Return to
Security_Events.mof
CVS log
Up to [Pegasus] / pegasus / Schemas / CIMPrelim29
|
Return to
Security_Events.mof
CVS log
|
Up to [Pegasus] / pegasus / Schemas / CIMPrelim29
|
|
File: [Pegasus] / pegasus / Schemas / CIMPrelim29 / Attic / Security_Events.mof
(download)
Revision: 1.2, Thu Feb 24 20:47:33 2005 UTC (19 years, 3 months ago) by a.dunfey Branch: MAIN CVS Tags: TASK-PEP362_RestfulService-merged_out_from_trunk, TASK-PEP348_SCMO-merged_out_from_trunk, TASK-PEP317_pullop-merged_out_from_trunk, TASK-PEP317_pullop-merged_in_to_trunk, TASK-PEP311_WSMan-root, TASK-PEP311_WSMan-branch, RELEASE_2_5_0-RC1, HPUX_TEST, HEAD Changes since 1.1: +4 -4 lines FILE REMOVED PEP#: 215 TITLE: Remove old schemas DESCRIPTION: Removing old, unneeded schema files from the repository: CIM 2.7 CIM 2.7.1 Preliminary CIM 2.8 Preliminary CIM 2.9 Preliminary |
// ===================================================================
// Title: Security Events
// $State: dead $
// $Date: 2005/02/24 20:47:33 $
// $Source: /cvs/MSB/pegasus/Schemas/CIMPrelim29/Attic/Security_Events.mof,v $
// $Revision: 1.2 $
// ===================================================================
//#pragma inLine ("Includes/copyright.inc")
// Copyright 1998-2004 Distributed Management Task Force, Inc. (DMTF).
// All rights reserved.
// DMTF is a not-for-profit association of industry members dedicated
// to promoting enterprise and systems management and interoperability.
// DMTF specifications and documents may be reproduced for uses
// consistent with this purpose by members and non-members,
// provided that correct attribution is given.
// As DMTF specifications may be revised from time to time,
// the particular version and release date should always be noted.
//
// Implementation of certain elements of this standard or proposed
// standard may be subject to third party patent rights, including
// provisional patent rights (herein "patent rights"). DMTF makes
// no representations to users of the standard as to the existence
// of such rights, and is not responsible to recognize, disclose, or
// identify any or all such third party patent right, owners or
// claimants, nor for any incomplete or inaccurate identification or
// disclosure of such rights, owners or claimants. DMTF shall have no
// liability to any party, in any manner or circumstance, under any
// legal theory whatsoever, for failure to recognize, disclose, or
// identify any such third party patent rights, or for such party's
// reliance on the standard or incorporation thereof in its product,
// protocols or testing procedures. DMTF shall have no liability to
// any party implementing such standard, whether such implementation
// is foreseeable or not, nor to any patent owner or claimant, and shall
// have no liability or responsibility for costs or losses incurred if
// a standard is withdrawn or modified after publication, and shall be
// indemnified and held harmless by any party implementing the
// standard from any and all claims of infringement by a patent owner
// for such implementations.
//
// For information about patents held by third-parties which have
// notified the DMTF that, in their opinion, such patent may relate to
// or impact implementations of DMTF standards, visit
// http://www.dmtf.org/about/policies/disclosures.php.
#pragma Locale ("en_US")
// ==================================================================
// SecurityIndication
// ==================================================================
[Indication, Experimental, Version ( "2.8.1000" ), Description (
"SecurityIndication provides a common superclass for the CIM "
"Security Events schema. SecurityIndications are messages "
"produced by Detectors that watch for and report on events that "
"have security implications. Detectors may include, but are not "
"limited to intrusion detection systems, antivirus scanners, "
"firewalls, vulnerability scanners, or operating system "
"sentries and subsystems. \n"
"Although often due to attacks or probes, security events can "
"also reflect normal activity, such as host or network login, "
"firewall connections, etc. Messages include information about "
"the Effect of the event, the Mechanism or method by which the "
"event occurred, and the Resource affected by the event. \n"
"Properties from the base class CIM_Indication that MUST be "
"populated are: IndicationIdentifier and IndicationTime. A "
"property from the superclass CIM_AlertIndication that MUST be "
"populated is: AlertType which MUST be set to \"Security\". "
"EventID, ProviderName and AlertingManagedElement in some "
"combination SHOULD be populated in a way that identifies the "
"device type and its source in an unambiguous way from the "
"Detector's point of view.")]
