OpenC2 Actuator Profile for Anti-Virus Version 1.0

Committee Specification Draft 01

17 February 2021

Technical Committee:

OASIS Open Command and Control (OpenC2) TC

Chairs:

Joe Brule (jmbrule@nsa.gov), National Security Agency
Duncan Sparrell (duncan@sfractal.com), sFractal Consulting LLC

Editors:

Vasileios Mavroeidis (vasileim@ifi.uio.no), University of Oslo
Alex Everett (alex.everett@unc.edu), University of North Carolina at Chapel Hill
David Kemp (d.kemp@cyber.nsa.gov), National Security Agency

Additional artifacts:

This prose specification is one component of a Work Product that also includes:

This specification replaces or supersedes:

This specification is related to:

Abstract:

Actuator profiles identify the aspects of the OpenC2 language specification that are mandatory and/or meaningful in the context of a given actuator. Actuator Profiles also identify specifiers and options that are unique to the actuator. This document focuses on the use of OpenC2 to issue commands and parse responses to software that can control an anti-virus engine. This could be used to start or stop the engine, or scan a particular path.

Status:

This document was last revised or approved by the OASIS Open Command and Control (OpenC2) TC on the above date. The level of approval is also listed above. Check the "Latest version" location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=openc2#technical.

TC members should send comments on this specification to the TC's email list. Others should send comments to the TC's public comment list, after subscribing to it by following the instructions at the "Send A Comment" button on the TC's web page at https://www.oasis-open.org/committees/openc2/.

This specification is provided under the Non-Assertion Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC's web page (https://www.oasis-open.org/committees/openc2/ipr.php).

Note that any machine-readable content (Computer Language Definitions) declared Normative for this Work Product is provided in separate plain text files. In the event of a discrepancy between any such plain text file and display content in the Work Product's prose narrative document(s), the content in the separate plain text file prevails.

Key words:

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] and [RFC8174] when, and only when, they appear in all capitals, as shown here.

Citation format:

When referencing this specification the following citation format should be used:

[AP-AV-v1.0]

OpenC2 Actuator Profile for Anti-Virus Version 1.0. Edited by Vasileios Mavroeidis and Martin Evandt. 17 February 2021. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/openc2/ap-av/v1.0/csd01/ap-av-v1.0-csd01.html. Latest version: https://docs.oasis-open.org/openc2/ap-av/v1.0/ap-av-v1.0.html.


Notices

Copyright © OASIS Open 2021. All Rights Reserved.

Distributed under the terms of the OASIS IPR Policy.

The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs.

For complete copyright information please see the Notices section in the Appendix.




1 Introduction

Here is a customized command line which will generate HTML from this markdown file (named ap-av-v1.0-wd01.md):

```
pandoc -f gfm -t html ap-av-v1.0-wd01.md -c styles/markdown-styles-v1.7.3.css --toc --toc-depth=5 -s -o ap-av-v1.0-wd01.html --metadata title="OpenC2 Actuator Profile for Anti-Virus Version 1.0"
```

OASIS staff are currently using pandoc 2.6 from https://github.com/jgm/pandoc/releases/tag/2.6.

This also requires the presence of a .css file containing the HTML styles (like styles/markdown-styles-v1.7.3.css).

Note this command generates a Table of Contents (TOC) in HTML which is located at the top of the HTML document, and which requires additional editing in order to be published in the expected OASIS style. This editing will be handled by OASIS staff during publication. A TC may use other ways to generate HTML from markdown, which may generate a TOC in a different way.

1.1 Changes from earlier versions

1.2 Glossary

1.2.1 Definitions of terms

1.2.2 Acronyms and abbreviations

1.2.3 Document conventions

1.3 Some markdown usage examples

Text.

Note that text paragraphs in markdown should be separated by a blank line; otherwise the separate paragraphs will be joined together when the HTML is generated, even if the text appears as separate lines in the markdown source.

