-1 Common Targets Applicable to PAC + + +#### Table 2.1.2-2 Targets Unique to PAC + +Usage Requirements: TBD ### 2.1.3 Command Arguments -text. + +Arguments provide additional precision to a Command by including +information such as how, when, or where a Command is to be +executed. Table 2.1.3-1 lists the Command Arguments defined in +Version 1.0 of the OpenC2 Language Specification as they relate +to PAC functionality. Table 2.1.3-2 lists the Command Arguments +that are defined in this profile. Command Arguments that are +defined in this profile (see Table 2.1.3-2) are referenced with +the pac namespace identifier. + + +#### Table 2.1.3-1 Common Command Arguments Applicable to PAC + +#### Table 2.1.3-2 Command Arguments Unique to PAC + + +Usage Requirements: TBD + +#### 2.1.3.1 Data Type Definitions + +**Type:** [add type, if necessary] ### 2.1.4 Actuators -text. + +An Actuator is the entity that provides the functionality and +performs the Action. The Actuator executes the Action on the +Target. In the context of this profile, the Actuator is the +posture attribute collection. Table 2.1.4-1 lists the PAC +Actuator. + +#### Table 2.1.4-1 PAC Actuator + ### 2.1.5 Actuator Specifiers -text. + +The presence of one or more Specifiers further refine which +Actuator(s) shall execute the Action. Table 2.1.5-1 lists the +Specifiers that are applicable to the PAC Actuator . Appendix E +provides sample Commands with the use of Specifiers. The Actuator +Specifiers defined in this profile are referenced with the `pac` +namespace identifier. + +#### Table 2.1.5-1 PAC Actuator Specifiers + + ## 2.2 OpenC2 Response Components -text. + +Response messages originate from the Actuator as a result of a +Command. Responses associated with required Actions MUST be +implemented. Implementations that include optional Actions MUST +implement the RESPONSE associated with the implemented Action. +Additional details regarding Command and associated Response are +captured in [Section 2.3](#23-openc2-commands). Examples are +provided in [Appendix +F](#appendix-f-example-appendix-with-subsections). + ### 2.2.1 Common Response Results -text. + +Table 2.2.1-1 lists the Response Results properties defined in +Version 1.0 of the OpenC2 Language Specification that are +applicable to PAC. + +#### Table 2.2.1-1 Common Response Results Applicable to PAC + + +#### Table 2.2.1-2 Response Results Unique to PAC + +The list of common Response properties is extended to include the +additional Response properties defined in this section and +referenced with the `pac` namespace. + +#### 2.2.1.1 Data Type Definitions + +---- OS-Version Table Goes Here ----- + +Usage Requirements: TBD + +---- OS-Arch Table Goes Here ----- + +Usage Requirements: TBD + + ### 2.2.2 Response Status Codes -text. + +Table 2.2.2-1 lists the Response Status Codes defined in Version +1.0 of the OpenC2 Language Specification that are applicable to +PAC. + +#### Table 2.2.2-1 Response Status Codes + ## 2.3 OpenC2 Commands From cea561c5c42c9e56ecbe9e580680a3ea439891f2 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 14:06:08 -0400 Subject: [PATCH 10/41] fix typo in appendix E --- ap-pac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ap-pac.md b/ap-pac.md index 419bfa0..d49a093 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -773,7 +773,7 @@ the upstream command. Assumption 3 alters an OpenC2 Language Specification (LS) default: [*Section 3.3.1.4*](https://docs.oasis-open.org/openc2/oc2ls/v1.0/cs02/oc2ls-v1.0-cs02.html#3314-command-arguments) -of the LS states that if the command argument `response\_requested` +of the LS states that if the command argument `response_requested` is not explicitly specified by a Producer, then the Consumer should send a complete response. In the case of an OC responding to an upstream Producer, this default is overridden. From ba7c96bb996b5a141349337ed4f05bae6304315c Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 14:14:30 -0400 Subject: [PATCH 11/41] populate 2.3.1 and subsections --- ap-pac.md | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) diff --git a/ap-pac.md b/ap-pac.md index d49a093..775c523 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -522,14 +522,138 @@ PAC. ## 2.3 OpenC2 Commands +An OpenC2 Command consists of an Action/Target pair and +associated Specifiers and Arguments. This section enumerates the +Commands permitted by this Actuator profile and presents the +associated Response behavior. Sections 2.3.1 through 2.3.5 +provide details applicable to each Command, also as influenced by +the Arguments. Table 2.3-1 defines the Commands that are valid in +the context of the PAC profile. An Action (the top row in Table +2.3-1) paired with a Target (the first column in Table 2.3-1) +defines a valid Command. + +#### Table 2.3-1. Command Matrix + +Table 2.3-2 defines the Command Arguments that are allowed for a +particular Command by the PAC Actuator profile. A Command (the +top row in Table 2.3-2) paired with an Argument (the first column +in Table 2.3-2) defines an allowable combination. + +#### Table 2.3-2. Command Arguments Matrix + + +Hereafter the specification provides details applicable to each +Command, also as influenced by the Arguments. + ### 2.3.1 Scan +Table 2.3-2, Command Arguments Matrix, summarizes the Command +Arguments that apply to all Commands consisting of the scan +Action and a valid Target type. + +Upon receipt of a `scan target` Command with an Argument that +is not supported by the Actuator, PAC Consumers: + +- MUST NOT respond with the 200 status code. +- SHOULD respond with the 501 status code. +- SHOULD respond with "Argument not supported" in the status + text. +- MAY respond with the 500 status code. + +OpenC2 Consumers that receive `scan target` Commands: + +- SHOULD respond with the Response status code 200 upon + successful parsing of the `scan target` Command and subsequent implementation of the corresponding rule. + +OpenC2 Consumers that receive and successfully parse `scan +target` Commands, but cannot implement the `scan target`: + +- MUST NOT respond with the 200 status code. +- SHOULD respond with the 501 status code. +- SHOULD respond with 'Rule not implemented' in the status + text. +- MAY respond with the 500 status code. + +The valid Target types, associated Specifiers, and Arguments are +summarized in the following subsections. Sample Commands are +presented in [Appendix F](#appendix-f-example-appendix-with-subsections). + + #### 2.3.1.1 'Scan Device' +The `scan device` Command is OPTIONAL for Openc2 Producers +implementing the PAC profile. The `scan device` Command is +OPTIONAL for Openc2 Consumers implementing the PAC profile. + +The Command does systematic examination of some aspect of the +specified device that implemented the PAC profile. + +Products that receive but do not implement the `scan device` +Command: + +- MUST NOT respond with the 200 status code. +- SHOULD respond with the 501 Response code. +- SHOULD respond with 'Target type not supported' in the status + text. +- MAY respond with the 500 status code. + +OpenC2 Consumers that receive and support `scan device` Command: + +- SHOULD respond with the Response status code 200 upon + successful parsing and execution of the Command. + + + #### 2.3.1.2 'Scan domain_name' +The `scan domain_name` Command is OPTIONAL for Openc2 Producers +implementing the PAC profile. The `scan domain_name` Command is +OPTIONAL for Openc2 Consumers implementing the PAC profile. + +The Command does systematic examination of the specified network +domain name of the devices that implemented the PAC profile. + +Products that receive but do not implement the `scan domain_name` +Command: + +- MUST NOT respond with the 200 status code. +- SHOULD respond with the 501 Response code. +- SHOULD respond with 'Target type not supported' in the status + text. +- MAY respond with the 500 status code. + +OpenC2 Consumers that receive and support `scan domain_name` +Command: + +- SHOULD respond with the Response status code 200 upon + successful parsing and execution of the Command. + + #### 2.3.1.3 'Scan mac_addr' +The `scan mac_addr` Command is OPTIONAL for Openc2 Producers +implementing the PAC profile. The `scan mac_addr` Command is +OPTIONAL for Openc2 Consumers implementing the PAC profile. + +The Command does systematic examination of the specified MAC +addresses of the devices that implemented the PAC profile. + +Products that receive but do not implement the `scan mac_addr` +Command: + +- MUST NOT respond with the 200 status code. +- SHOULD respond with the 501 Response code. +- SHOULD respond with 'Target type not supported' in the status + text. +- MAY respond with the 500 status code. + +OpenC2 Consumers that receive and support `scan mac_addr` +Command: + +- SHOULD respond with the Response status code 200 upon + successful parsing and execution of the Command. + + ### 2.3.2 Query #### 2.3.2.1 'query features' From f0cfaa76b0308f9839a370b7b49669370a518309 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 14:28:00 -0400 Subject: [PATCH 12/41] populate 2.3.2 & subsections --- ap-pac.