class CIM_SecurityIndication : CIM_AlertIndication {
[Required, Override ( "IndicationIdentifier" ), Description (
"An identifier for the Indication. This property is similar "
"to a key value in that it can be used for identification, "
"when correlating Indications (see the CorrelatedIndications "
"array). Its value SHOULD be unique as long as Alert "
"correlations are reported, but MAY be reused or left NULL "
"if no future Indications will reference it in their "
"CorrelatedIndications array."),
MappingStrings { "Recommendation.ITU|X733.Notification "
"identifier" }]
string IndicationIdentifier;
[Required, Override ( "AlertType" ), Description (
"Primary classification of the Indication. The following "
"value is the only value permitted from AlertIndication: \n"
"8 - Security Alert. An Indication of this type is "
"associated with security violations, detection of viruses, "
"and similar issues."),
ValueMap { "8" },
Values { "Security Alert" },
MappingStrings { "Recommendation.ITU|X733.Event type" }]
uint16 AlertType=8;
[Required, Description (
"MessageType is an identifier distinguishing the instance of "
"a SecurityIndication semantically. Instances of this class "
"or its subclasses have different meaning depending upon the "
"value of MessageType. For example, overrides of this "
"property in subclasses can define new MethodTypes, such as "
"\"Virus Found\" or \"Vulnerability Detected\". A range of "
"values, DMTF_Reserved, and Vendor Reserved, has been "
"defined that allows subclasses to override and define their "
"specific event message types. \n"
"Note that MessageType does not correspond to the "
"CIM_AlertIndication \"Message\" property, which holds a "
"formatted string for general AlertIndications. "
"CIM_AlertIndication.Message MAY be used to contain message "
"text sent by the Detector, but in addition to, rather than "
"in lieu of SecurityIndication specific properties."),
ValueMap { "0", "2", "3..15999", "16000.." },
Values { "Unknown", "Not Applicable", "DMTF Reserved",
"Vendor Reserved" }]
uint16 MessageType;
[Required, Override ( "IndicationTime" ), Description (
"The time and date of creation of the Indication. The "
"property may be set to NULL if the entity creating the "
"Indication is not capable of determining this information. "
"Note that IndicationTime may be the same for two "
"Indications that are generated in rapid succession."),
ModelCorrespondence { "CIM_SecurityIndication.IndicationEndTime"
}]
datetime IndicationTime;
[Description (
"The end time and date of a range of events represented by "
"the Indication whose beginning is IndicationTime. If the "
"Indication represents a single event, this property MUST be "
"set to NULL. If the Indication represents multiple events "
"over time, the EventCount property MUST be greater than 1 "
"and this property MUST be greater than or equal to the "
"IndicationTime value. In this case, the Indication "
"represents an event aggregate with the aggregate amplitude "
"being the EventCount property. The time range or EventCount "
"does not imply a threshold in and of itself, but a time or "
"amplitude threshold MAY be used in determining how a "
"Detector populates this property."),
ModelCorrespondence { "CIM_SecurityIndication.EventCount",
"CIM_SecurityIndication.IndicationTime" }]
datetime IndicationEndTime;
[Description (
"The number of events represented by this Indication. If "
"IndicationEndTime is not NULL, EventCount MUST be greater "
"than 1 which means that the Indication represents an event "
"aggregate."),
Counter, MinValue ( 1 ),
ModelCorrespondence { "CIM_SecurityIndication.IndicationEndTime"
}]
uint16 EventCount = 1;
[Required, Description (
"An array of enumerated values that describes the effect(s) "
"of an event from the Detector's point of view. Some "
"security devices such as simple packet filters may not be "
"able to detect the notion of an event's Effect. In these "
"cases, the Effect is \"Unknown\". Although in many cases "
"the Effect of an attack is intended, not all attacks have a "
"known intent, such as viruses or other malicious code, "
"which may have multiple varied Effects. If there is more "
"than one Effect, the first element in the array SHOULD "
"represent the most significant or most severe Effect, from "
"the Detector's point of view. The following values are "
"defined: \n"
"0 - Unknown means the Effect of the event is purely "
"unknown. \n"
"2 - Degradation. The message indicates that an attempt was "
"made to damage or impair usability, performance, service "
"availability, etc. \n"
"3 - Reconnaissance. The message indicates that there was an "
"attempt to gather information useful for attacks, or probe "
"for vulnerabilities without necessarily exploiting them. \n"
"4 - Access. The message indicates that access has been "
"attempted or made to data or services. \n"
"5 - Integrity. The message indicates that there was an "
"attempt to modify or delete data."),
ValueMap { "0", "2", "3", "4", "5", "6..15999", "16000.." },
Values { "Unknown", "Degradation", "Reconnaissance", "Access",
"Integrity", "DMTF Reserved", "Vendor Reserved" },
ModelCorrespondence {
"CIM_SecurityIndication.MoreSpecificEffects" }]