To avoid having the usual vertical space between paragraphs,
append two or more space characters (or space-backslash) to the end of the lines
which will generate an HTML break tag instead of a new paragraph tag
(as demonstrated here).

1.3.1 Figures and Captions

FIGURE EXAMPLE: <note: the caption is best placed ABOVE the figure, so that a hyperlink to it will actually display the figure instead of rendering the figure off the screen above the caption. The same placement should be used for table captions.>

Figure 1 -- Title of Figure

[image placeholder: image-label should be meaningful (this image is missing)]

Figure 2 -- OpenC2 Message Exchange

[image placeholder: message exchange]

1.3.2 Tables

1.3.2.1 Basic Table

Table 1-1. Table Label

| Item | Description |
| :--- | :--- |
| Item 1 | Something (second line) |
| Item 2 | Something |
| Item 3 | Something (second line) |
| Item 4 | text |

1.3.2.2 Table with Three Columns and Some Bold Text

text.

| Title 1 | Title 2 | title 3 |
| :--- | :--- | :--- |
| something | something | something else that is a long string of text that might need to wrap around inside the table box and will just continue until the column divider is reached |
| something | something | something |

1.3.2.3 Table with a caption which can be referenced

Table 1-5. See reference label construction

| Name | Description |
| :--- | :--- |
| content | Message body as specified by content_type and msg_type. |

Here is a reference to the table caption: Please see Table 1-5 or other meaningful label

1.3.3 Lists

Bulleted list:

Indented or multi-level bullet list - add two spaces per level before bullet character (* or -):

Numbered list:

  1. item 1
  2. item 2
  3. item 3

Left-justified list without bullets or numbers: To list multiple items without full paragraph breaks between items, add space-backslash after each item except the last.

1.3.4 Reference Label Construction

REFERENCES and ANCHORS

[RFC2119]

Bradner, S., "Key words ..."

1.3.5 Code Blocks

Text to appear as an indented code block with grey background and monospace font - use three back-ticks before and after the code block.

Note the actual backticks will not appear in the HTML format. If it's necessary to display visible backticks, place a back-slash before them like: ``` .

```json
{
    "target": {
        "x_kmip_2.0": {
            "kmip_type": "json",
            "operation": "RekeyKeyPair",
            "name": "publicWebKey11DEC2017"
        }
    }
}
```

Text to be highlighted as code can also be surrounded by a single "backtick" character: `code text`

1.4 Page Breaks

Add horizontal rule lines where page breaks are desired in the PDF - before each major section


2 Section Heading

text.

2.1 Level 2 Heading

text.

2.1.1 Level 3 Heading

text.

2.1.1.1 Level 4 Heading

text.

2.1.1.1.1 Level 5 Heading

This is the deepest level, because six # gets transformed into a Reference tag.

2.2 Next Heading

text.


3 Conformance

(Note: The OASIS TC Process requires that a specification approved by the TC at the Committee Specification Public Review Draft, Committee Specification or OASIS Standard level must include a separate section, listing a set of numbered conformance clauses, to which any implementation of the specification must adhere in order to claim conformance to the specification (or any optional portion thereof). This is done by listing the conformance clauses here. For the definition of "conformance clause," see OASIS Defined Terms.

See "Guidelines to Writing Conformance Clauses":
http://docs.oasis-open.org/templates/TCHandbook/ConformanceGuidelines.html.

Remove this note before submitting for publication.)


Appendix A. References

This appendix contains the normative and informative references that are used in this document. Normative references are specific (identified by date of publication and/or edition number or version number) and Informative references are either specific or non-specific.

While any hyperlinks included in this appendix were valid at the time of publication, OASIS cannot guarantee their long-term validity.

A.1 Normative References

The following documents are referenced in such a way that some or all of their content constitutes requirements of this document.