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/ap-pac.md b/ap-pac.md index 775c523..8a48805 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -656,8 +656,43 @@ Command: ### 2.3.2 Query +The valid Target types and Arguments for the query Action are +summarized in Table 2.3-1 Command Matrix and Table 2.3-2 Command +Arguments Matrix. Sample Commands are presented in [Appendix +F](#appendix-f-example-appendix-with-subsections). + +Upon receipt of `query [target]` Command with an Argument that is +not supported by the Actuator, PAC Consumers: + +- MUST NOT respond with the 200 status code. +- SHOULD respond with the 501 status code. +- SHOULD respond with 'Argument not supported' in the status + text. +- MAY respond with the 500 status code. + +OpenC2 Consumers that receive and support `query [target]` +Command: + +- SHOULD respond with the Response status code 200 upon + successful parsing and execution of the Command. + + #### 2.3.2.1 'query features' +Implementation of the 'query features' Command is REQUIRED and MUST be +implemented in accordance with Section 4.1, Implementation of 'query +features' Command, of Version 1.0 of the [OpenC2 Language +Specification](#openc2-lang-v1.0). + +#### 2.3.2.2 ‘Query pac:os\_version’* + +The `query pac:os_version` Command provides a mechanism to collect the +information such as name, version and other operating system related +data according to the provided target specifiers. Implementation of the +`query pac:os_version` Command is OPTIONAL. Products that choose to +implement the `query pac:os_version` Command MUST implement the +pac:os\_version Target type described in Table 2.1.2-2. + ### 2.3.3 Cancel #### 2.3.3.1 'cancel command' From 5a3b616bf1bc7383603a85faf964f1443afa4536 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 14:30:58 -0400 Subject: [PATCH 13/41] populate 2.3.3 & subsections --- ap-pac.md | 53 ++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 42 insertions(+), 11 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 8a48805..b8321e8 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -679,26 +679,57 @@ Command: #### 2.3.2.1 'query features' -Implementation of the 'query features' Command is REQUIRED and MUST be -implemented in accordance with Section 4.1, Implementation of 'query -features' Command, of Version 1.0 of the [OpenC2 Language -Specification](#openc2-lang-v1.0). +Implementation of the 'query features' Command is REQUIRED and +MUST be implemented in accordance with Section 4.1, +Implementation of 'query features' Command, of Version 1.0 of the +[OpenC2 Language Specification](#openc2-lang-v1.0). #### 2.3.2.2 ‘Query pac:os\_version’* -The `query pac:os_version` Command provides a mechanism to collect the -information such as name, version and other operating system related -data according to the provided target specifiers. Implementation of the -`query pac:os_version` Command is OPTIONAL. Products that choose to -implement the `query pac:os_version` Command MUST implement the -pac:os\_version Target type described in Table 2.1.2-2. +The `query pac:os_version` Command provides a mechanism to +collect the information such as name, version and other operating +system related data according to the provided target specifiers. +Implementation of the `query pac:os_version` Command is OPTIONAL. +Products that choose to implement the `query pac:os_version` +Command MUST implement the pac:os\_version Target type described +in Table 2.1.2-2. ### 2.3.3 Cancel -#### 2.3.3.1 'cancel command' +The `command` Target as defined in Version 1.0 of the [OpenC2 +Language Specification](#openc2-lang-v1.0) is the only valid +Target type for the cancel Action. The associated Specifiers, and +Arguments are summarized in [Section 2.3.5.1](#update-file). +Sample Commands are presented in [Appendix +F](#appendix-f-example-appendix-with-subsections). + +#### 2.3.3.1 `cancel command` + +The `cancel command` Command is OPTIONAL for Openc2 Producers +implementing the PAC profile. The `cancel command` Command is +OPTIONAL for Openc2 Consumers implementing the PAC profile. + +The Command invalidates a previously issued Action. + +Products that receive but do not implement the `cancel command` +Command: + +- MUST NOT respond with the 200 status code. +- SHOULD respond with the 501 Response code. +- SHOULD respond with 'Target type not supported' in the status + text. +- MAY respond with the 500 status code. + +OpenC2 Consumers that receive and support `cancel command` +Command: + +- SHOULD respond with the Response status code 200 upon + successful parsing and execution of the Command. ### 2.3.4 Update + + #### 2.3.4.1 'update file' ### 2.3.5 Copy From d5edcedda06287d9be33d5401c111f2fdc550057 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 14:38:13 -0400 Subject: [PATCH 14/41] populate 2.3.4 & subsections --- ap-pac.md | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 71 insertions(+), 1 deletion(-) diff --git a/ap-pac.md b/ap-pac.md index b8321e8..de239bc 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -728,9 +728,79 @@ Command: ### 2.3.4 Update +The `file` Target as defined in Version 1.0 of the [OpenC2 +Language Specification](#openc2-lang-v1.0) is the only valid +Target type for the update Action. The associated Specifiers, and +Arguments are summarized in [Section 2.3.4.1](#update-file). +Sample Commands are presented in [Appendix +F](#appendix-f-example-appendix-with-subsections). + +#### 2.3.4.1 `update file` + +The `update file` Command is used to replace or update files such +as configuration files, rule sets, etc. Implementation of the +update file Command is OPTIONAL. OpenC2 Consumers that choose to +implement the `update file` Command MUST include all steps that +are required for the update file procedure such as retrieving the +file(s), install the file(s), restart/ reboot the device etc. The +atomic steps that take place are implementation specific. + +Table 2.3-2, Command Arguments Matrix, presents the valid +Arguments for the `update file` Command. OpenC2 Producers and +Consumers that choose to implement the `update file` Command MUST +NOT include Arguments other than the one identified in Table +2.3-2. + +OpenC2 Producers that send the `update file` Command: + +- MAY populate the arguments field with the response\_requested + Argument. Valid values for response\_requested for `update + file` are "complete", "ack", and "none". +- MUST NOT include other Command Arguments. +- MUST populate the name Specifier in the Target. +- SHOULD populate the path Specifier in the Target. + +Upon receipt of an `update file` Command with an Argument that is +not supported by the Actuator, PAC Consumers: + +- MUST NOT respond with the 200 status code. +- SHOULD respond with the 501 status code. +- SHOULD respond with 'Argument not supported' in the status + text. +- MAY respond with the 500 status code. + +OpenC2 Consumers that receive and support the `update file` +Command: + +- upon successful parsing and initiating the processing of the + 'update file' Command, OpenC2 Consumers MAY respond with + Response status code 102. + +- upon completion of all the steps necessary to complete the + update and the Actuator commences operations functioning with + the new file, OpenC2 Consumers SHOULD respond with Response + status code 200. + +- but cannot parse or process the `update file` Command: + + - MUST NOT respond with the 200 status code. + - SHOULD respond with the 400 status code. + - MAY respond with the 500 status code. + +- but do not support the `update file` Command: + + - MUST NOT respond with the 200 status code. + - SHOULD respond with the 501 status code. + - SHOULD respond with 'Command not supported' in the status + text. + - MAY respond with the 500 status code. + +- but cannot access the file specified in the file Target: + - MUST respond with the 500 status code. + - SHOULD respond with 'Cannot access file' in the status + text. -#### 2.3.4.1 'update file' ### 2.3.5 Copy From 58ec1929de7603c80d6ed821c2b417fbefc4b489 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 14:50:28 -0400 Subject: [PATCH 15/41] populate 2.3.5 and subsections --- ap-pac.md | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 72 insertions(+), 3 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index de239bc..a9024a8 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -753,8 +753,8 @@ NOT include Arguments other than the one identified in Table OpenC2 Producers that send the `update file` Command: -- MAY populate the arguments field with the response\_requested - Argument. Valid values for response\_requested for `update +- MAY populate the arguments field with the `response_requested` + Argument. Valid values for `response_requested` for `update file` are "complete", "ack", and "none". - MUST NOT include other Command Arguments. - MUST populate the name Specifier in the Target. @@ -804,7 +804,76 @@ Command: ### 2.3.5 Copy -#### 2.3.5.1 'copy file' +The `file` Target as defined in Version 1.0 of the [OpenC2 +Language Specification](#openc2-lang-v1.0) is the only valid +Target type for the copy Action. The associated Specifiers, and +Arguments are summarized in [Section 2.3.5.1](#update-file). +Sample Commands are presented in [Appendix +F](#appendix-f-example-appendix-with-subsections). + +#### 2.3.5.1 `copy file` + +The `copy file` Command is used to copy files such as +configuration files, rule sets, etc. Implementation of the copy +file Command is OPTIONAL. OpenC2 Consumers that choose to +implement the `copy file` Command MUST include all steps that are +required for the copy file procedure, such as parse a device and +extract the file based on its name, or/and path, or/and hash +code. The atomic steps that take place are implementation +specific. + +Table 2.3-2, Command Arguments Matrix, presents the valid +Arguments for the `copy file` Command. OpenC2 Producers and +Consumers that choose to implement the `copy file` Command MUST +NOT include Arguments other than the one identified in Table +2.3-2. + +OpenC2 Producers that send the `copy file` Command: + +- MAY populate the arguments field with the + `response_requested` Argument. Valid values for + `response_requested` for `copy file` are "complete", "ack", + and "none". +- MUST NOT include other Command Arguments. +- MUST populate the name Specifier in the Target. +- SHOULD populate the path Specifier in the Target. + +Upon receipt of an `copy file` Command with an Argument that is +not supported by the Actuator, PAC Consumers: + +- MUST NOT respond with the 200 status code. +- SHOULD respond with the 501 status code. +- SHOULD respond with 'Argument not supported' in the status + text. +- MAY respond with the 500 status code. + +OpenC2 Consumers that receive the `copy file` Command: + +- upon successful parsing and initiating the processing of the + 'copy file' Command, OpenC2 Consumers MAY respond with + Response status code 102. + +- upon completion of all the steps necessary to complete the + copy of the file, OpenC2 Consumers SHOULD respond with + Response status code 200. + +- but cannot parse or process the `copy file` Command: + + - MUST NOT respond with the 200 status code. + - SHOULD respond with the 400 status code. + - MAY respond with the 500 status code. + +- but do not support the `copy file` Command: + + - MUST NOT respond with the 200 status code. + - SHOULD respond with the 501 status code. + - SHOULD respond with "Command not supported" in the status text. + - MAY respond with the 500 status code. + +- but cannot access the file specified in the `file` Target: + + - MUST respond with the 500 status code. + - SHOULD respond with "Cannot access file" in the status text. From dc5050addd157f5a92b073c4d6e837ac741a1572 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 14:59:00 -0400 Subject: [PATCH 16/41] populate section 3 and subsections --- ap-pac.md | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 99 insertions(+), 3 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index a9024a8..37a4134 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -884,7 +884,7 @@ OpenC2 Consumers that receive the `copy file` Command: # 3 Conformance -(Note: The [OASIS TC +> (Note: The [OASIS TC Process](https://www.oasis-open.org/policies-guidelines/tc-process-2017-05-26/#wpComponentsConfClause) requires that a specification approved by the TC at the Committee Specification Public Review Draft, Committee Specification or @@ -896,10 +896,106 @@ by listing the conformance clauses here. For the definition of "conformance clause," see [OASIS Defined Terms](https://www.oasis-open.org/policies-guidelines/oasis-defined-terms-2018-05-22/#dConformanceClause). -See "Guidelines to Writing Conformance Clauses": +> See "Guidelines to Writing Conformance Clauses": https://docs.oasis-open.org/templates/TCHandbook/ConformanceGuidelines.html. -Remove this note before submitting for publication.) +> Remove this note before submitting for publication.) + +*This section is normative*. + +This section identifies the requirements for twenty-two +conformance profiles as they pertain to two conformance targets. +The two conformance targets are OpenC2 Producers and OpenC2 +Consumers. + +3.1 Clauses Pertaining to the OpenC2 Producer Conformance Target +---------------------------------------------------------------- + +All OpenC2 Producers that are conformant to this specification +MUST satisfy Conformance Clause 1 and MAY satisfy one or more of +Conformance Clauses 2 through TBD. + +### 3.1.1 Conformance Clause 1: Baseline OpenC2 Producer + +An OpenC2 Producer satisfies Baseline OpenC2 Producer conformance +if: + +- 3.1.1.1 **MUST** support JSON serialization of OpenC2 + Commands that are syntactically valid in accordance with the + property tables presented in [Section + 2.1](#21-openc2-command-components). + +- 3.1.1.2 All serializations **MUST** be implemented in a + manner such that the serialization validates against and + provides a one-to-one mapping to the property tables in + [Section 2.1](#21-openc2-command-components) of this + specification. + +- 3.1.1.3 **MUST** support the use of a Transfer Specification + that is capable of delivering authenticated, ordered, + lossless and uniquely identified OpenC2 messages. + +- 3.1.1.4 **SHOULD** support the use of one or more published + OpenC2 Transfer Specifications which identify underlying + transport protocols such that an authenticated, ordered, + lossless, delivery of uniquely identified OpenC2 messages is + provided. + +- 3.1.1.5 **MUST** be conformant with Version 1.0 of the OpenC2 + Language Specification. + +- 3.1.1.6 **MUST** implement the `query features` Command in + accordance with the normative text provided in Version 1.0 of + the OpenC2 Language Specification. + +- 3.1.1.7 **MUST** implement the `response_requested` Command + Argument as a valid option for any Command. + +- 3.1.1.8 **MUST** conform to at least one of the following + conformance clauses in this specification: + + - [add Conformance Clause(s), if necessary] + +3.2 Clauses Pertaining to the OpenC2 Consumer Conformance Target +---------------------------------------------------------------- + +All OpenC2 Consumers that are conformant to this specification +MUST satisfy Conformance Clause 19 and MAY satisfy one or more of +Conformance Clauses 20 through 36. + +### 3.2.1 Conformance Clause 19: Baseline OpenC2 Consumer + +An OpenC2 Consumer satisfies Baseline OpenC2 Consumer conformance +if: + +- 3.2.1.1 **MUST** support JSON serialization of OpenC2 + Commands that are syntactically valid in accordance with the property + > tables presented in [Section 2.1](#21-openc2-command-components) . + +- 3.2.1.2 All serializations **MUST** be implemented in a + manner such that the serialization validates against and provides a one-to-one mapping to the property tables in [Section 2.1](#21-openc2-command-components) of this specification. + +- 3.2.1.3 **MUST** support the use of a Transfer Specification + that is capable of delivering authenticated, ordered, lossless and uniquely identified OpenC2 messages. + +- 3.2.1.4 **SHOULD** support the use of one or more published + OpenC2 Transfer Specifications which identify underlying transport protocols such that an authenticated, ordered, lossless, delivery of uniquely identified OpenC2 messages is provided. + +- 3.2.1.5 **MUST** be conformant with Version 1.0 of the OpenC2 Language Specification. + +- 3.2.1.6 **MUST** implement the 'query features' Command in accordance with the normative text provided in Version 1.0 of the OpenC2 Language Specification. + +- 3.2.1.7 **MUST** implement the `response_requested` Command Argument as a valid option for any Command. + + - 3.2.1.7.1 All Commands received with a + `response_requested` argument set to 'none' **MUST** process the Command and **MUST NOT** send a Response. This criteria supersedes all other normative text as it pertains to Responses. + + - 3.2.1.7.2 All Commands received without the `response_requested` argument **MUST** process the Command and Response in a manner that is consistent with `"response_requested":"complete"`. + +- 3.2.1.8 **MUST** conform to at least one of the following conformance clauses in this specification: + + - [add Conformance Clause(s), if necessary] + ------- From 542461ddf5dd476d3585d4884bfa911617b67be6 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 15:08:09 -0400 Subject: [PATCH 17/41] reflow appendix A source code --- ap-pac.md | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 37a4134..6239a65 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -1013,17 +1013,21 @@ validity. ## A.1 Normative References -The following documents are referenced in such a way that some or all of their content constitutes requirements of this document. +The following documents are referenced in such a way that some or +all of their content constitutes requirements of this document. -(Reference sources: -For references to IETF RFCs, use the approved citation formats at: +(Reference sources: For references to IETF RFCs, use the approved +citation formats at: https://docs.oasis-open.org/templates/ietf-rfc-list/ietf-rfc-list.html. -For references to W3C Recommendations, use the approved citation formats at: +For references to W3C Recommendations, use the approved citation +formats at: https://docs.oasis-open.org/templates/w3c-recommendations-list/w3c-recommendations-list.html. Remove this note before submitting for publication.) ###### [OpenC2-Lang-v1.0] -_Open Command and Control (OpenC2) Language Specification Version 1.0_. Edited by Jason Romano and Duncan Sparrell. Latest stage: https://docs.oasis-open.org/openc2/oc2ls/v1.0/oc2ls-v1.0.html +_Open Command and Control (OpenC2) Language Specification Version +1.0_. Edited by Jason Romano and Duncan Sparrell. Latest stage: +https://docs.oasis-open.org/openc2/oc2ls/v1.0/oc2ls-v1.0.html ###### [RFC2119] -Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, http://www.rfc-editor.org/info/rfc2119. +Bradner, S., "Key words for use in RFCs to Indicate Requirement +Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, +http://www.rfc-editor.org/info/rfc2119. ###### [RFC8174] -Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, http://www.rfc-editor.org/info/rfc8174. +Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key +Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, +http://www.rfc-editor.org/info/rfc8174. ## A.2 Informative References ###### [RFC3552] -Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, https://www.rfc-editor.org/info/rfc3552. +Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on +Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, +July 2003, https://www.rfc-editor.org/info/rfc3552. ------- From 04051c466d41f99b44b91457a157d7acd3afeba0 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 15:12:51 -0400 Subject: [PATCH 18/41] initial examples for appendix F --- ap-pac.md | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 72 insertions(+), 2 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 6239a65..a744f85 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -1295,9 +1295,79 @@ retrievals from the upstream Producer: # Appendix F. Example Appendix with subsections -## F.1 Subsection title +## F.1 Query and Return SBOM + +These examples illustrate a request from an upstream Producer for +SBOM information from downstream managed components, and the +response to that request. + +### F.1.1 Query SBOM + +``` json +{ + "action": "query", + "target": { + "pac": ["sbom"] + } +} +``` + +### F.2.1 Return SBOM + +``` json +{ + "status": 200, + "results": { + "pac": { + "sbom": { + "TODO": "Fill in data here??" + } + } + } +} +``` + +## F.1 Query and Return Operating System (OS) Version + +These examples illustrate a request from an upstream Producer for +OS version information from downstream managed components, and +the response to that request. + +### F.1.1 Query OS Version + +``` json +{ + "action": "query", + "target": { + "pac": ["os_version"] + } +} +``` + +### F.2.1 Return OS Version + +``` json +{ + "status": 200, + "results": { + "pac": { + "os_version": { + "name": "macOS", + "version": "12.3.1", + "major": 12, + "minor": 3, + "patch": 1, + "build": "21E258", + "platform": "darwin", + "platform_like": "darwin", + "codename": "", + "arch": "x86_64" + } + } + } +} +``` -### F.1.1 Sub-subsection ------- From bdee93a36f9a67ce39022dd4b3ade9332081c211 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 15:13:36 -0400 Subject: [PATCH 19/41] tag 1.2.3.2 example as JSON --- ap-pac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ap-pac.md b/ap-pac.md index a744f85..0fe9502 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -318,7 +318,7 @@ this document: Example: -``` +``` json { "action": "deny", "target": { From fb0ea4a67f38a1de1a0417c8fa5726e324a01a9f Mon Sep 17 00:00:00 2001 From: David Lemire Date: Wed, 4 May 2022 15:16:25 -0400 Subject: [PATCH 20/41] consistent use of double quotes for status text --- ap-pac.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 0fe9502..856cb85 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -570,7 +570,7 @@ target` Commands, but cannot implement the `scan target`: - MUST NOT respond with the 200 status code. - SHOULD respond with the 501 status code. -- SHOULD respond with 'Rule not implemented' in the status +- SHOULD respond with "Rule not implemented" in the status text. - MAY respond with the 500 status code. @@ -593,7 +593,7 @@ Command: - MUST NOT respond with the 200 status code. - SHOULD respond with the 501 Response code. -- SHOULD respond with 'Target type not supported' in the status +- SHOULD respond with "Target type not supported" in the status text. - MAY respond with the 500 status code. @@ -618,7 +618,7 @@ Command: - MUST NOT respond with the 200 status code. - SHOULD respond with the 501 Response code. -- SHOULD respond with 'Target type not supported' in the status +- SHOULD respond with "Target type not supported" in the status text. - MAY respond with the 500 status code. @@ -643,7 +643,7 @@ Command: - MUST NOT respond with the 200 status code. - SHOULD respond with the 501 Response code. -- SHOULD respond with 'Target type not supported' in the status +- SHOULD respond with "Target type not supported" in the status text. - MAY respond with the 500 status code. @@ -666,7 +666,7 @@ not supported by the Actuator, PAC Consumers: - MUST NOT respond with the 200 status code. - SHOULD respond with the 501 status code. -- SHOULD respond with 'Argument not supported' in the status +- SHOULD respond with "Argument not supported" in the status text. - MAY respond with the 500 status code. @@ -716,7 +716,7 @@ Command: - MUST NOT respond with the 200 status code. - SHOULD respond with the 501 Response code. -- SHOULD respond with 'Target type not supported' in the status +- SHOULD respond with "Target type not supported" in the status text. - MAY respond with the 500 status code. @@ -765,7 +765,7 @@ not supported by the Actuator, PAC Consumers: - MUST NOT respond with the 200 status code. - SHOULD respond with the 501 status code. -- SHOULD respond with 'Argument not supported' in the status +- SHOULD respond with "Argument not supported" in the status text. - MAY respond with the 500 status code. @@ -791,14 +791,14 @@ Command: - MUST NOT respond with the 200 status code. - SHOULD respond with the 501 status code. - - SHOULD respond with 'Command not supported' in the status + - SHOULD respond with "Command not supported" in the status text. - MAY respond with the 500 status code. - but cannot access the file specified in the file Target: - MUST respond with the 500 status code. - - SHOULD respond with 'Cannot access file' in the status + - SHOULD respond with "Cannot access file" in the status text. @@ -843,7 +843,7 @@ not supported by the Actuator, PAC Consumers: - MUST NOT respond with the 200 status code. - SHOULD respond with the 501 status code. -- SHOULD respond with 'Argument not supported' in the status +- SHOULD respond with "Argument not supported" in the status text. - MAY respond with the 500 status code. From bc5d1085abfda1d5585d22e401c53e503ef1f2e7 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Mon, 9 May 2022 12:26:28 -0400 Subject: [PATCH 21/41] populate tables from JADN info --- ap-pac.md | 147 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 145 insertions(+), 2 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 856cb85..db1f103 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -406,6 +406,11 @@ combinations are presented in [Section 2.3](#23-openc2-commands). #### Table 2.1.1-1 Common Actions Applicable to PAC +**Type: Action (Enumerated)** + +| ID | Item | Description | +|----|-----------|-------------| +| 3 | **query** | Initiate a request for information. | ### 2.1.2 Targets @@ -418,9 +423,22 @@ namespace identifier. #### Table 2.1.2-1 Common Targets Applicable to PAC +**Type: Target (Enumerated)** + +| ID | Item | Description | +|------|--------------|-------------| +| 9 | **features** | A set of items used with the query Action to determine an Actuator's capabilities.| +| 1035 | **pac/** | | + #### Table 2.1.2-2 Targets Unique to PAC +**Type: AP-Target (Choice)** + +| ID | Name | Type | \# | Description | +|----|-----------|-----------------------------|-------|------------------------------------------| +| 1 | **attrs** | PostureAttributeName unique | 1..\* | List of posture attribute names to query | + Usage Requirements: TBD ### 2.1.3 Command Arguments @@ -437,8 +455,25 @@ the pac namespace identifier. #### Table 2.1.3-1 Common Command Arguments Applicable to PAC +**Type: Args (Enumerated)** + +| ID | Name | Type | # | Description | +| ---: | :--- | :--- | ---: | :--- | +| 1 | **start_time** | Date-Time | 0..1 | The specific date/time to initiate the Command | +| 2 | **stop_time** | Date-Time | 0..1 | The specific date/time to terminate the Command | +| 3 | **duration** | Duration | 0..1 | The length of time for an Command to be in effect | +| 4 | **response_requested** | Response-Type | 0..1 | The type of Response required for the Command: `none`, `ack`, `status`, `complete`. | +| 1035 | **pac/** | | + + #### Table 2.1.3-2 Command Arguments Unique to PAC +**Type: AP-Args (Map{1..\*})** + +| ID | Name | Type | \# | Description | +|----|---------|--------|------|--------------------------| +| 1 | **foo** | String | 0..1 | Delete from Args if none | + Usage Requirements: TBD @@ -456,6 +491,12 @@ Actuator. #### Table 2.1.4-1 PAC Actuator +**Type: Actuator (Enumerated)** + +| ID | Item | Description | +|------|----------|-------------| +| 1035 | **pac/** | | + ### 2.1.5 Actuator Specifiers @@ -468,7 +509,11 @@ namespace identifier. #### Table 2.1.5-1 PAC Actuator Specifiers +**Type: AP-Specifiers (Map)** +| ID | Name | Type | \# | Description | +|----|---------|--------|------|------------------------------| +| 1 | **foo** | String | 0..1 | Delete from Actuator if none | ## 2.2 OpenC2 Response Components @@ -491,6 +536,16 @@ applicable to PAC. #### Table 2.2.1-1 Common Response Results Applicable to PAC +**Type: Results (Enumerated)** + +| ID | Name | Type | # | Description | +| ---: | :--- | :--- | ---: | :--- | +| 1 | **versions** | Version unique | 0..* | List of OpenC2 language versions supported by this Actuator | +| 2 | **profiles** | ArrayOf(Nsid) | 0..1 | List of profiles supported by this Actuator | +| 3 | **pairs** | Action-Targets | 0..1 | List of targets applicable to each supported Action | +| 4 | **rate_limit** | Number{0..*} | 0..1 | Maximum number of requests per minute supported by design or policy | +| 1035 | **pac/** | | + #### Table 2.2.1-2 Response Results Unique to PAC @@ -498,18 +553,106 @@ The list of common Response properties is extended to include the additional Response properties defined in this section and referenced with the `pac` namespace. +**Type: AP-Results (Map{1..