uint16 Effects[];
[Description (
"If more details are known about the effect of an attack or "
"probe, this property can contain that information. For "
"example, if one of the values of Effects is Access, a more "
"specific Effect might be HostCompromised. Or, if the Effect "
"is Degradation, a more specific effect might be "
"DistributedDoS. \n"
"String values for this property are vendor or Detector "
"specific and as such, the property "
"CIM_AlertIndication.OwningEntity SHOULD be populated to "
"identify the business entity or standards body defining the "
"possible values."),
ModelCorrespondence { "CIM_SecurityIndication.Effects",
"CIM_AlertIndication.OwningEntity" }]
string MoreSpecificEffects[];
[Required, Description (
"An integer indicating the method(s) used in an attack, "
"probe, or other action. Mechanism values can be used with "
"any of the Effect values, depending on the method employed "
"in an attack or probe. For example, if the Effect is "
"Degradation such as a DoS attack using ICMP packets, the "
"Mechanism would be NetworkICMP. If the Effect is "
"Reconnaissance using a port sweep then the Mechanism would "
"be PortSweep."),
ValueMap { "0", "2", "3", "4", "5", "6", "7", "8", "9", "10",
"11", "12", "13", "14", "15", "16", "17", "18", "19", "20",
"21", "22", "23", "24..15999", "16000.." },
Values { "Unknown", "ArpPoisoning", "Backdoor", "Rootkit",
"Trojan", "BufferOverflow", "GuessPassword", "ReplayAttack",
"SQLInjection", "SpoofIdentity", "PortSweep", "HostSweep",
"NetworkSweep", "NetworkICMP", "NetworkTCP", "NetworkUDP",
"Worm", "Virus", "Non-viral malicious", "Spyware", "Adware",
"Login", "Logout", "DMTF Reserved", "Vendor Reserved" },
ModelCorrespondence {
"CIM_SecurityIndication.MoreSpecificMechanisms" }]
uint16 Mechanisms[];
[Description (
"Specifies a more specific mechanism based on a value "
"specified in the Mechanisms property. For example, if one "
"of the values of Mechanisms is Trojan, then a "
"MoreSpecificMechanisms might be Connect for a trojan that "
"opens a port and listens for connections. A different "
"method might be Response if the trojan sends information. \n"
"String values for this property are vendor or Detector "
"specific and as such, the property "
"CIM_AlertIndication.OwningEntity SHOULD be populated to "
"identify the business entity or standards body defining the "
"possible values."),
ModelCorrespondence { "CIM_SecurityIndication.Mechanisms",
"CIM_AlertIndication.OwningEntity" }]
string MoreSpecificMechanisms[];
[Required, Description (
"An integer indicating the type(s) of resource affected by "
"an attack or probe. For example, DB indicates that an "
"attack was made against a database server, where Mail "
"indicates that some type of email server is affected. DB, "
"DNS, and other values can mean a server or service, e.g. "
"there is no distinction between a DNS server resource and a "
"DNS service resource. Web means a web server/service but "
"more specific resources of this type can be specified using "
"the MoreSpecificResources property, e.g. IIS, Apache, "
"iPlanet, etc."),
ValueMap { "0", "2", "3", "4", "5", "6", "7", "8", "9", "10",
"11", "12", "13", "14", "15", "16", "17", "18", "19", "20",
"21", "22", "23", "24", "25", "26", "27", "28", "29", "30",
"31..15999", "16000.." },
Values { "Unknown", "DB", "DNS", "FTP", "Mail", "RPC", "SNMP",
"Web", "Host", "Firewall", "Registry", "NetworkDevice",
"Hardware", "User Activity", "Cookies", "Network Data",
"Application Data", "Application Configuration", "OS Kernel",
"OS Configuration", "OS Session", "File System", "Process",
"Service", "Network Session", "URL", "User Account",
"Privileges", "User Policy", "Group", "DMTF Reserved",
"Vendor Reserved" },
ModelCorrespondence {
"CIM_SecurityIndication.MoreSpecificResources" }]
uint16 Resources[];
[Description (
"Specifies a more specific resource based on a value "
"specified in the Resources property. For example, if one of "
"the values of Resources is Web, then a MoreSpecificResource "
"might be Apache for an attack or probe against an Apache "
"web server. \n"
"String values for this property are vendor or Detector "
"specific and as such, the property "
"CIM_AlertIndication.OwningEntity SHOULD be populated to "
"identify the business entity or standards body defining the "
"possible values."),
ModelCorrespondence { "CIM_SecurityIndication.Resources",
"CIM_AlertIndication.OwningEntity" }]
string MoreSpecificResources[];
};
// ==================================================================
// IPNetworkSecurityIndication
// ==================================================================
[Indication, Experimental, Version ( "2.8.1000" ), Description (
"IPNetworkSecurityIndication is a class that represents events "
"that have a network context, i.e. a source or destination "
"address is a necessary property of the indication. More "
"specific Indication subclasses that can derive from this class "
"are for example, firewall or intrusion detection subclasses. "
"This class is not limited to use on IPv4 networks but has "
"numerical property support for IPv4 networks that can be used "
"for efficient implementations of search and analysis.")]
