Download A SCAP Database Model

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
Document related concepts

Microsoft Jet Database Engine wikipedia , lookup

IMDb wikipedia , lookup

Database wikipedia , lookup

Entity–attribute–value model wikipedia , lookup

Functional Database Model wikipedia , lookup

Relational model wikipedia , lookup

Object-relational impedance mismatch wikipedia , lookup

Extensible Storage Engine wikipedia , lookup

Clusterpoint wikipedia , lookup

Database model wikipedia , lookup

Transcript 
A SCAP Database Model
All of SCAP data in a Relational Database
[email protected]
www.lumension.com
A mini-system to learn SCAP
A SCAP database with all of the SCAP data in it
Examples (with source code)
 Automatic updates utility
 Automatic import of client data
 Detection of equivalent OVAL elements
Schema-change tolerant DB design
 SCAP data formats (schema) are constantly change
 Authors can lag in updating
 Tools and data formats may be out of sync
www.lumension.com
XML and Databases
Xml is excellent for distribution, poor for analysis and
reporting (databases are better)
 XML is single computer/thread centric (no sharing)
 DB is data set centric with concurrent access
Exposes XML data as regular columns / rows
 Reporting staff do not need to learn XML
www.lumension.com
A simple logical database model
AlternativeCVSS
HREF
CPE
XCCDF
CveID
href
CpeID
Xml
CVSS
MimeTypeID
Description
XccdfGuid
Text
Xml
AddDate
NamespaceUri
Oval
CVE
OvalID
localName
CCE
CceID
XccdfElement
CveID
OvalGuid
Xml
Xml
Xml
XccdfGuid
ImportTimeStamp
Definition
Version
ElementID
NamespaceUri
Xml
AddDate
XccdfElementGuid
ID
VendorStatements
Xml
CveID
www.lumension.com
Device_OvalState
Device
DeviceGuid
DeviceGuid
OvalID
HostName
State
Description
AsOf
Xml
Device_XccdfProfile
DeviceGuid
AddDate
ChangedDate
What we will cover
Importing SCAP Xml files






