Team,
This was the response from Christopher Johnson of DISA's VMS/Gold Disk team:
Steve,
VMS and Gold Disk employ elements and conditions in two distinct ways:
1. Asset Registration:
Elements are used to describe securable objects. A securable object is
defined as any physical or logical object for which security guidance
can be issued. Each element is a singular assertion or fact used to
describe these objects. During asset registration, the user either
manually traverses the element treeview display and selects those
products present on the system or imports the asset element posture from
an automated tool. As seen in the examples below, an element can serve
as a container object (e.g., Computing, Operating System). In most
cases, an effort has been made by the element maintainers to "fully
qualify" the name of each element.
Computing -> Operating System -> Windows -> Windows 2000 -> Windows
2000 SP4
Non-Computing -> Enclave -> Data Center Enclave
2. Vulnerability Maintenance:
Conditions are Boolean expressions comprised of Elements. Conditions
can be associated with vulnerabilities and with Gold Disk checks/fixes
and are used to identify the affected products.
For example: (Windows 2000 AND Member Server AND Oracle 9i)
When associating a condition with a vulnerability in VMS, the
vulnerability maintainer must also identify a "target" element. The
target element in this context identifies the element that is
vulnerable. For instance, in the previous example both Windows 2000 and
Oracle 9i are evaluated as part of the condition. The ability to assign
a target allows the vulnerability maintainer to answer the questions "Is
this an Oracle vulnerability that is present when run on a Windows 2000
system" or "Is this a Windows vulnerability that manifests itself when
Oracle 9i is installed on the system?". The target element also
provides a means for logically grouping vulnerabilities according to the
affected product. Though available to the vulnerability maintainer,
most of the conditional complexity is implemented at the Gold Disk check
and fix level.
There is both a integer key and a unique textual description associated
with each element. The element also maintains two integer values
(LeftNodeID and RightNodeID) that are used for traversal purposes as
part of a nested-set implementation. These values determine the
element's global location within the tree hierarchy and establish the
set boundaries that are used by the stored procedure algorithms that
assign vulnerabilities to assets.
-Chris
Quoting
[hidden email]:
> Drew et al,
>
> I suggest we solicit DISA as to how they handled their platform naming
> construct in the Gold Disk/VMS paradigm. If I recall, it pairs a sequential
> index number to an ordered, enumerated platform category. This allows for
> mathematical traversals of the index to determine conditional applicability
> of
> vulnerabilities/misconfigurations (i.e. CCEs) while at the same time offering
> an
> English Prose platform naming construct for higher-level roll up. The
> approach
> accommodated the requirements of both the host-based scanner and
> import/reporting requirements of the database. It also provided a clear
> demarcation as to where the platform name stops and the logic for
> conditional
> CCE/CVE begins.
>
> Can anyone from the DISA VMS/Gold Disk team weigh in on this? If I missed
> their
> comments from an earlier thread, my apologies in advance.
>
> Respectfully,
> Steve
>
> Quoting "Buttner, Drew" <
[hidden email]>:
>
> > One thing to remember is that we can not encode all the information
> > about when a vulnerability/patch applies in a CPE Name. At some point,
> > the level of information needs to stop and users need to be directed to
> > the OVAL Definition instead.
> >
> > So what is the goal we are trying to accomplish by using a CPE Name?
> > Obviously everyone is going to have slightly different goals. CPE is
> > trying to provide a unique name for a variety of platforms.
> >
> > For the example we had been working with, I would suggest that you
> > provide a list of CPE Names. Each name would represent a version of
> > Bind that is affected by the advisory.
> >
> > cpe:/a:redhat:bind:2.3
> > cpe:/a:redhat:bind:2.4
> > cpe:/a:redhat:bind:2.5
> >
> > Of course you provided an example where this wouldn't work ...
> >
> >
> > >A better example might be RHSA-2007:0569
> > >
https://rhn.redhat.com/errata/RHSA-2007-0569.html> > >
> > >This advisory applies to tomcat5-5.5.23 as shipped in
> > >redhat:enterprise_linux:5:client_workstation and
> > >redhat:enterprise_linux:5:server
> > >but not the tomcat we shipped in
> > >redhat:certificate_server:7.2 or
> > >redhat:certificate_server:7.3 or
> > >redhat:rhel_application_server:1 or
> > >redhat:rhel_application_server:2 or
> > >redhat:rhel_directory_server:3 or
> > >fedora_project:fedora_core:6 or
> > >fedora_project:fedora:7,
> > >even though some of those share the same tomcat version
> > >number (and indeed that isn't the complete list of
> > >distributions in which we ship the same and different
> > >versions of the tomcat application)
> >
> >
> > The current 2.0 draft would have this relationship expressed by the CPE
> > Language. And given the talk to remove the string representation, this
> > would be done via a chunk of XML. Looking at the info trying to be
> > conveyed in the example, XML may not be a bad idea. Of course you may
> > not be set up to hold an XML block where this info is being stored.
> >
> > I think this is a GREAT use case for helping us determine where to go
> > with CPE related to this issue. The debate is about complex names vs.
> > languages. Should CPE Names attempt to relay the information in the
> > example above? Should this be left to the CPE Language? Should the
> > CPE Language have a string representation so instances can be stored
> > along side traditional CPE Names? Should users that need complex name
> > just be forced to use XML?
> >
> > Lots of questions that require lots of thought. The more opinions we
> > can have on this the better.
> >
> > Thanks
> > Drew
> >
>
>
> --
> Stephen Quinn
> NIST
--
Stephen Quinn
NIST