\*})** + +| ID | Name | Type | \# | Description | +|----|----------------|------------|----|-------------| +| 1 | **os_version** | OS-Version | 1 | | +| 2 | **sbom** | SBOM | 1 | | + + #### 2.2.1.1 Data Type Definitions ----- OS-Version Table Goes Here ----- +**Type: OS-Version (Record)** + +| ID | Name | Type | \# | Description | +|----|-------------------|--------------|-------|--------------------------------------| +| 1 | **name** | String | 1 | Distribution or product name | +| 2 | **version** | String | 1 | Suitable for presentation OS version | +| 3 | **major** | Integer | 0..1 | Major release version | +| 4 | **patch** | Integer | 0..1 | Patch release | +| 5 | **build** | String | 0..1 | Build-specific or variant string | +| 6 | **platform** | String | 0..1 | OS Platform or ID | +| 7 | **platform_like** | String | 0..\* | Closely-related platforms | +| 8 | **arch** | OS-Arch | 0..1 | OS Architecture | +| 9 | **install_date** | ls:Date-Time | 0..1 | Install date of the OS | + + +Usage Requirements: TBD + +**Type: OS-Arch (Enumerated)** + +| ID | Item | Description | +|----|------------|-------------| +| 1 | **32-bit** | | +| 2 | **64-bit** | | +| 3 | **x86_32** | | +| 4 | **x86_64** | | + + +Usage Requirements: TBD + +**Type: SBOM (Choice)** + +| ID | Name | Type | \# | Description | +|----|-------------|---------------|----|------------------------------------------| +| 1 | **uri** | ls:URI | 1 | Unique identifier or locator of the SBOM | +| 2 | **summary** | SBOM-Elements | 1 | NTIA Minimumum Elements of an SBOM | +| 3 | **content** | SBOM-Content | 1 | SBOM structured data | +| 4 | **blob** | SBOM-Blob | 1 | Uninterpreted SBOM bytes | Usage Requirements: TBD ----- OS-Arch Table Goes Here ----- +**Type: SBOM-Elements (Record)** + +| ID | Name | Type | \# | Description | +|----|-------------------|--------------|-------|--------------------------------------------------------------------------------------| +| 1 | **supplier** | String | 1..\* | Name of entity that creates, defines, and identifies components | +| 2 | **component** | String | 1..\* | Designation(s) assigned to a unit of software defined by the original supplier | +| 3 | **version** | String | 1 | Identifier used by supplier to specify a change from a previously identified version | +| 4 | **component_ids** | String | 0..\* | Other identifiers used to identify a component, or serve as a look-yp key | +| 5 | **dependencies** | String | 0..\* | Upstream component(s) | +| 6 | **author** | String | 1 | Name of the entity that creates SBOM data for this component | +| 7 | **timestamp** | ls:Date-Time | 1 | Record of the date and time of the SBOM data assembly | + +Usage Requirements: TBD + +**Type: SBOM-Content (Choice)** + +| ID | Name | Type | \# | Description | +|----|---------------|--------|----|--------------------------------------| +| 1 | **cyclonedx** | String | 1 | Placeholder for CycloneDX data model | +| 2 | **spdx2** | String | 1 | Placeholder for SPDX v2.x data model | +| 3 | **spdx3** | String | 1 | Placeholder for SPDX v3 data model | + +Usage Requirements: TBD + + + + +**Type: SBOM-Blob (Record)** + +| ID | Name | Type | \# | Description | +|----|------------|--------------------------------|----|-------------| +| 1 | **format** | Enumerated(Enum[SBOM-Content]) | 1 | | +| 2 | **data** | Binary | 1 | | Usage Requirements: TBD + + + + + + + + + + + + ### 2.2.2 Response Status Codes Table 2.2.2-1 lists the Response Status Codes defined in Version From 164bff3d4cd1524fe4578dc9449fd730a6c4c647 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Mon, 9 May 2022 12:26:55 -0400 Subject: [PATCH 22/41] source clean-up --- ap-pac.md | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index db1f103..42aaf08 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -640,19 +640,6 @@ Usage Requirements: TBD Usage Requirements: TBD - - - - - - - - - - - - - ### 2.2.2 Response Status Codes Table 2.2.2-1 lists the Response Status Codes defined in Version From bbec19c12ab9e644d1f8b5434ecd4df5d053adfb Mon Sep 17 00:00:00 2001 From: David Lemire Date: Mon, 9 May 2022 12:36:20 -0400 Subject: [PATCH 23/41] strip out currently unsupported commands --- ap-pac.md | 320 ++++-------------------------------------------------- 1 file changed, 24 insertions(+), 296 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 42aaf08..e309019 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -648,6 +648,21 @@ PAC. #### Table 2.2.2-1 Response Status Codes +> _EDITOR'S NOTE: for now simply including all of the status codes from the LS._ + +**_Type: Status-Code (Enumerated.ID)_** + +| ID | Description | +| ---: | :--- | +| 102 | **Processing** - an interim Response used to inform the Producer that the Consumer has accepted the Command but has not yet completed it. | +| 200 | **OK** - the Command has succeeded. | +| 400 | **Bad Request** - the Consumer cannot process the Command due to something that is perceived to be a Producer error (e.g., malformed Command syntax). | +| 401 | **Unauthorized** - the Command Message lacks valid authentication credentials for the target resource or authorization has been refused for the submitted credentials. | +| 403 | **Forbidden** - the Consumer understood the Command but refuses to authorize it. | +| 404 | **Not Found** - the Consumer has not found anything matching the Command. | +| 500 | **Internal Error** - the Consumer encountered an unexpected condition that prevented it from performing the Command. | +| 501 | **Not Implemented** - the Consumer does not support the functionality required to perform the Command. | +| 503 | **Service Unavailable** - the Consumer is currently unable to perform the Command due to a temporary overloading or maintenance of the Consumer. | ## 2.3 OpenC2 Commands @@ -668,123 +683,20 @@ Table 2.3-2 defines the Command Arguments that are allowed for a particular Command by the PAC Actuator profile. A Command (the top row in Table 2.3-2) paired with an Argument (the first column in Table 2.3-2) defines an allowable combination. - -#### Table 2.3-2. Command Arguments Matrix - - -Hereafter the specification provides details applicable to each -Command, also as influenced by the Arguments. - -### 2.3.1 Scan -Table 2.3-2, Command Arguments Matrix, summarizes the Command -Arguments that apply to all Commands consisting of the scan -Action and a valid Target type. +> _EDITOR'S NOTE: Insert Command Matrix here._ -Upon receipt of a `scan target` Command with an Argument that -is not supported by the Actuator, PAC Consumers: - -- MUST NOT respond with the 200 status code. -- SHOULD respond with the 501 status code. -- SHOULD respond with "Argument not supported" in the status - text. -- MAY respond with the 500 status code. - -OpenC2 Consumers that receive `scan target` Commands: - -- SHOULD respond with the Response status code 200 upon - successful parsing of the `scan target` Command and subsequent implementation of the corresponding rule. - -OpenC2 Consumers that receive and successfully parse `scan -target` Commands, but cannot implement the `scan target`: - -- MUST NOT respond with the 200 status code. -- SHOULD respond with the 501 status code. -- SHOULD respond with "Rule not implemented" in the status - text. -- MAY respond with the 500 status code. - -The valid Target types, associated Specifiers, and Arguments are -summarized in the following subsections. Sample Commands are -presented in [Appendix F](#appendix-f-example-appendix-with-subsections). - - -#### 2.3.1.1 'Scan Device' - -The `scan device` Command is OPTIONAL for Openc2 Producers -implementing the PAC profile. The `scan device` Command is -OPTIONAL for Openc2 Consumers implementing the PAC profile. - -The Command does systematic examination of some aspect of the -specified device that implemented the PAC profile. - -Products that receive but do not implement the `scan device` -Command: - -- MUST NOT respond with the 200 status code. -- SHOULD respond with the 501 Response code. -- SHOULD respond with "Target type not supported" in the status - text. -- MAY respond with the 500 status code. -OpenC2 Consumers that receive and support `scan device` Command: - -- SHOULD respond with the Response status code 200 upon - successful parsing and execution of the Command. - - - -#### 2.3.1.2 'Scan domain_name' - -The `scan domain_name` Command is OPTIONAL for Openc2 Producers -implementing the PAC profile. The `scan domain_name` Command is -OPTIONAL for Openc2 Consumers implementing the PAC profile. - -The Command does systematic examination of the specified network -domain name of the devices that implemented the PAC profile. - -Products that receive but do not implement the `scan domain_name` -Command: - -- MUST NOT respond with the 200 status code. -- SHOULD respond with the 501 Response code. -- SHOULD respond with "Target type not supported" in the status - text. -- MAY respond with the 500 status code. - -OpenC2 Consumers that receive and support `scan domain_name` -Command: - -- SHOULD respond with the Response status code 200 upon - successful parsing and execution of the Command. - - -#### 2.3.1.3 'Scan mac_addr' - -The `scan mac_addr` Command is OPTIONAL for Openc2 Producers -implementing the PAC profile. The `scan mac_addr` Command is -OPTIONAL for Openc2 Consumers implementing the PAC profile. - -The Command does systematic examination of the specified MAC -addresses of the devices that implemented the PAC profile. - -Products that receive but do not implement the `scan mac_addr` -Command: - -- MUST NOT respond with the 200 status code. -- SHOULD respond with the 501 Response code. -- SHOULD respond with "Target type not supported" in the status - text. -- MAY respond with the 500 status code. + +#### Table 2.3-2. Command Arguments Matrix -OpenC2 Consumers that receive and support `scan mac_addr` -Command: +> _EDITOR'S NOTE: Insert Command Arguments Matrix here._ -- SHOULD respond with the Response status code 200 upon - successful parsing and execution of the Command. +Hereafter the specification provides details applicable to each +Command, also as influenced by the Arguments. -### 2.3.2 Query +### 2.3.1 Query The valid Target types and Arguments for the query Action are summarized in Table 2.3-1 Command Matrix and Table 2.3-2 Command @@ -807,14 +719,14 @@ Command: successful parsing and execution of the Command. -#### 2.3.2.1 'query features' +#### 2.3.2.1 query features Implementation of the 'query features' Command is REQUIRED and MUST be implemented in accordance with Section 4.1, Implementation of 'query features' Command, of Version 1.0 of the [OpenC2 Language Specification](#openc2-lang-v1.0). -#### 2.3.2.2 ‘Query pac:os\_version’* +#### 2.3.2.2 Query pac:attrs* The `query pac:os_version` Command provides a mechanism to collect the information such as name, version and other operating @@ -824,190 +736,6 @@ Products that choose to implement the `query pac:os_version` Command MUST implement the pac:os\_version Target type described in Table 2.1.2-2. -### 2.3.3 Cancel - -The `command` Target as defined in Version 1.0 of the [OpenC2 -Language Specification](#openc2-lang-v1.0) is the only valid -Target type for the cancel Action. The associated Specifiers, and -Arguments are summarized in [Section 2.3.5.1](#update-file). -Sample Commands are presented in [Appendix -F](#appendix-f-example-appendix-with-subsections). - -#### 2.3.3.1 `cancel command` - -The `cancel command` Command is OPTIONAL for Openc2 Producers -implementing the PAC profile. The `cancel command` Command is -OPTIONAL for Openc2 Consumers implementing the PAC profile. - -The Command invalidates a previously issued Action. - -Products that receive but do not implement the `cancel command` -Command: - -- MUST NOT respond with the 200 status code. -- SHOULD respond with the 501 Response code. -- SHOULD respond with "Target type not supported" in the status - text. -- MAY respond with the 500 status code. - -OpenC2 Consumers that receive and support `cancel command` -Command: - -- SHOULD respond with the Response status code 200 upon - successful parsing and execution of the Command. - -### 2.3.4 Update - -The `file` Target as defined in Version 1.0 of the [OpenC2 -Language Specification](#openc2-lang-v1.0) is the only valid -Target type for the update Action. The associated Specifiers, and -Arguments are summarized in [Section 2.3.4.1](#update-file). -Sample Commands are presented in [Appendix -F](#appendix-f-example-appendix-with-subsections). - -#### 2.3.4.1 `update file` - -The `update file` Command is used to replace or update files such -as configuration files, rule sets, etc. Implementation of the -update file Command is OPTIONAL. OpenC2 Consumers that choose to -implement the `update file` Command MUST include all steps that -are required for the update file procedure such as retrieving the -file(s), install the file(s), restart/ reboot the device etc. The -atomic steps that take place are implementation specific. - -Table 2.3-2, Command Arguments Matrix, presents the valid -Arguments for the `update file` Command. OpenC2 Producers and -Consumers that choose to implement the `update file` Command MUST -NOT include Arguments other than the one identified in Table -2.3-2. - -OpenC2 Producers that send the `update file` Command: - -- MAY populate the arguments field with the `response_requested` - Argument. Valid values for `response_requested` for `update - file` are "complete", "ack", and "none". -- MUST NOT include other Command Arguments. -- MUST populate the name Specifier in the Target. -- SHOULD populate the path Specifier in the Target. - -Upon receipt of an `update file` Command with an Argument that is -not supported by the Actuator, PAC Consumers: - -- MUST NOT respond with the 200 status code. -- SHOULD respond with the 501 status code. -- SHOULD respond with "Argument not supported" in the status - text. -- MAY respond with the 500 status code. - -OpenC2 Consumers that receive and support the `update file` -Command: - -- upon successful parsing and initiating the processing of the - 'update file' Command, OpenC2 Consumers MAY respond with - Response status code 102. - -- upon completion of all the steps necessary to complete the - update and the Actuator commences operations functioning with - the new file, OpenC2 Consumers SHOULD respond with Response - status code 200. - -- but cannot parse or process the `update file` Command: - - - MUST NOT respond with the 200 status code. - - SHOULD respond with the 400 status code. - - MAY respond with the 500 status code. - -- but do not support the `update file` Command: - - - MUST NOT respond with the 200 status code. - - SHOULD respond with the 501 status code. - - SHOULD respond with "Command not supported" in the status - text. - - MAY respond with the 500 status code. - -- but cannot access the file specified in the file Target: - - - MUST respond with the 500 status code. - - SHOULD respond with "Cannot access file" in the status - text. - - -### 2.3.5 Copy - -The `file` Target as defined in Version 1.0 of the [OpenC2 -Language Specification](#openc2-lang-v1.0) is the only valid -Target type for the copy Action. The associated Specifiers, and -Arguments are summarized in [Section 2.3.5.1](#update-file). -Sample Commands are presented in [Appendix -F](#appendix-f-example-appendix-with-subsections). - -#### 2.3.5.1 `copy file` - -The `copy file` Command is used to copy files such as -configuration files, rule sets, etc. Implementation of the copy -file Command is OPTIONAL. OpenC2 Consumers that choose to -implement the `copy file` Command MUST include all steps that are -required for the copy file procedure, such as parse a device and -extract the file based on its name, or/and path, or/and hash -code. The atomic steps that take place are implementation -specific. - -Table 2.3-2, Command Arguments Matrix, presents the valid -Arguments for the `copy file` Command. OpenC2 Producers and -Consumers that choose to implement the `copy file` Command MUST -NOT include Arguments other than the one identified in Table -2.3-2. - -OpenC2 Producers that send the `copy file` Command: - -- MAY populate the arguments field with the - `response_requested` Argument. Valid values for - `response_requested` for `copy file` are "complete", "ack", - and "none". -- MUST NOT include other Command Arguments. -- MUST populate the name Specifier in the Target. -- SHOULD populate the path Specifier in the Target. - -Upon receipt of an `copy file` Command with an Argument that is -not supported by the Actuator, PAC Consumers: - -- MUST NOT respond with the 200 status code. -- SHOULD respond with the 501 status code. -- SHOULD respond with "Argument not supported" in the status - text. -- MAY respond with the 500 status code. - -OpenC2 Consumers that receive the `copy file` Command: - -- upon successful parsing and initiating the processing of the - 'copy file' Command, OpenC2 Consumers MAY respond with - Response status code 102. - -- upon completion of all the steps necessary to complete the - copy of the file, OpenC2 Consumers SHOULD respond with - Response status code 200. - -- but cannot parse or process the `copy file` Command: - - - MUST NOT respond with the 200 status code. - - SHOULD respond with the 400 status code. - - MAY respond with the 500 status code. - -- but do not support the `copy file` Command: - - - MUST NOT respond with the 200 status code. - - SHOULD respond with the 501 status code. - - SHOULD respond with "Command not supported" in the status text. - - MAY respond with the 500 status code. - -- but cannot access the file specified in the `file` Target: - - - MUST respond with the 500 status code. - - SHOULD respond with "Cannot access file" in the status text. - - - - ------- From 4e8da04ea475799fd41727092ac2e30bf78f221e Mon Sep 17 00:00:00 2001 From: David Lemire Date: Mon, 9 May 2022 12:37:38 -0400 Subject: [PATCH 24/41] tweaks --- ap-pac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ap-pac.md b/ap-pac.md index e309019..4669309 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -726,7 +726,7 @@ MUST be implemented in accordance with Section 4.1, Implementation of 'query features' Command, of Version 1.0 of the [OpenC2 Language Specification](#openc2-lang-v1.0). -#### 2.3.2.2 Query pac:attrs* +#### 2.3.2.2 Query pac:attrs The `query pac:os_version` Command provides a mechanism to collect the information such as name, version and other operating From b65fc7b7ef5176503980f2d0a42cd4f4b4563a13 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Mon, 9 May 2022 12:39:27 -0400 Subject: [PATCH 25/41] fix pac/ result in 2.2.1 --- ap-pac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ap-pac.md b/ap-pac.md index 4669309..ae9632b 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -544,7 +544,7 @@ applicable to PAC. | 2 | **profiles** | ArrayOf(Nsid) | 0..1 | List of profiles supported by this Actuator | | 3 | **pairs** | Action-Targets | 0..1 | List of targets applicable to each supported Action | | 4 | **rate_limit** | Number{0..