(Reference sources: For references to IETF RFCs, use the approved citation formats at:
http://docs.oasis-open.org/templates/ietf-rfc-list/ietf-rfc-list.html.
For references to W3C Recommendations, use the approved citation formats at:
http://docs.oasis-open.org/templates/w3c-recommendations-list/w3c-recommendations-list.html.
Remove this note before submitting for publication.)

[OpenC2-HTTPS-v1.0]

Specification for Transfer of OpenC2 Messages via HTTPS Version 1.0. Edited by David Lemire. Latest version: http://docs.oasis-open.org/openc2/open-impl-https/v1.0/open-impl-https-v1.0.html

[OpenC2-SLPF-v1.0]

Open Command and Control (OpenC2) Profile for Stateless Packet Filtering Version 1.0. Edited by Joe Brule, Duncan Sparrell, and Alex Everett. Latest version: http://docs.oasis-open.org/openc2/oc2slpf/v1.0/oc2slpf-v1.0.html

[RFC2119]

Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, http://www.rfc-editor.org/info/rfc2119.

[RFC8174]

Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, http://www.rfc-editor.org/info/rfc8174.

A.2 Informative References

[RFC3552]

Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, https://www.rfc-editor.org/info/rfc3552.


Appendix B. Safety, Security and Privacy Considerations

(Note: OASIS strongly recommends that Technical Committees consider issues that might affect safety, security, privacy, and/or data protection in implementations of their specification and document them for implementers and adopters. For some purposes, you may find it required, e.g. if you apply for IANA registration.

While it may not be immediately obvious how your specification might make systems vulnerable to attack, most specifications, because they involve communications between systems, message formats, or system settings, open potential channels for exploit. For example, IETF [RFC3552] lists “eavesdropping, replay, message insertion, deletion, modification, and man-in-the-middle” as well as potential denial of service attacks as threats that must be considered and, if appropriate, addressed in IETF RFCs.

In addition to considering and describing foreseeable risks, this section should include guidance on how implementers and adopters can protect against these risks.

We encourage editors and TC members concerned with this subject to read Guidelines for Writing RFC Text on Security Considerations, IETF [RFC3552], for more information.

Remove this note before submitting for publication.)


Appendix C. Acknowledgments

Note: A Work Product approved by the TC must include a list of people who participated in the development of the Work Product. This is generally done by collecting the list of names in this appendix. This list shall be initially compiled by the Chair, and any Member of the TC may add or remove their names from the list by request. Remove this note before submitting for publication.

C.1 Special Thanks

Substantial contributions to this document from the following individuals are gratefully acknowledged:

Participant Name, Affiliation or "Individual Member"

C.2 Participants

The following individuals have participated in the creation of this specification and are gratefully acknowledged:

OpenC2 TC Members:

| First Name | Last Name | Company |
| :--- | :--- | :--- |
| Philippe | Alman | Something Networks |
| Alex | Amirnovman | Company B |
| Kris | Anderman | Mini Micro |
| Darren | Anstman | Big Networks |

Appendix D. Revision History

| Revision | Date | Editor | Changes Made |
| :--- | :--- | :--- | :--- |
| specname-v1.0-wd01 | yyyy-mm-dd | Editor Name | Initial working draft |

Appendix E. Example Appendix with subsections

E.1 Subsection title

E.1.1 Sub-subsection


Appendix F. Notices

Copyright © OASIS Open 2021. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

As stated in the OASIS IPR Policy, the following three paragraphs in brackets apply to OASIS Standards Final Deliverable documents (Committee Specification, Candidate OASIS Standard, OASIS Standard, or Approved Errata).

[OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Standards Final Deliverable, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this deliverable.]

[OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this OASIS Standards Final Deliverable by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this OASIS Standards Final Deliverable. OASIS may include such claims on its website, but disclaims any obligation to do so.]

[OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this OASIS Standards Final Deliverable or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Standards Final Deliverable, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.]

The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark for above guidance.