Duncan,
Just to follow up on this “And I believe the OASIS OpenC2 TC has OpenDxl as a draft spec that is currently empty awaiting McAfee input.”
Can you point me to literature on what input we are awaiting from McAfee on this? I can get some traction on this.
Sudeep
From: "duncan sfractal.com" <duncan@sfractal.com>
Date: Sunday, January 19, 2020 at 6:16 PM
To: "Das, Sudeep" <Sudeep_Das@McAfee.com>, "openc2-plugfest-2019@lists.oasis-open.org" <openc2-plugfest-2019@lists.oasis-open.org>
Cc: "Vanjarapu, Vinod" <Vinod_Vanjarapu@McAfee.com>
Subject: Re: PlugFest Capabilities [McAfee]
Sudeep,
Looks like great stuff. I apologize if these questions have already been answered – I’ve been out of country so only communicating intermittently. What transport are you using – http/s, OpenDxL, Google Pub/Sub, …? I believe some others have expressed interest in OpenDxl, so it would be interesting to do some interworking tests if you are supporting OpenDxl. And I believe the OASIS OpenC2 TC has OpenDxl as a draft spec that is currently empty awaiting McAfee input. So if you are using OpenDxl, could you give some details (independent of the plugfest, since we aren’t supposed to draft OASIS specs at the plugfest) so we can start putting text in the spec.
Thanks.
Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at http://vsre.info/
From: "Das, Sudeep" <Sudeep_Das@McAfee.com>
Date: Saturday, January 18, 2020 at 8:16 AM
To: "openc2-plugfest-2019@lists.oasis-open.org" <openc2-plugfest-2019@lists.oasis-open.org>
Cc: "Vanjarapu, Vinod" <Vinod_Vanjarapu@McAfee.com>
Subject: PlugFest Capabilities [McAfee]
Greetings, fellow Plug Fest participants!
Here's a menu of what we're working on for the Plug Fest.
A. McAfee ePO as an actuator
   a. For accessing the inventory of McAfee endpoints. You can use the query action on a properties target with the x-mfe-sbom actuator:
      i. sbom (software bill of materials, currently limited to McAfee security products installed on a device/end point)
      ii. asset_id: McAfee's own asset id for an end point (for those familiar with ePO, this is the agentguid)
      While implementing, we encountered difficulty in specifying a device more fully, and we would like to propose enhancements to the device target to be able to identify a device based on a combination of one or more device attributes. I believe the spec does allow extensions, but standardizing a minimal set of filterable attributes would help.
      iii. <anyother>: We will have the ability to enhance the attributes on the fly during the plugfest, limited to the attributes that we natively know about a managed device
   b. For triggering a software update on a device, currently limited to updating McAfee software and AV signature definitions
      - You will use the update action on a device target with the x-mfe-update actuator
B. A sample actuator that implements a firewall allow for an IPv4 connection on an AWS VPC NACL
C. A sample "sensor" producer that
   a. detects an "outbound" http(s) request,
   b. queries the actuators for sbom,
   c. validates compliance (restricted to checking specific software and versions) by interfacing with the above actuators,
   d. triggers the "update" actuator if non-compliant,
   e. triggers "allow" on the sample firewall
Work in progress, but some of the interfaces may be seen at
https://app.swaggerhub.com/apis/sudeepd/openc2/1.0.0#/default/openc2Command
There are sample requests and responses included in the swagger spec.
We will have a sample environment accessible and running.
-Sudeep
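An added example, not code from McAfee or the OpenC2 TC, of the sensor flow from the PlugFest message (query sbom, check versions, then update or allow) as OpenC2 v1.0-style command objects. The x-mfe-sbom and x-mfe-update actuator names come from the message; the field contents inside those actuator objects, the sample sbom and the required-version table are assumptions.

```python
"""Sensor/actuator exchange from the PlugFest message as OpenC2-style JSON.
Added example; the x-mfe-* actuator contents and version table are assumed."""
import json

# Constructed sample: minimum versions the sensor insists on (assumption).
REQUIRED_VERSIONS = {"McAfee Agent": "5.6.0", "Endpoint Security": "10.7.0"}

def version_tuple(v):
    """'10.7.0' -> (10, 7, 0) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def query_sbom_command(asset_id):
    """Step b: query action on a properties target, x-mfe-sbom actuator."""
    return {"action": "query",
            "target": {"properties": ["sbom", "asset_id"]},
            "actuator": {"x-mfe-sbom": {"asset_id": asset_id}}}  # contents assumed

def noncompliant(sbom):
    """Step c: products missing or older than REQUIRED_VERSIONS.
    sbom is the (assumed) response payload: list of {"name":..., "version":...}."""
    installed = {p["name"]: p["version"] for p in sbom}
    bad = []
    for name, minimum in REQUIRED_VERSIONS.items():
        have = installed.get(name)
        if have is None or version_tuple(have) < version_tuple(minimum):
            bad.append(name)
    return bad

def next_command(asset_id, sbom, conn):
    """Steps d/e: update the device if non-compliant, else allow the connection."""
    bad = noncompliant(sbom)
    if bad:
        return {"action": "update",
                "target": {"device": {"device_id": asset_id}},
                "actuator": {"x-mfe-update": {"products": bad}}}  # contents assumed
    return {"action": "allow",
            "target": {"ipv4_connection": conn}}

if __name__ == "__main__":
    # Constructed sample inputs: one product up to date, one behind the minimum.
    sbom = [{"name": "McAfee Agent", "version": "5.6.1"},
            {"name": "Endpoint Security", "version": "10.6.1"}]
    conn = {"src_addr": "10.0.0.5", "dst_addr": "198.51.100.7",
            "dst_port": 443, "protocol": "tcp"}
    print(json.dumps(query_sbom_command("agent-guid-0001"), indent=1))
    print(json.dumps(next_command("agent-guid-0001", sbom, conn), indent=1))
```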