*} | 0..1 | Maximum number of requests per minute supported by design or policy | -| 1035 | **pac/** | | +| 1035 | **pac/** | pac:AP-Results | 0..1 | #### Table 2.2.1-2 Response Results Unique to PAC From 10fd7595fd18c62bc751c760f010660cfabec9fc Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 11:40:00 -0400 Subject: [PATCH 26/41] add command and arguments matrices --- ap-pac.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index ae9632b..a225c64 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -676,7 +676,13 @@ the Arguments. Table 2.3-1 defines the Commands that are valid in the context of the PAC profile. An Action (the top row in Table 2.3-1) paired with a Target (the first column in Table 2.3-1) defines a valid Command. - + +| | **query**| +|---:|:---:| +| **features**| valid | +| **pac/** | valid | + + #### Table 2.3-1. Command Matrix Table 2.3-2 defines the Command Arguments that are allowed for a @@ -684,13 +690,13 @@ particular Command by the PAC Actuator profile. A Command (the top row in Table 2.3-2) paired with an Argument (the first column in Table 2.3-2) defines an allowable combination. -> _EDITOR'S NOTE: Insert Command Matrix here._ - - #### Table 2.3-2. Command Arguments Matrix -> _EDITOR'S NOTE: Insert Command Arguments Matrix here._ +| | query features | query pac:attrs | +| ---: | :---: | :---: | +| response_requested | 2.3.2.1 | 2.3.2.2 | + Hereafter the specification provides details applicable to each From 84f7ec331db475609ee40e2558ef65eba996787f Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 15:13:33 -0400 Subject: [PATCH 27/41] add note about SBOM/os_version, and RFC reference --- ap-pac.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index a225c64..6aae474 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -547,12 +547,21 @@ applicable to PAC. | 1035 | **pac/** | pac:AP-Results | 0..1 | -#### Table 2.2.1-2 Response Results Unique to PAC - The list of common Response properties is extended to include the additional Response properties defined in this section and referenced with the `pac` namespace. +> NOTE: To illustrate response results unique to PAC, os_version +> and Software Bill of Materials (SBOM) have been chosen. These +> two use cases well correlate with [RFC 7632](#rfc7632) and +> reflect growing community interest in security automation. The +> purpose of the use cases is to provide examples of how to +> collect the posture attributes from selected endpoints for +> storing and farther evaluation. The set of response results +> unique to PAC is expect to shift and expand as this AP matures. + +#### Table 2.2.1-2 Response Results Unique to PAC + **Type: AP-Results (Map{1..\*})** | ID | Name | Type | \# | Description | @@ -914,6 +923,11 @@ Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, https://www.rfc-editor.org/info/rfc3552. +###### [RFC7632] +Waltermire, D. and D. Harrington, "Endpoint Security Posture Assessment: Enterprise Use Cases", RFC 7632, DOI 10.17487/RFC7632, September 2015, . + + + ------- # Appendix B. Safety, Security and Privacy Considerations From ee5d488a94e5ae0c5da66dfa31f4ebad8ff202d9 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 15:17:08 -0400 Subject: [PATCH 28/41] update internal link --- ap-pac.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 6aae474..a424682 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -202,14 +202,15 @@ The remaining of Section 1 includes information about the IPR policy, terminology used, and document conventions pertinent to this Actuator profile specification. -[Section 2](#2-section-heading) (normative) binds this particular -profile to Version 1.0 of the OpenC2 Language Specification -[\[OpenC2-Lang-v1.0\]](#openc2-lang-v1.0). It enumerates the -components of the Language Specification that are meaningful in -the context of PAC and defines components that are applicable to -this distinct profile. In addition, Section 2 defines the -Commands (i.e., the Action/Target pairs, arguments, and -associated specifiers) that are permitted in the context of PAC. +[Section 2](#2-openc2-language-binding) (normative) binds this +particular profile to Version 1.0 of the OpenC2 Language +Specification [\[OpenC2-Lang-v1.0\]](#openc2-lang-v1.0). It +enumerates the components of the Language Specification that are +meaningful in the context of PAC and defines components that are +applicable to this distinct profile. In addition, Section 2 +defines the Commands (i.e., the Action/Target pairs, arguments, +and associated specifiers) that are permitted in the context of +PAC. [Section 3](#3-conformance) (normative) presents definitive criteria for conformance so that cyber security stakeholders can From c2200aa02b7bb24548faddfc4f0ef177a86d026d Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 15:18:05 -0400 Subject: [PATCH 29/41] change example action in glossary --- ap-pac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ap-pac.md b/ap-pac.md index a424682..8617766 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -241,7 +241,7 @@ This is the initial version of this specifciation. *This section is normative.* - **Action**: The task or activity to be performed (e.g., - 'deny'). + 'query'). - **Actuator**: The function performed by the Consumer that executes the Command (e.g., 'Posture Attribute Collection'). From dc8d72feff0402aba1961fd502d122a18e01cd76 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 15:26:23 -0400 Subject: [PATCH 30/41] edit 2.1.4 to fucntional language --- ap-pac.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 8617766..137a36d 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -484,11 +484,10 @@ Usage Requirements: TBD ### 2.1.4 Actuators -An Actuator is the entity that provides the functionality and -performs the Action. The Actuator executes the Action on the -Target. In the context of this profile, the Actuator is the -posture attribute collection. Table 2.1.4-1 lists the PAC -Actuator. +An Actuator provides the functionality and performs the Action. +The Actuator executes the Action on the Target. In the context of +this profile, the Actuator performs the function of posture +attribute collection. Table 2.1.4-1 lists the PAC Actuator. #### Table 2.1.4-1 PAC Actuator From 86c621c0263a11d9ef4002dfa99d0f374430661a Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 15:37:14 -0400 Subject: [PATCH 31/41] intro paragraph describing PAC --- ap-pac.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/ap-pac.md b/ap-pac.md index 137a36d..3a604ff 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -177,6 +177,16 @@ Producer (managing application) and transferred to a Consumer protocol, and the Consumer acts on the request and responds with status and any other requested information. +Understanding the security posture of components in a network is +a starting point for automation to update and maintain the +network's overall security posture. [RFC 7632](#rfc7632) defines +a set of use cases for endpoint posture assessment, which is +initiated by "securely collecting and aggregating configuration +and operational data". This activity is known as posture +attribute collection. OpenC2 can provide the means to coordinate +the collection of security posture attributes for subsequent +evaluation. + This specification defines an Actuator profile for **Posture Attribute Collection (PAC)**. In particular, the specification comprises a set of Actions, Targets and Target Specifiers, From def0cca49211d6cb08a086407933e1b7a488343d Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 15:39:34 -0400 Subject: [PATCH 32/41] insert TOC --- ap-pac.md | 45 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/ap-pac.md b/ap-pac.md index 3a604ff..129f5f3 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -156,7 +156,50 @@ section in an Appendix below. ------- # Table of Contents -[[TOC will be inserted here]] +- [1 Introduction](#1-introduction) + - [1.1 Changes from earlier versions](#11-changes-from-earlier-versions) + - [1.2 Glossary](#12-glossary) + - [1.2.1 Definitions of terms](#121-definitions-of-terms) + - [1.2.2 Acronyms and abbreviations](#122-acronyms-and-abbreviations) + - [1.2.3 Document conventions](#123-document-conventions) + - [1.2.3.1 Naming Conventions](#1231-naming-conventions) + - [1.2.3.2 Font Colors and Style](#1232-font-colors-and-style) +- [2 OpenC2 Language Binding](#2-openc2-language-binding) + - [2.1 OpenC2 Command Components](#21-openc2-command-components) + - [2.1.1 Actions](#211-actions) + - [2.1.2 Targets](#212-targets) + - [2.1.3 Command Arguments](#213-command-arguments) + - [2.1.3.1 Data Type Definitions](#2131-data-type-definitions) + - [2.1.4 Actuators](#214-actuators) + - [2.1.5 Actuator Specifiers](#215-actuator-specifiers) + - [2.2 OpenC2 Response Components](#22-openc2-response-components) + - [2.2.1 Common Response Results](#221-common-response-results) + - [2.2.1.1 Data Type Definitions](#2211-data-type-definitions) + - [2.2.2 Response Status Codes](#222-response-status-codes) + - [2.3 OpenC2 Commands](#23-openc2-commands) + - [2.3.1 Query](#231-query) + - [2.3.2.1 query features](#2321-query-features) + - [2.3.2.2 Query pac:attrs](#2322-query-pacattrs) +- [3 Conformance](#3-conformance) + - [3.1 Clauses Pertaining to the OpenC2 Producer Conformance