class CIM_IPNetworkSecurityIndication : CIM_SecurityIndication {
[Required, Override ( "MessageType" ), Description (
"An integer indicating the type of message to which the "
"Indication applies. Generic indications of this class "
"SHOULD set the value to Unknown. DMTF subclasses will "
"define specific values from the DMTF Class Reserved range."),
ValueMap { "0","2","3..500","501..15999","16000.." },
Values { "Unknown", "Not Applicable", "DMTF Class Reserved",
"DMTF Reserved","Vendor Reserved" }]
uint16 MessageType;
[Required, Description (
"An integer indicating the type of network protocol for the "
"traffic associated with this Indication."),
ValueMap { "0","2","3","4","5","6" },
Values { "Unknown","ARP","TCP","UDP","ICMP","IGMP" }]
uint16 Protocol;
[Required, Description (
"This property explicitly defines support for different "
"versions of the IP protocol for the traffic associated with "
"this Indication."),
ValueMap { "0", "2", "3" },
Values { "Unknown", "IPv4", "IPv6" }]
uint16 IPVersionSupport;
[Description (
"The address for the originator of the network traffic "
"associated with this Indication from the Detector's point "
"of view. This address MUST be identical to the "
"IPv4NumericSourceAddress if both property values are not "
"NULL and the IPVersionSupport property is \"IPv4\" ."),
ModelCorrespondence {
"CIM_IPNetworkSecurityIndication.IPv4NumericSourceAddress",
"CIM_IPNetworkSecurityIndication.IPVersionSupport" }]
string SourceAddress;
[Description (
"The IPv4 source address in numeric form. This address MUST "
"be identical to the SourceAddress property if both property "
"values are not NULL and the IPVersionSupport property is "
"\"IPv4\"."),
ModelCorrespondence {
"CIM_IPNetworkSecurityIndication.SourceAddress",
"CIM_IPNetworkSecurityIndication.IPVersionSupport" }]
uint32 IPv4NumericSourceAddress;
[Description (
"The prefix length for the IPv6 address for the originator "
"of the network traffic associated with this Indication from "
"the Detector's point of view."),
ModelCorrespondence {
"CIM_IPNetworkSecurityIndication.SourceAddress",
"CIM_IPNetworkSecurityIndication.IPVersionSupport" }]
uint8 SourcePrefixLength;
[Description (
"The address for the destination of the network traffic "
"associated with this Indication from the Detector's point "
"of view. This address MUST be identical to the "
"IPv4NumericDestAddress if both property values are not NULL "
"and the IPVersionSupport property is \"IPv4\"."),
ModelCorrespondence {
"CIM_IPNetworkSecurityIndication.IPv4NumericDestAddress",
"CIM_IPNetworkSecurityIndication.IPVersionSupport" }]
string DestAddress;
[Description (
"The IPv4 destination address in numeric form. This address "
"MUST be identical to the DestAddress property if both "
"property values are not NULL and the IPVersionSupport "
"property is \"IPv4\"."),
ModelCorrespondence {
"CIM_IPNetworkSecurityIndication.DestAddress",
"CIM_IPNetworkSecurityIndication.IPVersionSupport" }]
uint32 IPv4NumericDestAddress;
[Description (
"The prefix length for the IPv6 address for the destination "
"of the network traffic associated with this Indication from "
"the Detector's point of view."),
ModelCorrespondence {
"CIM_IPNetworkSecurityIndication.DestAddress",
"CIM_IPNetworkSecurityIndication.IPVersionSupport" }]
uint8 DestPrefixLength;
[Description (
"The port for the source address for this message from the "
"Detector's point of view."),
ModelCorrespondence {
"CIM_IPNetworkSecurityIndication.SourceAddress",
"CIM_IPNetworkSecurityIndication.IPv4NumericSourceAddress" }]
uint32 SourcePort;
[Description (
"The port for the destination address for this message from "
"the Detector's point of view."),
ModelCorrespondence {
"CIM_IPNetworkSecurityIndication.DestAddress",
"CIM_IPNetworkSecurityIndication.IPv4NumericDestAddress" }]
