Draft CPE 2.3 Specifications Released


Draft CPE 2.3 Specifications Released

Waltermire, David A.

Community Members,

 

I am pleased to announce the public comment release of two Draft NIST Interagency Reports (IR) on the Common Platform Enumeration (CPE) specification version 2.3. CPE, which is one of the fundamental components of the Security Content Automation Protocol (SCAP), provides a standardized way to identify and describe software and hardware devices present in an enterprise's computing asset inventory. Draft NISTIR 7697 (second public draft) defines the CPE Dictionary specification, including the semantics of its data model and the rules associated with CPE dictionary creation and management. Draft NISTIR 7698 (initial public draft) provides the CPE Applicability Language specification, which allows construction of complex logical groupings of CPE names to describe IT platforms.

 

Two other new reports (2nd draft) released earlier propose the remaining specifications as part of CPE version 2.3. Draft NIST IR 7695 defines the CPE naming specification, including the logical structure of well-formed CPE names and the procedures for binding and unbinding these names with machine-readable encodings. Draft NIST IR 7696 provides the CPE matching specification, which defines procedures for comparing CPE names to determine whether they refer to some or all of the same products or platforms.

 

NIST requests comments on draft IRs 7695, 7696, 7697 and 7698 by Friday, June 24th, 2011. Please submit public comments to [hidden email] or private comments to [hidden email].

 

The CPE 2.3 draft specifications can be accessed at:

 

http://scap.nist.gov/specifications/cpe/

 

Sincerely,

 

David Waltermire

SCAP Architect

National Institute of Standards and Technology

(301) 975-3390

[hidden email]

 


Re: Follow-up from SCAP Developer Days on autoconversion to CPE-compliant text (UNCLASSIFIED)

WOLFKIEL, JOSEPH L CIV DISA PEO-MA
Classification:  UNCLASSIFIED
Caveats: NONE

Noting that it's been quite a while since I posted an update to the CPE list on where we are with auto-generating CPE candidates from the Windows registry.  Here's the latest.

We have completed development of a tool that does a registry scrape on Windows NT and later and returns CPE-formatted names.  The tool pulls data from the following registry keys:

\HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
\HKLM\Software\Microsoft\Internet Explorer
\HKLM\Software\Microsoft\MediaPlayer\Setup

It also pulls from \HKLM\Software\Microsoft\Windows\CurrentVersion\Installer through the MSI API functions.

Once the vendor, product, and version info is pulled, it's encoded into CPE 2.2/2.3 compliant URI text by using the attached lookup lists (in the "Windows cpe converter.py" file).  This produces CPE 2.2/2.3 REGEX compliant text strings that we'll be using in policy and reporting. Characters that don't appear in the Listin enumeration are dropped to eliminate the opportunity for potentially malicious non-printing characters to be picked up and sent as part of a CPE name.  I've included a file that shows sample CPE 2.2/2.3-compliant names recovered from sample VMs I have, including MS SQL Server 2003, Windows 7, and Windows XP.

One "special" twist is that Microsoft sometimes doesn't include the KB number in the product name, so the KB number will be recovered separately and appended to the patch name with a tilde to ensure that the KB number is always present.  In some cases, this means the KB number will appear 2X, but I'd rather have that than not have it at all.

We're also doing similar transforms for Solaris, Red Hat, Ubuntu, MacOS, and HPUX.


Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(301) 225-8820
[hidden email]



Attachments: Windows_cpe_converter.py (2K), 2011-06-30 ACCM CPEs.txt (90K)
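A worked example added here by the editor; it is not the DISA converter attached above and not code from the NIST drafts. It puts together the two technical pieces of this thread: the CPE 2.3 naming and matching rules announced in the first message (WFN attributes bound to a 2.2 URI and to a 2.3 formatted string, then pairwise attribute comparison per the matching spec) and the registry-scrape candidate generation described in this message. The registry rows are constructed and the KB numbers are placeholders; the character allow-list, the guess that every candidate is part "a", the vendor normalisation and the "~" KB suffix are this example's assumptions modelled on the message, and wildcard handling is simplified to unquoted "*" / "?" on the policy side only.

```python
"""Windows registry rows -> CPE candidate names -> CPE 2.3 matching.
Added example for this thread; not the DISA converter attached above and not
NIST reference code.  The rows are constructed: on a real host they would be
read with winreg from HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall."""
import re

ANY, NA = "ANY", "NA"   # CPE 2.3 logical values (NISTIR 7695 WFN)
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed sample rows; the KB numbers are placeholders, not real updates.
SAMPLE_REGISTRY = [
    {"DisplayName": "Microsoft SQL Server 2008 R2",
     "Publisher": "Microsoft Corporation", "DisplayVersion": "10.50.1600.1"},
    {"DisplayName": "Security Update for Windows 7 (KB1234567)",  # KB in name
     "Publisher": "Microsoft Corporation", "DisplayVersion": "1", "KB": "KB1234567"},
    {"DisplayName": "Hotfix for Windows 7",          # KB only in a side value
     "Publisher": "Microsoft Corporation", "DisplayVersion": "1", "KB": "KB7654321"},
    {"DisplayName": "Legit App\x00\x07",             # hostile control bytes
     "Publisher": "Acme\x00Co", "DisplayVersion": "1.0"},
]

NOT_ALLOWED = re.compile(r"[^a-z0-9._-]")   # this example's allow-list

def sanitize(raw):
    """Lower-case, turn whitespace runs into '_', drop every byte outside the
    allow-list (the 'drop it' policy for odd or non-printing characters) and
    tidy the underscores.  An empty result becomes ANY."""
    s = re.sub(r"\s+", "_", raw.strip().lower())
    s = NOT_ALLOWED.sub("", s)
    return re.sub(r"_+", "_", s).strip("_") or ANY

def candidate_wfn(row):
    """One registry row -> WFN (dict of the 11 attributes).  part is assumed
    'a' (the registry does not say); a KB held in a separate value is appended
    to the product with '~', so a product that already names its KB has it twice."""
    vendor = sanitize(row["Publisher"]).replace("_corporation", "")
    product = sanitize(row["DisplayName"])
    if row.get("KB"):
        product += "~" + sanitize(row["KB"])
    wfn = dict.fromkeys(ATTRS, ANY)
    wfn.update(part="a", vendor=vendor, product=product,
               version=sanitize(row["DisplayVersion"]))
    return wfn

def bind_uri(wfn):
    """CPE 2.2 URI binding: first 7 attributes, ANY/NA empty, trailing empties
    trimmed.  sanitize() output is already URI-safe ('~' is legal in 2.2)."""
    comps = ["" if wfn[a] in (ANY, NA) else wfn[a] for a in ATTRS[:7]]
    while comps and comps[-1] == "":
        comps.pop()
    return "cpe:/" + ":".join(comps)

def bind_fs(wfn):
    """CPE 2.3 formatted-string binding: all 11 attributes, ANY -> '*',
    NA -> '-', everything that is not alphanumeric, '_' or an unquoted
    wildcard backslash-quoted (so the '~' KB separator becomes '\\~')."""
    def enc(v):
        return ("*" if v == ANY else "-" if v == NA
                else re.sub(r"([^A-Za-z0-9_*?])", r"\\\1", v))
    return "cpe:2.3:" + ":".join(enc(wfn[a]) for a in ATTRS)

def compare_attr(src, tgt):
    """Attribute comparison following the CPE 2.3 matching rules (NISTIR 7696).
    Simplification: unquoted '*' / '?' in src are wildcards and tgt is literal,
    which holds for registry-derived candidates after sanitize()."""
    if src == tgt:
        return "EQUAL"
    if src == ANY:
        return "SUPERSET"
    if tgt == ANY:
        return "SUBSET"
    if NA in (src, tgt):
        return "DISJOINT"
    pattern = re.escape(src).replace(r"\*", ".*").replace(r"\?", ".")
    return "SUPERSET" if re.fullmatch(pattern, tgt) else "DISJOINT"

def cpe_superset(source, target):
    """CPE_SUPERSET: every source attribute is EQUAL or SUPERSET of target's,
    i.e. a policy name covers a discovered candidate."""
    return all(compare_attr(source[a], target[a]) in ("EQUAL", "SUPERSET")
               for a in ATTRS)

def policy_wfn(**attrs):
    """Policy-side WFN: anything not given is ANY."""
    wfn = dict.fromkeys(ATTRS, ANY)
    wfn.update(attrs)
    return wfn

if __name__ == "__main__":
    # Policy: any Microsoft product carrying KB7654321 as a '~' suffix.
    wants_kb = policy_wfn(part="a", vendor="microsoft", product="*~kb7654321")
    for wfn in (candidate_wfn(r) for r in SAMPLE_REGISTRY):
        print(bind_uri(wfn))
        print(bind_fs(wfn))
        print("   covered by the KB7654321 policy:", cpe_superset(wants_kb, wfn))
```

Run as a script it prints both bindings for each candidate and whether a policy name with product `*~kb7654321` covers it. Two details from the thread are visible in the output: the candidate whose DisplayName already contains the KB ends up carrying it twice, and the row with embedded NUL and BEL bytes comes out with only allow-listed characters, so nothing non-printing can ride along into the reported name.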

Re: Follow-up from SCAP Developer Days on autoconversion to CPE-compliant text (UNCLASSIFIED)

Stav Raviv

Hi,

I’ve been (quietly) following this list for quite some time now.

I'm sorry for the late response, and please excuse me if I’m repeating something that has already been discussed.

 

There are some things I don't understand, and I'd appreciate it if you could clear them up:

 

·         According to the attached file (2011-06-30 ACCM CPEs.txt ) the CPE compliant names don’t have a “part” component. Does this still count as CPE compliant?

·         I also don't understand how come the KB is part of the CPE. Shouldn't CPE list products? Or patches as well?

 

Thanks in advance,

 

Stav Kaufman

Content Team

(T)  +972-9-9545922

[hidden email]

 


 

Learn More about Skybox Solutions and Technology: www.skyboxsecurity.com

 

 

 

-----Original Message-----
From: WOLFKIEL, JOSEPH L CIV DISA PEO-MA [mailto:[hidden email]]
Sent: Thursday, June 30, 2011 3:07 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Follow-up from SCAP Developer Days on autoconversion to CPE-compliant text (UNCLASSIFIED)



Re: Follow-up from SCAP Developer Days on autoconversion to CPE-compliant text (UNCLASSIFIED)

WOLFKIEL, JOSEPH L CIV DISA PEO-MA
Classification:  UNCLASSIFIED
Caveats: NONE

My apologies for that.  The CPEs in the file were a demonstration of what you would get if you auto-generate CPEs by doing a Windows registry scrape.  Since there isn't any machine logic to determine what is and isn't a patch, application, hardware driver, language pack, etc., you get what you get.  It's just in CPE REGEX format.

The idea is that all these "candidate" CPEs get reported up to a central location where some manual process differentiates between "valid" CPEs and non-valid CPEs.

This is my suggestion to the community of how to deal with automated software inventory using CPE.  It allows you to report "zero-day" discovered software and has the added benefit of exposing patches as well.

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(301) 225-8820
[hidden email]

-----Original Message-----
From: Stav Raviv [mailto:[hidden email]]
Sent: Tuesday, August 16, 2011 3:36 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Follow-up from SCAP Developer Days on autoconversion to CPE-compliant text (UNCLASSIFIED)
