openc2-imple message
Subject: Re: [Non-DoD Source] Re: OpenDxl as OpenC2 transport


"Given the age and discontinuity of everything, we may be better off just using the HTTPS or MQTT specs as a template then take it from there. Sound logical?"

Absolutely. My motivation was to be able to map the http(s) transport to opendxl, as the starting point.

-Sudeep

 

 

From: "Brule, Joseph M" <jmbrule@radium.ncsc.mil>
Date: Thursday, January 23, 2020 at 7:45 AM
To: "dave.lemire" <dave.lemire@g2-inc.com>, "duncan sfractal.com" <duncan@sfractal.com>
Cc: "Das, Sudeep" <Sudeep_Das@McAfee.com>, Michelle Barry <mb8523@att.com>, "openc2-imple@lists.oasis-open.org" <openc2-imple@lists.oasis-open.org>
Subject: RE: [Non-DoD Source] Re: OpenDxl as OpenC2 transport

 

CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

 


Thanks Dave!  It is actually coming back to me now.  I remember she wrote up a draft for MQTT and I sent it to one of the McAfee guys because their OpenDXL actually includes a pub sub AND https tunnels. 

 

Sudeep,

 

Given the age and discontinuity of everything, we may be better off just using the HTTPS or MQTT specs as a template then take it from there.  Sound logical?

 

From: Dave Lemire <dave.lemire@g2-inc.com>
Sent: Thursday, January 23, 2020 10:39 AM
To: duncan sfractal.com <duncan@sfractal.com>
Cc: Das, Sudeep <Sudeep_Das@mcafee.com>; Michelle Barry <mb8523@att.com>; openc2-imple@lists.oasis-open.org; Brule, Joseph M <jmbrule@radium.ncsc.mil>
Subject: [Non-DoD Source] Re: OpenDxl as OpenC2 transport

 

There's a TC repo for an OpenDXL transfer spec (https://github.com/oasis-tcs/openc2-transf-odxl) but it has no content.

 

Joe Brule had been in contact with folks from McAfee (Kent Landfield, Scott MacGregor) regarding an OpenDXL transfer spec; last traffic I recall on that subject was long ago (many, many months, maybe August 2018?).  Sudeep was CC'd on some of that traffic.

 

I seem to recall Scott saying that he was supportive but was dependent on getting output from engineering resources that he didn't control.

 

Dave

 

David Lemire, CISSP

Systems Engineer

HII Mission Driven Innovative Solutions (HII-MDIS), formerly G2, Inc.

Technical Solutions Division

302 Sentinel Drive | Annapolis Junction, MD 20701

Email: dave.lemire@g2-inc.com

Work: 301-575-5190 | Mobile: 240-938-9350

 

 

On Thu, Jan 23, 2020 at 9:37 AM duncan sfractal.com <duncan@sfractal.com> wrote:

I'm replying to wider IC subcommittee that owns the work so someone who knows it better than I can reply. Dave, Michelle - can one of you as cochairs point Sudeep to whatever we have, and work with him wrt his volunteering to help draft it.

 

iPhone, iTypo, iApologize

 

Duncan Sparrell

sFractal Consulting, LLC

I welcome VSRE emails. Learn more at http://vsre.info/

 


From: Das, Sudeep <Sudeep_Das@McAfee.com>
Sent: Thursday, January 23, 2020 9:30 AM
To: duncan sfractal.com
Subject: Re: PlugFest Capabilities [McAfee]

 

Duncan,

Just to follow up on this: "And I believe the OASIS OpenC2 TC has OpenDxl as a draft spec that is currently empty awaiting McAfee input."

Can you point me to literature on what input we are awaiting from McAfee on this? I can get some traction on this.

Sudeep

 

 

From: "duncan sfractal.com" <duncan@sfractal.com>
Date: Sunday, January 19, 2020 at 6:16 PM
To: "Das, Sudeep" <Sudeep_Das@McAfee.com>, "openc2-plugfest-2019@lists.oasis-open.org" <openc2-plugfest-2019@lists.oasis-open.org>
Cc: "Vanjarapu, Vinod" <Vinod_Vanjarapu@McAfee.com>
Subject: Re: PlugFest Capabilities [McAfee]

 


 


Sudeep,

Looks like great stuff. I apologize if these questions have already been answered; I've been out of country so only communicating intermittently. What transport are you using: http/s, OpenDxL, Google Pub/sub, ...? I believe some others have expressed interest in OpenDxl so it would be interesting to do some interworking tests if you are supporting OpenDxl. And I believe the OASIS OpenC2 TC has OpenDxl as a draft spec that is currently empty awaiting McAfee input. So if you are using OpenDxl, could you give some details (independent of the plugfest since we aren't supposed to draft OASIS specs at the plugfest) so we can start putting text in the spec.

Thanks.

 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

From: "Das, Sudeep" <Sudeep_Das@McAfee.com>
Date: Saturday, January 18, 2020 at 8:16 AM
To: "openc2-plugfest-2019@lists.oasis-open.org" <openc2-plugfest-2019@lists.oasis-open.org>
Cc: "Vanjarapu, Vinod" <Vinod_Vanjarapu@McAfee.com>
Subject: PlugFest Capabilities [McAfee]

 

Greetings, fellow Plug Fest participants!

Here's a menu of what we're working on for the Plug Fest.

 

A.  McAfee ePO as an actuator

    a.  For accessing inventory of McAfee endpoints. You can use the query action on a properties target with the x-mfe-sbom actuator:

        i.   sbom (software bill of materials, currently limited to McAfee security products installed on a device/endpoint)

        ii.  asset_id: McAfee's own asset ID for an endpoint (for those familiar with ePO, this is the agentguid)

        While implementing, we encountered difficulty in specifying a device more fully, and we would like to propose enhancements to the device target to be able to identify a device based on a combination of one or more device attributes. I believe the spec does allow extensions, but standardizing a minimal set of filterable attributes would help.

        iii. <anyother>: We will have the ability to enhance the attributes on the fly during the plugfest, limited to the attributes that we natively know about a managed device.

    b.  For triggering a software update on a device, currently limited to updating McAfee software and AV signature definitions:

        i.   You will use the update action on a device target with the x-mfe-update actuator.

B.  A sample actuator that implements a firewall allow for an ipv4 connection on an AWS VPC NACL

C.  A sample "sensor" producer that

    a.  detects an "outbound" http(s) request,

    b.  queries the actuators for sbom,

    c.  validates compliance (restricted to checking specific software and versions) by interfacing with the above actuators,

    d.  triggers the "update" actuator if non-compliant,

    e.  triggers "allow" on the sample firewall.

 

Work in progress, but some of the interfaces may be seen at

https://app.swaggerhub.com/apis/sudeepd/openc2/1.0.0#/default/openc2Command

There are sample requests and responses included in the swagger spec.

 

We will have a sample environment accessible and running.

 

-Sudeep
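The plugfest menu above describes three OpenC2 commands (a query on a properties target through x-mfe-sbom, an update on a device target through x-mfe-update, and an allow for an ipv4_connection) plus a sensor that chains them. The following is an added example, not code from this thread, from McAfee's plugfest implementation or from the swagger spec linked above: it builds commands of that shape, runs the structural checks the OpenC2 Language Spec v1.0 imposes (one target key, x- prefix on extension names), and executes the sensor's decision steps over a constructed SBOM response. The actuator names x-mfe-sbom and x-mfe-update are taken from the message; the result layout, passing asset_id as an actuator specifier, the compliance baseline and the use of the standard slpf profile in place of the unnamed NACL actuator are assumptions.

```python
"""Added example, not code from the thread or McAfee's plugfest
implementation.  Builds OpenC2 commands shaped like the plugfest menu
and runs the sample sensor's steps (c)-(e) over a constructed response.
Actuator names x-mfe-sbom / x-mfe-update come from the thread; the SBOM
result layout, the asset_id specifier, the compliance baseline and the
use of slpf for the NACL sample are assumptions."""
import json
import uuid

# Standard target and actuator names from the OpenC2 Language Spec v1.0;
# anything else must be a profile extension carrying an "x-" prefix.
STANDARD_TARGETS = {
    "artifact", "command", "device", "domain_name", "email_addr", "features",
    "file", "idn_domain_name", "idn_email_addr", "ipv4_net", "ipv6_net",
    "ipv4_connection", "ipv6_connection", "iri", "mac_addr", "process",
    "properties", "uri",
}
STANDARD_ACTUATORS = {"slpf"}

# Constructed compliance baseline (assumption): product -> minimum version.
BASELINE = {"McAfee Agent": (5, 6, 0), "Endpoint Security": (10, 7, 0)}


def validate_command(cmd):
    """Structural checks to run before sending: action present, exactly one
    target key, at most one actuator key, extensions prefixed x-."""
    if "action" not in cmd:
        raise ValueError("action is required")
    target = cmd.get("target", {})
    if len(target) != 1:
        raise ValueError("target must contain exactly one key")
    actuator = cmd.get("actuator", {})
    if "actuator" in cmd and len(actuator) != 1:
        raise ValueError("actuator must contain exactly one key")
    for name in target:
        if name not in STANDARD_TARGETS and not name.startswith("x-"):
            raise ValueError(f"target extension {name!r} must start with 'x-'")
    for name in actuator:
        if name not in STANDARD_ACTUATORS and not name.startswith("x-"):
            raise ValueError(f"actuator extension {name!r} must start with 'x-'")
    return cmd


def query_sbom(asset_id):
    """Step (b): query action on a properties target via x-mfe-sbom.
    Carrying the asset_id as an actuator specifier is an assumption."""
    return validate_command({
        "action": "query",
        "target": {"properties": ["sbom", "asset_id"]},
        "actuator": {"x-mfe-sbom": {"asset_id": asset_id}},
        "command_id": str(uuid.uuid4()),
    })


def update_device(asset_id):
    """Step (d): update action on a device target via x-mfe-update."""
    return validate_command({
        "action": "update",
        "target": {"device": {"device_id": asset_id}},
        "actuator": {"x-mfe-update": {}},
        "command_id": str(uuid.uuid4()),
    })


def allow_connection(src, dst, dst_port):
    """Step (e): allow one IPv4 connection.  slpf (the standard packet
    filter profile) stands in for the unnamed AWS NACL sample actuator."""
    return validate_command({
        "action": "allow",
        "target": {"ipv4_connection": {
            "src_addr": src, "dst_addr": dst, "dst_port": dst_port,
            "protocol": "tcp"}},
        "actuator": {"slpf": {}},
        "command_id": str(uuid.uuid4()),
    })


def _version(s):
    return tuple(int(p) for p in s.split("."))


def non_compliant(sbom):
    """Step (c): baseline products that are missing or below the floor."""
    installed = {e["name"]: _version(e["version"]) for e in sbom}
    return sorted(p for p, floor in BASELINE.items()
                  if installed.get(p, (0,)) < floor)


def sensor_workflow(asset_id, sbom_response, src, dst, dst_port):
    """Steps (c)-(e) for one observed outbound request: returns the
    findings and the commands the sensor would issue, in order."""
    if sbom_response.get("status") != 200:
        raise RuntimeError(f"sbom query failed: {sbom_response}")
    findings = non_compliant(sbom_response["results"]["sbom"])
    commands = []
    if findings:
        commands.append(update_device(asset_id))
    # The menu lists the allow after the update; whether to gate the allow
    # on a successful update response is left to the producer.
    commands.append(allow_connection(src, dst, dst_port))
    return findings, commands


# Constructed response to the sbom query, mirroring the menu's two properties.
SAMPLE_RESPONSE = {
    "status": 200,
    "results": {
        "asset_id": "6f1d2c3a-0000-4000-8000-000000000001",  # constructed
        "sbom": [
            {"name": "McAfee Agent", "version": "5.5.1"},
            {"name": "Endpoint Security", "version": "10.7.0"},
        ],
    },
}

if __name__ == "__main__":
    asset = SAMPLE_RESPONSE["results"]["asset_id"]
    print(json.dumps(query_sbom(asset), indent=2))
    findings, cmds = sensor_workflow(asset, SAMPLE_RESPONSE,
                                     "10.0.0.5", "203.0.113.10", 443)
    print("non-compliant:", findings)
    for c in cmds:
        print(json.dumps(c, indent=2))
```

With the constructed response the agent is one minor version below the baseline, so the sensor emits the update command first and then the allow; a fully compliant response yields only the allow. The validator rejects a command with two target keys or an actuator name without the x- prefix, which is the kind of mistake interworking tests between implementations tend to surface.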

 