uint32 DestPort;
[Description (
"The MAC address for the source address for this message "
"from the Detector's point of view."),
ModelCorrespondence {
"CIM_IPNetworkSecurityIndication.SourceAddress",
"CIM_IPNetworkSecurityIndication.IPv4NumericSourceAddress" }]
string SourceMACAddress;
[Description (
"The MAC address for the destination address for this "
"message from the Detector's point of view."),
ModelCorrespondence {
"CIM_IPNetworkSecurityIndication.DestAddress",
"CIM_IPNetworkSecurityIndication.IPv4NumericDestAddress" }]
string DestMACAddress;
};
// ==================================================================
// IPPacketFilterIndication
// ==================================================================
[Indication, Experimental, Version ( "2.8.1000" ), Description (
"The IPPacketFilterIndication class is intended to provide a "
"base set of properties to allow for common data to be logged "
"by all packet filtering services and devices in a consistent "
"manner. This single consistent model of data will allow for "
"common reporting of many messages across different packet "
"filtering systems, which will help improve security "
"information management by providing a single view of the "
"information.")]
class CIM_IPPacketFilterIndication : CIM_IPNetworkSecurityIndication {
[Required, Override ( "MessageType" ), Description (
"An integer indicating the type of message to which the "
"indication applies. DMTF subclasses will define specific "
"values from the DMTF Class Reserved range."),
ValueMap { "0","2","3","4","5","6..100","101..15999","16000.." },
Values { "Unknown","Not Applicable",
"Connection Accepted","Connection Rejected",
"Connection Dropped","DMTF Class Reserved",
"DMTF Reserved","Vendor Reserved" }]
uint16 MessageType;
[Required, Description (
"An integer indicating the direction of packet traffic from "
"the standpoint of the packet filter."),
ValueMap { "0","1" },
Values { "Ingress","Egress" }]
uint16 Direction;
[Description (
"An integer indicating the naming convention used for host "
"names reported by the packet filter. The default is "
"\"DNS\"."),
ValueMap { "0","1" },
Values { "DNS","NETBIOS" }]
uint16 NamingConvention = 0;
[Description (
"The name of the host that corresponds to the "
"IPv4SourceAddress or IPv6SourceAddress."),
ModelCorrespondence {
"CIM_IPPacketFilterIndication.NamingConvention" }]
string SourceHostName;
[Description (
"The name of the host that corresponds to the "
"IPv4DestinationAddress or IPv6DestinationAddress."),
ModelCorrespondence {
"CIM_IPPacketFilterIndication.NamingConvention" }]
string DestinationHostName;
[Description (
"The name of the TCP or UDP service that corresponds to the "
"DestPort.")]
string DestinationServiceName;
[Description (
"The source port after translation when Network Address "
"Translation is performed by the packet filter.")]
uint16 TranslatedSourcePort;
[Description (
"The source IPv4 address after translation when Network "
"Address Translation is performed by the packet filter.")]
uint32 TranslatedSourceIPv4NumericAddress;
[Description (
"The source address after translation when Network Address "
"Translation is performed by the packet filter.")]
string TranslatedSourceAddress;
[Description (
"The destination port after translation when Network Address "
"Translation is performed by the packet filter.")]
uint16 TranslatedDestPort;
[Description (
"The destination IPv4 address after translation when Network "
"Address Translation is performed by the packet filter.")]
uint32 TranslatedDestIPv4NumericAddress;
[Description (
"The destination address after translation when Network "
"Address Translation is performed by the packet filter.")]
string TranslatedDestAddress;
};
| No CVS admin address has been configured |
Powered by ViewCVS 0.9.2 |