opencybersecurityalliance / PACE

Posture Attribute Collection and Evaluation

Is Asset Inventory within PACE scope #28

Closed sparrell closed 2 years ago

sparrell commented 2 years ago

Clearly asset inventory is needed in many use cases involving PACE. The question is whether the asset inventory system is within the PACE system or whether it is a separate system that is a peer to PACE.

sparrell commented 2 years ago

Duncan advocates that the asset inventory system is outside of PACE. The asset inventory system would know you have:

The PACE system would have the SBOMs for DuncanFarmBot software versions 0.7, 0.8, 1.0, 1.1, 1.2 and would be able to evaluate the security posture information (e.g. correlate with NVD, VEX, ...) of each version.

If the PACE system needs asset inventory information (e.g. the PCS needs to directly query a device for its SBOM) it is an open question whether that info would be provided as part of the command that requested the PCS or whether the PCS would have the ability to query the asset inventory system. Either way, the asset inventory system would be outside PACE.
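The split described in this comment, as an added example that is not PACE project code and not the commenter's: an asset inventory modelled as a peer system that only knows which product version each device runs, and a PACE side that holds one SBOM per shipped version, correlates it with a vulnerability feed and applies VEX-style statements. Every asset, component, version and vulnerability identifier below is constructed sample data, and the flat per-version component lists stand in for real SBOM documents.

```python
"""Toy split between an external asset inventory and a PACE evaluator (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Record as a peer asset inventory might hold it (constructed)."""
    asset_id: str
    product: str
    version: str


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass
class Finding:
    asset_id: str
    component: Component
    vuln_id: str
    status: str  # "affected" or "not_affected" once VEX has been applied


# --- Outside the PACE boundary: what is deployed where (constructed) --------------
INVENTORY = [
    Asset("fb-001", "DuncanFarmBot", "0.8"),
    Asset("fb-002", "DuncanFarmBot", "1.1"),
    Asset("fb-003", "DuncanFarmBot", "1.2"),
]

# --- Inside PACE: one SBOM per shipped version (constructed, flat component lists) -
SBOMS = {
    ("DuncanFarmBot", "0.8"): [Component("libparse", "1.0.3"), Component("mqtt-client", "2.1")],
    ("DuncanFarmBot", "1.1"): [Component("libparse", "1.1.0"), Component("mqtt-client", "2.1")],
    ("DuncanFarmBot", "1.2"): [Component("libparse", "1.1.0"), Component("mqtt-client", "2.2")],
}

# Constructed stand-in for an NVD-style feed: vuln id -> vulnerable (component, version) pairs.
VULN_FEED = {
    "CONSTRUCTED-0001": {("libparse", "1.0.3")},
    "CONSTRUCTED-0002": {("mqtt-client", "2.1")},
}

# Constructed VEX-style vendor statements: (product, version, vuln id) -> status.
VEX = {
    ("DuncanFarmBot", "1.1", "CONSTRUCTED-0002"): "not_affected",  # e.g. vulnerable code not reachable
}


def has_sbom(product: str, version: str) -> bool:
    """A version PACE has no SBOM for is itself a posture gap worth surfacing."""
    return (product, version) in SBOMS


def evaluate_version(product: str, version: str) -> list[tuple[Component, str, str]]:
    """Correlate one version's SBOM with the feed, then let VEX override the default status."""
    results = []
    for comp in SBOMS[(product, version)]:
        for vuln_id, vulnerable in VULN_FEED.items():
            if (comp.name, comp.version) in vulnerable:
                status = VEX.get((product, version, vuln_id), "affected")
                results.append((comp, vuln_id, status))
    return results


def evaluate_fleet(inventory: list[Asset]) -> list[Finding]:
    """Join the inventory (what is deployed) with PACE's per-version evaluation."""
    findings = []
    for asset in inventory:
        if not has_sbom(asset.product, asset.version):
            continue  # a real PCS would report the missing SBOM rather than skip silently
        for comp, vuln_id, status in evaluate_version(asset.product, asset.version):
            findings.append(Finding(asset.asset_id, comp, vuln_id, status))
    return findings


if __name__ == "__main__":
    for f in evaluate_fleet(INVENTORY):
        print(f.asset_id, f.component.name, f.component.version, f.vuln_id, f.status)
```

The point of the shape is that `evaluate_version` never sees an asset: PACE reasons about versions, and the join to devices happens only at the edge where inventory data is handed in (here as an argument, which is one of the two options the comment leaves open).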

slarchacki22 commented 2 years ago

This has been discussed and the Asset Inventory is out of scope - 02-14-2022.

sparrell commented 2 years ago

Should we add text somewhere saying "Asset inventory is currently out-of-scope"? Where should we put these resolutions of our scope issues?

davaya commented 2 years ago

IT Asset Management, e.g., https://www.solarwinds.com/solutions/it-asset-management, is outside the PACE boundary but must be in-scope for both the architecture (#31) and even a first / minimum-viable prototype. In order to get started on a prototype, we will at least need a spreadsheet of "Components whose architecture is assessed", but in order to make even a spreadsheet realistic we'll need to learn what data is maintained in ITAM products (e.g., https://snipeitapp.com/). Hardware and software versions might or might not be included.

I'm thinking the PAR interface should allow querying ITAM-maintained data as well as posture data.

dlemire60 commented 2 years ago

In order to get started on a prototype, we will at least need a spreadsheet of "Components whose architecture is assessed", but in order to make even a spreadsheet realistic we'll need to learn what data is maintained in ITAM products (e.g., https://snipeitapp.com/). Hardware and software versions might or might not be included.

After taking a closer look at the SnipeIT demo, it doesn't look like a good model for our needs. Its function appears to be tracking of physical assets and licenses. The only network information stored appears to be MAC address, whereas in the PACE context we likely need something a bit richer and more network- & software-oriented.

To a degree I'm interpreting Duncan's list of information, specifically:

where each one is

to mean "where" in logical / network terms, not physical / geographic terms. Certainly as we look to leverage the OIF-Orchestrator to function as a PCS, it cares where to find assets on the network in order to collect posture information.

As we work through this, an interesting question to examine is how much / how specific asset knowledge is required by the PCS versus the elements that invoke the PCS.

dlemire60 commented 2 years ago

HashiCorp's Consul is an open source-based product with a community edition that looks like something we might be able to usefully leverage for asset management in the PACE prototype.

dlemire60 commented 2 years ago

Here's a cut at IT asset management information that seems useful to consider for the PACE prototype:

Data Fields in SNIPE-IT (based on on-line demo)
• Name
• Image (graphic)
• Tag (number)
• Serial (look like UUIDs)
• Model (text [constrained?])
• Category (select list, or computed?)
• Status (select list)
• Location (select list)
• Purchase / Warranty info

Other Fields of Interest
• Network Info
  ◇ MAC Address
  ◇ IPv4 Address
  ◇ IPv6 Address
  ◇ VLAN
  ◇ (other network data?)
• OS Info
  ◇ OS Type
  ◇ Version (maj / min / build)
  ◇ Default Language
• OpenC2 Info
  ◇ APs Supported
  ◇ Transfer Protocols supported
• Hardware Info
  ◇ Hardware Type
  ◇ Hardware Version
  ◇ Firmware Version
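The field list above turned into one validated record, as an added example that is neither PACE nor Snipe-IT code and not the commenter's. It keeps the Snipe-IT fields, adds the network / OS / OpenC2 / hardware fields proposed in the comment, validates the network fields with the standard library, and gives the inventory the two lookups a PCS such as the OIF-Orchestrator would need: which asset sits behind a given address, and which assets speak a given OpenC2 actuator profile. Field names, the choice of serial-then-MAC as a stable identifier, the 802.1Q VLAN range check and all sample records are assumptions or constructed data.

```python
"""Asset inventory record shaped after the proposed field list (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class NetworkInfo:
    mac: str
    ipv4: Optional[str] = None
    ipv6: Optional[str] = None
    vlan: Optional[int] = None

    def __post_init__(self) -> None:
        # Normalise so lookups do not depend on the case or spelling the scanner used.
        if not MAC_RE.match(self.mac):
            raise ValueError(f"bad MAC address: {self.mac!r}")
        object.__setattr__(self, "mac", self.mac.lower())
        if self.ipv4 is not None:  # ipaddress raises ValueError on malformed text
            object.__setattr__(self, "ipv4", str(ipaddress.IPv4Address(self.ipv4)))
        if self.ipv6 is not None:
            object.__setattr__(self, "ipv6", str(ipaddress.IPv6Address(self.ipv6)))
        # 802.1Q: IDs 0 and 4095 are reserved, so the usable range is 1-4094 (assumption for this check).
        if self.vlan is not None and not 1 <= self.vlan <= 4094:
            raise ValueError(f"VLAN id out of range: {self.vlan}")


@dataclass(frozen=True)
class OSInfo:
    os_type: str
    version: str  # "maj.min.build" as text
    default_language: Optional[str] = None


@dataclass(frozen=True)
class OpenC2Info:
    actuator_profiles: tuple[str, ...] = ()
    transfer_protocols: tuple[str, ...] = ()


@dataclass(frozen=True)
class HardwareInfo:
    hw_type: str
    hw_version: Optional[str] = None
    firmware_version: Optional[str] = None


@dataclass(frozen=True)
class Asset:
    name: str          # Snipe-IT style fields first
    tag: str
    serial: str
    model: str
    category: str
    status: str
    location: str
    network: NetworkInfo   # proposed additional fields
    os: OSInfo
    openc2: OpenC2Info = field(default_factory=OpenC2Info)
    hardware: Optional[HardwareInfo] = None

    def uid(self) -> str:
        """One candidate stable identifier (assumption): serial if present, else MAC."""
        return self.serial or self.network.mac


class Inventory:
    """In-memory stand-in for an ITAM system that sits outside the PACE boundary."""

    def __init__(self, assets: list[Asset]) -> None:
        self._by_uid: dict[str, Asset] = {}
        for a in assets:
            if a.uid() in self._by_uid:
                raise ValueError(f"duplicate identifier {a.uid()!r}")
            self._by_uid[a.uid()] = a

    def find_by_address(self, address: str) -> Optional[Asset]:
        """'Where is it' in network terms: accepts MAC, IPv4 or IPv6 text in any spelling."""
        addr = address.lower() if MAC_RE.match(address) else str(ipaddress.ip_address(address))
        for a in self._by_uid.values():
            if addr in (a.network.mac, a.network.ipv4, a.network.ipv6):
                return a
        return None

    def posture_targets(self, profile: str) -> list[Asset]:
        """Assets a PCS could query over OpenC2 for a given actuator profile."""
        return [a for a in self._by_uid.values() if profile in a.openc2.actuator_profiles]


def is_valid_network(mac: str, ipv4: Optional[str] = None, ipv6: Optional[str] = None,
                     vlan: Optional[int] = None) -> bool:
    """Wraps the validation so callers can test a record without catching exceptions."""
    try:
        NetworkInfo(mac, ipv4, ipv6, vlan)
    except ValueError:
        return False
    return True


# Constructed sample records; names, serials, addresses and profile strings are made up.
SAMPLE = Inventory([
    Asset("farmbot-01", "A1001", "SN-0001", "FarmBot-X", "Robot", "Deployed", "Field 3",
          NetworkInfo("AA:BB:CC:00:00:01", "192.168.10.21", "2001:DB8::21", 10),
          OSInfo("Linux", "5.10.0"), OpenC2Info(("slpf",), ("https", "mqtt")),
          HardwareInfo("SBC", "rev2", "fw-1.4")),
    Asset("farmbot-02", "A1002", "SN-0002", "FarmBot-X", "Robot", "Deployed", "Field 3",
          NetworkInfo("aa:bb:cc:00:00:02", "192.168.10.22", None, 10),
          OSInfo("Linux", "5.10.0")),
])
```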

slarchacki22 commented 2 years ago

Added to FAQ at the 4/25/2022 PACE meeting

adammontville commented 1 year ago

Which of these (or which collection of these) might be useful as a unique identifier that could be useful to any software connected to the ecosystem?

Also, Consul looks interesting. It seems to do a lot more than service cataloging. Do we want to look into that for other PACE needs as well?
