draft-ietf-grip-csaf-01.txt T. Debeaupuis
INTERNET DRAFT HSC
Expires: 25 Feb 1999 25 August 1998
Common Security Advisory Format
Status of this Memo
Abstract
This is the first Internet-draft of the Security Advisory Format.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress".
To learn the current status of any Internet-Draft, please check the
1id-abstracts.txt listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim),
ds.internic.net (US East Coast).
Distribution of this document is unlimited.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and
'OPTIONAL' in this document are to be interpreted as described in
RFC 2119 [RFC2119].
This memo describes a format for security advisories. An advisory is
a document describing a vulnerability of a program, an operating
system or, more generally, a software or hardware component of the
information system.
This specification tries to minimize changes to the current practices
of issuers and readers (message style). While trying to help a
program re-read the advisory, it also tries to keep advisories easy
and friendly for humans to read. It focuses on the structure of
documents.
This specification is primarily useful for advisory issuers such as
CSIRTs.
Debeaupuis [Page 1]
INTERNET-DRAFT Common Security Advisory Format 25 august 1998
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
Introduction
We face different information issuers:
- CSIRTs
- Vendors
- Groups of people studying vulnerabilities
Different needs:
- Advisory submitters will find in this format a more efficient way
to inform the community, or their own community. Within the advisory
submitter's organisation, this format can also be used to ease the
handling of advisories.
- IT security officers: within organizations, IT security officers
need to know the vulnerabilities of a specific operating system or
software and, more generally, of a software or hardware component.
- Numerous categories of people (researchers, vendors, security
consulting firms) commonly work on advisories as a building block
of their work: investigations, auditing software (on systems or
networks), etc. A common format will help them enter data into
databases without spending time reorganizing and formalizing
advisories.
The problem that we are facing today is a lack of standardization
between the different formats used to report vulnerabilities.
Common Security Advisory Format
CSAF is a token-based labeling language; advisories are encoded
using
Example of advisory in CSAF
Issuer:
----------------------------------------------------
The Antarctic Department of Defense
Computer Security Incident Response Team
----------------------------------------------------
Sum-up:
Title: Penguins speed vulnerabilities with hurricanes
Objects: God/Penguins-1.0/
Date: 08.25.1998
Date-Revised: 08.26.1998
Summary: Penguins cannot move properly during hurricanes
Description:
It seems that penguins are vulnerable to hurricanes.
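A minimal parser for the label layout of the example advisory above, added here as an illustration; it is not part of the draft. The label syntax, the flat handling of the fields that follow Sum-up, and the MM.DD.YYYY date order are assumptions read off that single example, since the draft does not define them.

```python
import re
from datetime import date

# Constructed input: the draft's example advisory, embedded so this runs offline.
SAMPLE = """\
Issuer:
----------------------------------------------------
The Antarctic Department of Defense
Computer Security Incident Response Team
----------------------------------------------------
Sum-up:
Title: Penguins speed vulnerabilities with hurricanes
Objects: God/Penguins-1.0/
Date: 08.25.1998
Date-Revised: 08.26.1998
Summary: Penguins cannot move properly during hurricanes
Description:
It seems that penguins are vulnerable to hurricanes.
"""

LABEL = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.*)$")  # assumed label syntax
HRULE = re.compile(r"^-{4,}$")                          # decorative rule lines

def parse_date(text):
    """Assumed MM.DD.YYYY order, as implied by '08.25.1998' in the example."""
    month, day, year = (int(part) for part in text.split("."))
    return date(year, month, day)  # ValueError on malformed or impossible dates

def parse_advisory(text):
    """Return {'sections': {label: body text}, 'fields': {label: value}}."""
    sections, fields, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or HRULE.match(line):
            continue                    # blank lines and rules carry no data
        m = LABEL.match(line)
        if m and m.group(2):            # 'Label: value' is a one-line field
            fields[m.group(1)] = m.group(2)
        elif m:                         # bare 'Label:' opens a text block
            current = sections.setdefault(m.group(1), [])
        elif current is not None:       # free text belongs to the open block
            current.append(line)
        else:
            raise ValueError(f"text before any label: {line!r}")
    dates = {k: parse_date(fields[k]) for k in ("Date", "Date-Revised") if k in fields}
    if len(dates) == 2 and dates["Date-Revised"] < dates["Date"]:
        raise ValueError("Date-Revised precedes Date")
    fields.update(dates)
    return {"sections": {k: "\n".join(v) for k, v in sections.items()}, "fields": fields}
```

A free-text line that happens to start with a single word followed by a colon would be read as a field under these assumed rules, which is the kind of ambiguity a finished grammar for the format would need to settle.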
Security Considerations
This document describes a format whose aim is not to improve the
security of advisories (transmission, trust, archiving). It can help
security officers get a better view of the impact of vulnerabilities
on their systems by facilitating the reprocessing of advisories by
automatic or semi-automatic programs.
References
[ABNF] "Augmented BNF for Syntax Specifications: ABNF", D. Crocker,
P. Overell, RFC 2234, November 1997.
[GRIP-FRWK]
[RFC2119] Key words for use in RFCs to Indicate Requirement Levels,
S. Bradner, RFC 2119, March 1997.
CERT
APPENDIX 1 - Current advisories structures
Note: the appendices are for information only. They are helpful, but
will be deleted in the future because we are not trying to
standardize current CSIRT practices, but to propose an evolution of
this format.
CERT
Types of advisories :
- Vendor initiated bulletins
<CERT-VB> :
<HEADING> <INTRODUCTION>
<FORWARDED-TEXT>
<HOW-TO-CONTACT>
<CERTCC-INFORMATIONS>
- CERT advisories
<CERT-BULLETIN> :
<HEADING> <INTRODUCTION>
<DESCRIPTION>
<IMPACT>
<SOLUTION>
<APPENDIX>*
<NO-WARRANTY>
<HOW-TO-CONTACT>
<CERTCC-INFORMATIONS>
<COPYRIGHT>
<APPENDIX> :
<VENDOR-INFORMATION>+
<VENDOR-INFORMATION> :
<VENDOR-NAME>
<CURRENT-STATE>
- Advisories released by other CSIRTs and forwarded by CERT with or
without added value.
- CERT Summaries
CIAC
- CIAC Bulletin
<CIAC-BUL> :
<HEADING> <SUMUP> <DESCRIPTION>
<VENDOR-SPECIFIC-INFORMATION>*
<HEADING> :
<LOGO> crlf <TYPEOFBULLETIN> crlf crlf <TITLE> crlf
crlf <DATE><ADVISORY-NUMBER>
<SUMUP> :
<HRULE> crlf <PROBLEM> crlf <PLATFORM> crlf <DAMAGE>
crlf <SOLUTION> crlf <HRULE> <VULNERABILITY> crlf
<ASSESSMENT>
<DESCRIPTION> :
<VENDOR-SPECIFIC-INFORMATION> :
- CIAC Notes
To be done.
AUSCERT
To be done.
IBM
To be done.
SUN
To be done.
MICROSOFT
<MICROSOFT-BUL> : <TITLE>
<POSTED-DATE>
<REVISED-DATE>
<SUMMARY>
<ISSUE>
<AFFECTED-SOFTWARE>
<WHAT-MICROSOFT-DOING>
<WHAT-TO-DO>
<WORKAROUND>
<MORE-INFORMATION>
<REVISIONS>
<WARRANTY>
<COPYRIGHT>
<MAILING-LIST-INFO>
HEWLETT PACKARD
To be done.
CISCO
<CISCO-SEC-NOTICE> : <FIELD-NOTICE> <HRULE>
<REVISION>
<RELEASE-DATE>
<CONFIDENTIALITY>
<SUMMARY>
<AFFECTED-TEXT>
<IMPACT>
<BUGREF>
<LIST-OF-AFFECTED-AND-PATCHES>
<WORKAROUND>
<EXPLOITATION>
<NOTICE-STATUS>
<DISTRIBUTION-REFERENCES>
<REVISION-HISTORY>
<CISCO-SECURITY-PROCEDURES>
<HRULE>
<COPYRIGHT>
SGI
To be done.
SCO
To be done.
FreeBSD
To be done.
Debian
To be done.
Red Hat
To be done.
SCO
To be done.
SGI
<SGI-ADV> :
<HEADINGS>
<WARNING>
<DESCRIPTION>
<IMPACT>
<WORKAROUND>?
<SOLUTION>
<ACKNOWLEDGMENTS>
<SGI-CONTACTS>
<HEADINGS> :
<TITLE>
<NUMBER>
<DATE>
<SOLUTION> :
<PATCH-URL>
(<OS-NAME> <VULNERABLE> <PATCH-NUMBER> <ACTION>)+
SRI
To be done.
RSI
To be done.
L0pht
<L0PHT-ADV> :
<HEADINGS>
<DESCRIPTION>
<IMPACT>
<SOLUTION>
<HEADINGS> :
<URL-REF>
<RELEASE-DATE>
<COMPONENT-IMPACTED>
<OPERATING-SYSTEM>
<IMPACT>
<PATCH-AVAILABILITY>
To be done.
Acknowledgements
Thanks to my sponsors, Ministère Français de la Culture, Délégation Générale à
la Langue Française (DGLF) and Hervé Schauer Consultants. Also many thanks to
Jean-Michel Cornu for his support.
Author's Address
Tristan Debeaupuis
Herve Schauer Consultants
142, rue de Rivoli
FR-75039 Paris Cedex 01
France
EMail: Tristan.Debeaupuis@hsc.fr