From 6437b87b9d1139997c91ce1b7f4405878dbf1e5f Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 9 Jul 2024 12:28:50 -0400 Subject: [PATCH 1/5] first draft of CACAO targets for OC2 APs --- openc2-cacao-ext-v1.0.md | 39 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/openc2-cacao-ext-v1.0.md b/openc2-cacao-ext-v1.0.md index b538195..7a59a46 100644 --- a/openc2-cacao-ext-v1.0.md +++ b/openc2-cacao-ext-v1.0.md @@ -229,6 +229,9 @@ Actuator Profile concept. The logical flow is as follows: - `agent-target-type-ov` "Devices and Equipment" vocabulary is extended with the following types: - `mqtt-broker` agent type for message transfer via MQTT (see [Section 4.1.1](#411-mqtt-broker-agent)) - `openc2-https` agent type for message transfer via HTTPS (see [Section 4.1.2](#412-https-agent) + - `openc2-profile` target type (see [Section 4.2](#42-openc2-cacao-targets)) +- `security-category-type-ov` is extended with the following types: + - `openc2-consumer` (see [Section 4.2](#42-openc2-cacao-targets)) - `variable-type-ov` is extended with the following types - `topic-list` to identify publish / subscribe topics to which a message should be published (see [Section 5.1](#51-__mqtt-topics__-variable)) 
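Review bot: the added bullet `- \`openc2-profile\` target type (see [Section 4.2](#42-openc2-cacao-targets))` is in the wrong list; in the Section 4.2 text of this same patch `openc2-profile` is a property on the extended `security-category` target, not a type in `agent-target-type-ov`, so the only vocabulary change for targets is the `openc2-consumer` entry added under `security-category-type-ov` just below. Drop the bullet. While editing this list, the unchanged `openc2-https` line above it is missing the closing parenthesis after `(#412-https-agent)`.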
@@ -534,7 +537,33 @@ _The IDs used in this example are notional and for illustrative purposes, they d ## 4.2 OpenC2 CACAO Targets -OpenC2 CACAO Targets correspond to OpenC2 Actuator Specifications. +OpenC2 CACAO Targets correspond to OpenC2 Actuator Profile (AP) specifications. +An `openc2` command object SHOULD specify one or more CACAO targets to identify +the OpenC2 APs to be invoked for the execution of the object's OpenC2 command. + +An OpenC2 CACAO target SHALL be of type `security-category` as defined in +Section 7.11 of the [[CACAO v2.0 Specification](#cacao-security-playbooks-v20)]. +The CACAO `security-category-type-ov` is extended as follows: + +| **Type** | **Description** | +|-------------|:--------------------------------------------------------------------------------------| +| `openc2-consumer` | A category of CACAO targets representing OpenC2 Consumers supporting one or more OpenC2 APs| + +The `category` value of an OpenC2 CACAO target SHALL be set to `openc2-consumer`. + +The `security-category` target object is extended with a new field: `openc2-profile`. The resulting extended `security-category` target is structured as follows: + +| **Property Name** | **Data Type** | **Details** | +|-------------------------------|------------------------|------------------------------------------------------| +| **type** (required) | `string` | The value of this property **MUST** be `security-category`. | +| **category** (required) | `list` of `open-vocab` | The value for this property **MUST** be `openc2-consumer`. | +| **openc2-profile** (required) | `string` | The value for this property **SHOULD** be the "Property Name" of an OpenC2 AP. | + +The Property Names of registered OpenC2 APs are found in the [[OpenC2 Namespace Registry](#openc2-namespaces)]. For example an OpenC2 CACAO target for the Stateless Packet Filtering AP would specify the profile as follows: + +```json +"openc2-profile" : "slpf" +``` *** 
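Review bot: the `category` row types the property as `list` of `open-vocab` but both the prose ("The `category` value of an OpenC2 CACAO target SHALL be set to `openc2-consumer`.") and the row's Details ("MUST be `openc2-consumer`") describe a scalar; say that the list MUST contain `openc2-consumer`, and whether other category values may appear alongside it. Similarly, `openc2-profile` is marked `(required)` while its value is only a SHOULD, which makes an arbitrary string conformant with no stated effect; add a sentence on what a consumer does with a value it does not recognise. Last, "An `openc2` command object SHOULD specify one or more CACAO targets" is weaker than the sentence after it implies: if the target is what selects the AP, either make it a MUST or state how the AP is chosen when no target is present. The To-Do that follows should also cover scoping: with an `mqtt-broker` agent a target naming only a profile reaches every consumer subscribed to the topic that implements that profile, so the text should say whether narrowing is expected to come from the agent and topic selection.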
@@ -661,6 +690,10 @@ CACAO Security Playbooks Version 2.0. Edited by Bret Jordan and Allan Thomson. 2 MQTT Version 5.0. Edited by Andrew Banks, Ed Briggs, Ken Borgendale, and Rahul Gupta. 07 March 2019. OASIS Standard. https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html. Latest version: https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html. +###### [OpenC2-HTTPS-v1.1] + +_Specification for Transfer of OpenC2 Messages via HTTPS Version 1.1_. Edited by David Lemire. Latest stage: https://docs.oasis-open.org/openc2/open-impl-https/v1.1/open-impl-https-v1.1.html + ###### [OpenC2-Lang-v1.1] _Open Command and Control (OpenC2) Language Specification Version 1.1_. Edited by Duncan Sparrell and Toby Considine. Latest stage: https://docs.oasis-open.org/openc2/oc2ls/v1.1/oc2ls-v1.1.html @@ -669,9 +702,9 @@ _Open Command and Control (OpenC2) Language Specification Version 1.1_. Edited b Specification for Transfer of OpenC2 Messages via MQTT Version 1.0. Edited by David Lemire. 19 November 2021. OASIS Committee Specification 01. https://docs.oasis-open.org/openc2/transf-mqtt/v1.0/cs01/transf-mqtt-v1.0-cs01.html. Latest stage: https://docs.oasis-open.org/openc2/transf-mqtt/v1.0/transf-mqtt-v1.0.html -###### [OpenC2-HTTPS-v1.1] +###### [OpenC2-Namespaces] -_Specification for Transfer of OpenC2 Messages via HTTPS Version 1.1_. Edited by David Lemire. Latest stage: https://docs.oasis-open.org/openc2/open-impl-https/v1.1/open-impl-https-v1.1.html +_OpenC2 Namespace Registry_. ###### [OpenC2-SLPF-v1.1] From 1bc18edc09ebc06cae46967e40c48b9afca6840e Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 9 Jul 2024 13:51:22 -0400 Subject: [PATCH 2/5] add target example --- openc2-cacao-ext-v1.0.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/openc2-cacao-ext-v1.0.md b/openc2-cacao-ext-v1.0.md index 7a59a46..d4627a6 100644 --- a/openc2-cacao-ext-v1.0.md +++ b/openc2-cacao-ext-v1.0.md 
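Review bot: in the references hunks of PATCH 1/5, the new `[OpenC2-Namespaces]` entry is a stub, `_OpenC2 Namespace Registry_.` with no URL, editor or date, yet Section 4.2 now relies on it as the authoritative source of `openc2-profile` values; add the registry location or flag the entry as a placeholder to be completed before the next stage. The relocated `[OpenC2-HTTPS-v1.1]` entry is correctly alphabetised but, unlike the adjacent MQTT entry, gives no date or approval stage; consider matching that format.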
@@ -565,10 +565,23 @@ The Property Names of registered OpenC2 APs are found in the [[OpenC2 Namespace "openc2-profile" : "slpf" ``` +**Example 4.2 (OpenC2 Target)**
+*The IDs used in this example are notional and for illustrative purposes, they do not represent real objects.* + +```json +"target_definitions": { + "security-category--09b5b900-f333-41fd-9fdc-cb466e9b1f20": { + "type": "security-category", + "name": "OC2 Packet Filter", + "category": [ "openc2-consumer" ], + "openc2-profile" : "slpf" + } +} +``` + *** > **To-Do:** determine what, if anything, needs to be defined beyond the correlation of APs and CACAO Targets.
-> **To-Do:** provide examples of CACAO targets for OpenC2 APs *** From 95febb5675d4d5c70661bf4e10db0c2f7662f944 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 9 Jul 2024 13:53:31 -0400 Subject: [PATCH 3/5] remove extraneous vocab extension --- openc2-cacao-ext-v1.0.md | 1 - 1 file changed, 1 deletion(-) diff --git a/openc2-cacao-ext-v1.0.md b/openc2-cacao-ext-v1.0.md index d4627a6..a7a0f20 100644 --- a/openc2-cacao-ext-v1.0.md +++ b/openc2-cacao-ext-v1.0.md @@ -229,7 +229,6 @@ Actuator Profile concept. The logical flow is as follows: - `agent-target-type-ov` "Devices and Equipment" vocabulary is extended with the following types: - `mqtt-broker` agent type for message transfer via MQTT (see [Section 4.1.1](#411-mqtt-broker-agent)) - `openc2-https` agent type for message transfer via HTTPS (see [Section 4.1.2](#412-https-agent) - - `openc2-profile` target type (see [Section 4.2](#42-openc2-cacao-targets)) - `security-category-type-ov` is extended with the following types: - `openc2-consumer` (see [Section 4.2](#42-openc2-cacao-targets)) - `variable-type-ov` is extended with the following types From 0dc015c43451e12ac1ee64338e2616049116f17a Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 9 Jul 2024 13:54:42 -0400 Subject: [PATCH 4/5] terminology fix; source formatting --- openc2-cacao-ext-v1.0.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/openc2-cacao-ext-v1.0.md b/openc2-cacao-ext-v1.0.md index a7a0f20..d134ff4 100644 --- a/openc2-cacao-ext-v1.0.md +++ b/openc2-cacao-ext-v1.0.md 
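Review bot: in the Example 4.2 hunk of PATCH 2/5, `"category": [ "openc2-consumer" ]` is a list, which matches the `list` of `open-vocab` type in the table but not the table's "MUST be `openc2-consumer`" wording; fix one or the other so the example and the normative text agree. Two small consistency points: `"openc2-profile" : "slpf"` has a space before the colon while the other keys in the example do not, and the notional-IDs caveat is written `*...*` here but `_..._` in the earlier example (visible in the `@@ -534` context line), so pick one emphasis style. Since the prose allows "one or more" targets per command, an example showing a step that references this target ID would make the binding clearer than the target definition alone.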
@@ -550,7 +550,9 @@ The CACAO `security-category-type-ov` is extended as follows: The `category` value of an OpenC2 CACAO target SHALL be set to `openc2-consumer`. -The `security-category` target object is extended with a new field: `openc2-profile`. The resulting extended `security-category` target is structured as follows: +The `security-category` target object is extended with a new property: +`openc2-profile`. The resulting extended `security-category` target is +structured as follows: | **Property Name** | **Data Type** | **Details** | |-------------------------------|------------------------|------------------------------------------------------| @@ -558,7 +560,10 @@ The `security-category` target object is extended with a new field: `openc2-prof | **category** (required) | `list` of `open-vocab` | The value for this property **MUST** be `openc2-consumer`. | | **openc2-profile** (required) | `string` | The value for this property **SHOULD** be the "Property Name" of an OpenC2 AP. | -The Property Names of registered OpenC2 APs are found in the [[OpenC2 Namespace Registry](#openc2-namespaces)]. For example an OpenC2 CACAO target for the Stateless Packet Filtering AP would specify the profile as follows: +The Property Names of registered OpenC2 APs are found in the +[[OpenC2 Namespace Registry](#openc2-namespaces)]. +For example an OpenC2 CACAO target for the +Stateless Packet Filtering AP would specify the profile as follows: ```json "openc2-profile" : "slpf" From c4d0dd1d6d5b620337a5c819260e5c675548b024 Mon Sep 17 00:00:00 2001 From: David Lemire Date: Tue, 9 Jul 2024 13:55:51 -0400 Subject: [PATCH 5/5] qualify: "registered" openc2 ap --- openc2-cacao-ext-v1.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openc2-cacao-ext-v1.0.md b/openc2-cacao-ext-v1.0.md index d134ff4..b2a38c1 100644 --- a/openc2-cacao-ext-v1.0.md +++ b/openc2-cacao-ext-v1.0.md 
@@ -558,7 +558,7 @@ structured as follows: |-------------------------------|------------------------|------------------------------------------------------| | **type** (required) | `string` | The value of this property **MUST** be `security-category`. | | **category** (required) | `list` of `open-vocab` | The value for this property **MUST** be `openc2-consumer`. | -| **openc2-profile** (required) | `string` | The value for this property **SHOULD** be the "Property Name" of an OpenC2 AP. | +| **openc2-profile** (required) | `string` | The value for this property **SHOULD** be the "Property Name" of a registered OpenC2 AP. | The Property Names of registered OpenC2 APs are found in the [[OpenC2 Namespace Registry](#openc2-namespaces)].
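Review bot: qualifying the value as "a registered OpenC2 AP" is right, but the row remains `(required)` with only a SHOULD on its value, so an unregistered string is still conformant and its effect is undefined; either raise the SHOULD to MUST, or add a sentence after the table stating how a CACAO consumer treats an `openc2-profile` value that is absent from the registry (reject the target, or pass it through as a vendor-defined profile).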