oasis-tcs / openc2-apsc-stateless-packet-filter

OASIS OpenC2 TC: A GitHub repository is to provide configuration management and to aid in the development of the first generation OpenC2 firewall profile
https://github.com/oasis-tcs/openc2-apsc-stateless-packet-filter
Other
6 stars 10 forks source link

slpf rule comment or description #115

Closed alevere closed 4 years ago

alevere commented 4 years ago

I propose an additional slpf argument is added which allows for a rule comment or rule description such as 'ticket 40342322' or 'dev web to dev db'. We should allow for a brief string (<64 chars) that a firewall admin or other user can use to place a note on a specific rule. This is often used at organizations to help document rules and allow for people to understand the rules that are in place.

jmbrule commented 4 years ago

I think the scope of the OpenC2 specification is focused on machine to machine communications in order to fulfill the 'act' portion of the OODA loop. One could argue that annotating the steps made in the 'decide' or 'orient' part of the ooda loop are beyond the scope of 'Act'. If we were to decide that it is appropriate to annotate the decision making process, then I suspect that it would be something that we store at the orchestrator (aka producer), is closer to where the decision was made.
I do not see how the annotation influences how the command is executed at the actuator.

alevere commented 4 years ago

Almost every firewall has a field for a comment for a given rule. Often, an enterprise enforces a requirement to have a comment, as this aids with audits. E.g. who made this rule, when was this rule created. This doesnt necessarily answer who made the decision, as the comment is left up to the org/process. If we push a command/action, I think it is expected that in many cases either a ticket or request number must be associated with the action for audit purposes. Let me know if you think that helps clarify or not.

Vasileios-Mavroeidis commented 4 years ago

Was thinking the same for the ids-ap and I remembered that we have the same unresolved "issue" here. I concur with Alex that an optional description property would be quite helpful for auditing reasons. Even though that does not provide any additional refinement with respect to the mechanics of the command we want at a later date to possibly get info as to the purpose of issuing that command.

alevere commented 4 years ago

Addressed issue in #134