Target](#31-clauses-pertaining-to-the-openc2-producer-conformance-target) + - [3.1.1 Conformance Clause 1: Baseline OpenC2 Producer](#311-conformance-clause-1-baseline-openc2-producer) + - [3.2 Clauses Pertaining to the OpenC2 Consumer Conformance Target](#32-clauses-pertaining-to-the-openc2-consumer-conformance-target) + - [3.2.1 Conformance Clause 19: Baseline OpenC2 Consumer](#321-conformance-clause-19-baseline-openc2-consumer) +- [Appendix A. References](#appendix-a-references) + - [A.1 Normative References](#a1-normative-references) + - [A.2 Informative References](#a2-informative-references) +- [Appendix B. Safety, Security and Privacy Considerations](#appendix-b-safety-security-and-privacy-considerations) +- [Appendix C. Acknowledgments](#appendix-c-acknowledgments) +- [Appendix D. Revision History](#appendix-d-revision-history) +- [Appendix E. Orchestrator Consumer Operating Model](#appendix-e-orchestrator-consumer-operating-model) + - [E.1. Terminology](#e1-terminology) + - [E.2 Assumptions](#e2-assumptions) + - [E.3 Operations](#e3-operations) + - [E.4 Notional Example](#e4-notional-example) +- [Appendix F. Example Appendix with subsections](#appendix-f-example-appendix-with-subsections) + - [F.1 Query and Return SBOM](#f1-query-and-return-sbom) + - [F.1 Query and Return Operating System (OS) Version](#f1-query-and-return-operating-system-os-version) +- [Appendix G. Notices](#appendix-g-notices) ------- From 107c49572178caec91affaf1d7d17e6dff3316b0 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 15:44:21 -0400 Subject: [PATCH 33/41] italicize document title --- ap-pac.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index 129f5f3..6a7c668 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -268,8 +268,8 @@ PAC. [Section 3](#3-conformance) (normative) presents definitive criteria for conformance so that cyber security stakeholders can be assured that their products, instances and/or integrations are -compatible with this profile (OpenC2 Actuator Profile for Posture -Attribute Collection Version 1.0). +compatible with this profile (*OpenC2 Actuator Profile for Posture +Attribute Collection Version 1.0*). [Appendix E](#appendix-e-orchestrator-consumer-operating-model) (non-normative) describes the operating model for an From 2886725b9b1efeb076152396a23fcd931e1e6b9c Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 15:47:38 -0400 Subject: [PATCH 34/41] paragraph introducing Orchestrator Consumer --- ap-pac.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ap-pac.md b/ap-pac.md index 6a7c668..846c978 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -239,6 +239,14 @@ set, cyber security orchestrators may gain visibility into and provide control over PAC in a manner that is independent of the instance of the PAC function. +The PAC Actuator profile is oriented for commanding an OpenC2 +Consumer that will, in turn, command other network components to +retrieve the desired security posture attributes. The element +receiving commands under the PAC Actuator profile is referred to +here as an "Orchestrator Consumer", and an operating model for it +is described in [Appendix +E](#appendix-e-orchestrator-consumer-operating-model). + All components, devices, and systems that provide PAC functionality MUST implement the identified OpenC2 Actions, Targets, Specifiers, and Arguments as specified in the From ded3dc86ccb210ac2ca91b68b495675973d18916 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 15:49:31 -0400 Subject: [PATCH 35/41] initial acronyms in 1.2.2 --- ap-pac.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ap-pac.md b/ap-pac.md index 846c978..4910004 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -335,7 +335,10 @@ This is the initial version of this specifciation. ### 1.2.2 Acronyms and abbreviations -TBSL +| Term | Explanation | +| :---: | :--- | +| PAC | Posture Attribute Collection | +| RFC | Request For Comment ### 1.2.3 Document conventions From 8a73a5c1caae5341ff13da7ef7e9956c34bdbab4 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 15:51:44 -0400 Subject: [PATCH 36/41] fix typo --- ap-pac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ap-pac.md b/ap-pac.md index 4910004..2b75c0a 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -436,7 +436,7 @@ OpenC2 Command. The components of an OpenC2 Command include: - **Action:** A subset of the Actions defined in Version 1.0 of the [OpenC2 Language Specification](#openc2-lang-v1.0) that are - meaningful in the context of a posture attribute collection. + meaningful in the context of posture attribute collection. - This profile SHALL NOT define Actions that are external to Version 1.0 of the [OpenC2 Language From 3bec662b97753cb89366bf3ab005b338c0601fdf Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 15:52:16 -0400 Subject: [PATCH 37/41] use acronym --- ap-pac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ap-pac.md b/ap-pac.md index 2b75c0a..3ba004d 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -436,7 +436,7 @@ OpenC2 Command. The components of an OpenC2 Command include: - **Action:** A subset of the Actions defined in Version 1.0 of the [OpenC2 Language Specification](#openc2-lang-v1.0) that are - meaningful in the context of posture attribute collection. + meaningful in the context of PAC. - This profile SHALL NOT define Actions that are external to Version 1.0 of the [OpenC2 Language From 5f766fb2774e0b47a7a65a96613cd78944bae84b Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 15:53:43 -0400 Subject: [PATCH 38/41] remove specificity of # of AP-specific targets --- ap-pac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ap-pac.md b/ap-pac.md index 3ba004d..d6abee0 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -452,7 +452,7 @@ OpenC2 Command. The components of an OpenC2 Command include: - **Target:** A subset of the Targets and Target-Specifiers defined in Version 1.0 of the [OpenC2 Language Specification](#openc2-lang-v1.0) that are meaningful in the - context of PAC and two Targets and their Specifiers that are + context of PAC and the Targets and their Specifiers that are defined in this specification. - **Arguments:** A subset of the Arguments defined in Version 1.0 From fea7c090f7601c36a094173d15add64a699e50d5 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 16:32:11 -0400 Subject: [PATCH 39/41] editorial corrections --- ap-pac.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/ap-pac.md b/ap-pac.md index d6abee0..b3a1bf9 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -622,7 +622,8 @@ referenced with the `pac` namespace. > purpose of the use cases is to provide examples of how to > collect the posture attributes from selected endpoints for > storing and farther evaluation. The set of response results -> unique to PAC is expect to shift and expand as this AP matures. +> unique to PAC is expected to shift and expand as this AP +> matures. #### Table 2.2.1-2 Response Results Unique to PAC @@ -1178,13 +1179,13 @@ received from the upstream Producer: 4. What information must be collected to generate a response to the upstream Producer. -3. Generate and send commands (as identified in 2.a) to the +3. Generate and send commands (as identified in 2.i) to the identified set of downstream Consumers (as identified in - 2.b). + 2.ii). 4. Process received downstream Consumer responses (as determined - in 2.c) and accumulate information to generate the response - to the upstream Producer (as determined in 2.d). + in 2.iii) and accumulate information to generate the response + to the upstream Producer (as determined in 2.iv). 5. When appropriate, generate and send the response to the upstream Producer. @@ -1221,7 +1222,7 @@ retrievals from the upstream Producer: 3. The OC generates and sends commands in accordance with the SBOM AP to retrieve SBOMs from the 10 downstream Consumers - identified in 2.b. + identified in 2.ii. 4. The OC receives responses containing SBOMs from 8 of the 10 downstream Consumers, and stores those SBOMs in the From 7a27c02ee436a4b122fd86918c421766ba45971a Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 16:54:04 -0400 Subject: [PATCH 40/41] fix formatting --- ap-pac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ap-pac.md b/ap-pac.md index b3a1bf9..2e0cfed 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -515,7 +515,7 @@ Version 1.0 of the OpenC2 Language Specification as they relate to PAC functionality. Table 2.1.3-2 lists the Command Arguments that are defined in this profile. Command Arguments that are defined in this profile (see Table 2.1.3-2) are referenced with -the pac namespace identifier. +the `pac` namespace identifier. #### Table 2.1.3-1 Common Command Arguments Applicable to PAC From e7aa2b1d2498899cf9216d1fec60ced3d3456ff2 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 10 May 2022 17:01:22 -0400 Subject: [PATCH 41/41] minor edit --- ap-pac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ap-pac.md b/ap-pac.md index 2e0cfed..8d23867 100644 --- a/ap-pac.md +++ b/ap-pac.md @@ -617,7 +617,7 @@ referenced with the `pac` namespace. > NOTE: To illustrate response results unique to PAC, os_version > and Software Bill of Materials (SBOM) have been chosen. These -> two use cases well correlate with [RFC 7632](#rfc7632) and +> two use cases correlate well with [RFC 7632](#rfc7632) and > reflect growing community interest in security automation. The > purpose of the use cases is to provide examples of how to > collect the posture attributes from selected endpoints for