CVE - Vulnerability
CVSS – Scoring
OVAL -- Assessment
CPE – Product
XCCDF – Checklist
CCE – Configuration
Importing OVAL result files from clients
Querying OVAL elements for equivalency
 Reduce client test load by 25+%
www.lumension.com
Examples of importing / exporting data
Import of OVAL results into the database
 Files are dropped into a folder
 Utility will pick up and insert into the database automatically
Export of equivalent OVAL element
 Eliminate redundant and duplicate data
 OVAL comes from multiple sources
 Duplications must be expected and handled
www.lumension.com
SCAP Import Utility
Two mode of operation:
 Drop the Xml files in a folder
 Edit DataFiles.Xml to point to locations you want checked for
changes.
Files are uploaded into DB and processed automatically
sqlXml = new SqlXml(new XmlTextReader(fileName));
db = new ImportDataBase();
cmd = db.StoredProcedure("ImportScapXmlFile");
cmd.Parameters.AddWithValue("FileName", fi.Name);
cmd.Parameters.AddWithValue("ScapXml", sqlXml);
cmd.ExecuteNonQuery();
www.lumension.com
Common Vulnerability Enumeration (CVE) http://nvd.nist.gov/
The physical data is simple – 2 columns
The logical data can consist of many columns and
additional rows.
 Calculated columns generates the logical columns.
 Cross Apply generates the logical rows
www.lumension.com
Example of Computed Columns
XQuery is used to convert XML into Columns
 SELECT xml.value('(/*/@CVSS_score)[1]','float') as
CVSS_Score
Proper design tolerates change of schema
 Note: cve/1.2 and no namespace above
www.lumension.com
Example of Logical Rows
All of the data can be
extracted into computed views
 We get multiple logical rows from
one physical row.
Tolerates typical evolution of
schema
Create View vCVE_VendorProduct As
select
CVEID,
item.value('./@name','varchar(100)') as ProductName,
item.value('./@vendor','varchar(100)') as Vendor
from CVE Cross Apply
Xml.nodes('//*[@name and @vendor]') as prod(item)
www.lumension.com
More logical rows examples
www.lumension.com
Common Vulnerability Scoring System (CVSS)
All CVEs come with a generic NIST determined CVSS
score and vector
Organizations may wish to determine their own score
and vectors.
Computed column can automatically replace NIST value
with your own.
CVE
CveID
Xml
ImportTimeStamp
localName
NamespaceUri
CVSS_vector
Published
Modified
severity
CVSS_Score
www.lumension.com
AlternativeCVSS
CveID
CVSS
Open Vulnerability and Assessment Language (OVAL)
Physical table slightly more complex
 OvalID (could be computed)
 Element Version (could be computed)
 SchemaVersion is the version of OVAL
 Comes from header of imported file
www.lumension.com
OVAL Logical Columns and Logical Rows
SELECT localname, count(*) as [Count]
from OVAL group by localname
SELECT namespaceuri, count(*) as
[Count] from OVAL group by
namespaceuri
Over 70 different logical record
layouts
www.lumension.com
Some OVAL Logical Rows
www.lumension.com
Data is often hierarchical in the XML
Extract of hierarchy is easy
 definition  test  state
 Object var
 State var
www.lumension.com
Common Platform Enumeration (CPE)
CPE has a 2 column physical structure
<cpe-item name="cpe:///0verkill:0verkill">
<title>0verkill 0verkill</title>
</cpe-item>
www.lumension.com
Putting the parts together
OVAL-CVE (CVSS) -CPE
www.lumension.com
Extensible Configuration Checklist Description Format
(XCCDF)
No Global Identifiers results in more columns
One table is for identification only.
XCCDF
Xml
XccdfElement
XccdfGuid
XccdfGuid
AddDate
ElementID
NamespaceUri
Xml
localName
XccdfElementGuid
Version
ID
Status
NamespaceUri
StatusDate
localName
Title
Platform
www.lumension.com
XCCDF computed and cross-apply
www.lumension.com
Putting SCAP into play
Identifying devices/computers…
Recording automated results
Recording manual results
www.lumension.com
Device / Host Identification
OVAL’s system_info node provides the pattern (included
with all OVAL results)
Physical Table is just two columns
www.lumension.com
Device information
OVAL interpreters returns a <system_info>
 Contains sufficient information to uniquely identify the device
99.9% of the time
www.lumension.com
Device computed columns and logical rows
www.lumension.com
OVAL Results
Uploaded just like SCAP files
 Put into a folder and utility will upload
Complete history is kept (purge as needed)
 UploadID points to source document
www.lumension.com
Using the database to improve performance
OVAL data is coming from multiple authors
 Often the same element content is seen with many different ids
 Some sources have 20% duplicate internally
If we can identify duplicate contents and eliminate it,
then
 Size of the OVAL file to download is reduced
 Number of tests and executions on the client is reduced and less
work (i.e. CPU usage, memory) on the client.
Utility identifies duplicate content
www.lumension.com
This is just a start …
We have
 Viewed how SCAP elements are related
 An elegant but simple design for a SCAP database
 Supports reporting across multiple devices
 Runs on free software (SQLExpress 2005)
 Will support up to 4 gigs (with Express) for each of:
» Device history data
» SCAP import data history
» Current State data of devices
 Automated import of SCAP data
 Automated import of Device result files
www.lumension.com
Where do you get this stuff
Source:
 http://oval.lassesen.com/Nist2007/
Database: (Free – no expiry)
 Microsoft SQL Server Management Studio Express
 Microsoft SQL Server 2005 Express Edition with Advanced
Services Service Pack 2
 Allows full text search of XML
www.lumension.com
Related documents
Endpoint Security Device Control (formerly Sanctuary)
Endpoint Security Device Control (formerly Sanctuary)
Eucalyptus polyanthemos
Eucalyptus polyanthemos
IS605/606: Information Systems Instructor: Dr. Boris Jukic
IS605/606: Information Systems Instructor: Dr. Boris Jukic
World Wide Web Conference
World Wide Web Conference
Function Definition
Function Definition
FinalExamReview
FinalExamReview
A new programming language: what for?
A new programming language: what for?
XML Parsing Using JAXP
XML Parsing Using JAXP
02-Shape Game - TeachersTeacherProjects
02-Shape Game - TeachersTeacherProjects
XML machine the successor to von Neumann?
XML machine the successor to von Neumann?
Streilein
Streilein
May 29, 2001
May 29, 2001