The following is a description of the elements, types, and
attributes that compose the Common Result Format (CRF). Each of the
elements, types, and attributes that make up the CRF schema are
described in detail. This document is intended for developers and
assumes some familiarity with XML. A high level description of the
interaction between these objects is not outlined here.
This schema and the CRF specification are currently in DRAFT form.
The CRF Schema is maintained by The MITRE Corporation. For more
information, including how to get involved in the project and how
to submit change requests, please visit the CRF website at
http://crf.mitre.org.
Common Result Format (CRF)
0.2
9/10/2007 11:30:00 AM
The CommonResultSet element is the root element of a Common
Result Format document. This element serves as a wrapper around
a set of assessment results for any number of Assests where
those results may have compiled by any number of Assessors.
Each CommonResultSet has a Generator section that identifies
the application that compiled that document and when it was
complied.
The Generator element is based on the GeneratorType
and identifies the application that compiled the
document and when the document was compiled.
The Assessors element identifies the set of applications
that were used to assess Assets in the compiled CRF
document. A CRF document must include at least one
Assessor.
The Assets element identifies the set of Assets
that are compiled in the CRF document. A CRF
document must include at least one Asset.
The optional Signature element allows an XML Signature
as defined by the W3C to be attached to the document.
This allows authentication and data integrity to be
provided to the user. Enveloped signatures are
supported. More information about the official W3C
Recommendation regarding XML digital signatures can be
found at http://www.w3.org/TR/xmldsig-core/.
The GeneratorType complex type defines an element that is used
to hold information about when a CRF document was compiled,
what version of the schema was used, what tool compiled the
document, and what version of that tools was used.
Additional generator information is also allowed although it is
not part of the official Schema. Individual generators can
place application specific generator information in this section.
This information will be skipped during validation.
The CPE Name of the application that compiled the document.
The required schema_version specifies the version of
the CRF schema that the document has been written in
and that should be used for validation.
The required timestamp specifies when the particular
CRF document was compiled. The format for the timestamp
is yyyy-mm-ddThh:mm:ss.
This xsd:any element allows for xml defined in any other
namespace to be included in the Generator section of a
document. This space allows an application to encode
additional information as needed and still create valid
CRF documnets.
See the CPE specification for documentation of the strucuture
of the CPE Name. (http://cpe.mitre.org)
The AssessorType complex type defines an element that represents
an Assessor. Each Assessor is assigned a unique integer id.
Each Asset in the document refers up to an Assessor, which
allows each Asset to indicate what application was used to
assess it.
Additional assessor information is also allowed although it is
not part of the official Schema. Individual applications can
place application specific assessor information that they feel
is important in this section. This infomration will be skipped
during validation.
TODO: Add in contraint to ensure assessor ids are unique in the document.
The CPE Name of the application that compiled the document.
This xsd:any element allows for xml defined in any other
namespace to be included in the Assessor section of a
document. This space allows an application to encode
additional information as needed and still create valid
CRF documnets.
Each Assessor has a unique integer id. Assets refer
to Assessors by using their id.
The AssetType defines the structure of an Asset in CRF.
Each asset has a set of attributes that identify it and
an optional set of Findings.
TODO: Add in key constraint to enforce existance of assessorId in the CRF document.
The id element contains a set of attributes that identify
the asset.
The Findings element is a container for a set of individual
Findings for the Asset.
The assessorId attribute identifies the Assessor that did
the assessment of the asset.
The AssetType's timestamp attribute indicates the date
and time that the asset was assessed. Note that a given
asset may be included in one CRF document many times. Each
occurance of an asset will have a different id, and timestamp.
The AssetIdType defines a set of metadata that idenfies an asset.
The name of an asset is its fully qualified domain name.
The interfaces element is a container for one or more
interface elements. Each interface element is describes
an existing network interface on the asset.
Please refer to the description of the InterfaceType
for more information.
The properties element is an optional container or properies of an asset.
See the definition of the Property type for more information about a Property.
This xsd:any element allows for xml defined in any other
namespace to be included in the AssetId section of an
Asset. This space allows an application to encode
additional information as needed and still create valid
CRF documnets.
The InterfaceType complex type is used to describe an existing
network interface on the system. This information can help identify
a specific system on a given network. The name, ip_address, and
mac_address are all optional, but at a minimum an ip_address or
mac_address must be specified.
TODO: Add in contraint to enforce ip or mac address being specified.
The interface_name element is the name of the interface.
The ip_address element holds the ip address for the interface.
The mac_address element holds teh mac address for the interface.
The PropertyType defines an element with an name and value.
The name is a uri that is defined in the CRF specification.
Each name idenifies an attribute of an asset.
The name of the property.
The FindingType defines the strucutre of a Finding on an asset.
Each finding is based on a type an identifer which together
indicate the common name of the issue being reported on for the
current asset.
TODO: document the relationships between result value and finding type.
Thsi is done in the specification does it need to happen here too?
The check element allows Assessors to insert detailed check infomation
for a finding on an asset. See the description of the CheckType for
more information on the structure of the check element.
The type of finding being reported on.
The identifier of the finding beinf reported on. The format
of this identifier is dictated by the type of the finding.
TODO: Determine if a contraint can be added to force the
id format to align with the id type.
The result determined by the assessor for the identified
issue on the asset. See the definition of the ResultEnum
for possible result values.
The CheckType defines who CRF supports the incusion of
detailed checking information for a finding.
TODO: determine how to force at least one of check or check result reference.
The parameter element allows assessors to encode any parameters
that were passed to the check durring assessment.
TODO: determine how to strongly encourage inclusiion of parameters
for CCE based findings.
A reference to the actual check content used.
See the description of the CheckContentReferenceType
for details on its structure.
A reference to the detailed results returned for the check.
See the description of the CheckResultReferenceType
for details on its structure.
The standard checking system that the check is based on.
TODO: restirct this to just OVAL and XCCDF
The CheckParamaterType defines the structure of
a paramter passed to a check. Each parammeter
has an optional name and required value.
TODO: require the value to not be null.
The optional name of the parameter passed to the check.
The name should be specified if the check used identifies
its paramters by name. The name should match the name of the
paramater in the check.
The CheckContentReferenceType defines the structure of a
reference out of a CRF document to a document that contains
a check or set of checks. If the docuement contians a set of
checks a single check must be idenitfied by name.
Optionally a signature may be included. In this case the signature
is over the contents of the referenced document.
The optional Signature element allows an XML Signature
as defined by the W3C to be generated foor the referenced
docuemnt and included along with the reference to the check.
Including a singature allows assessors to ensure that referenced
documents remain unchanged. More information about the official
W3C Recommendation regarding XML digital signatures can be
found at http://www.w3.org/TR/xmldsig-core/.
A reference to the document that contains the check.
The optional name of the check that was used. If
the document that contains the check contains more
than one check a name must be specified. The name
identifies the single check in the set of checks in
the docuement.
The CheckResultReferenceType defines the structure of a
reference out of a CRF document to a document that contains
detailed check results or set of check results. If the
docuement contians a set of check results a single check result
must be idenitfied by name.
Optionally a signature may be included. In this case the signature
is over the contents of the referenced document.
The optional Signature element allows an XML Signature
as defined by the W3C to be generated foor the referenced
docuemnt and included along with the reference to the check results.
Including a singature allows assessors to ensure that referenced
documents remain unchanged. More information about the official
W3C Recommendation regarding XML digital signatures can be
found at http://www.w3.org/TR/xmldsig-core/.
A reference to the document that contains the detailed check results.
The optional name of the check result. If the document
that contains the check result contains more than one
check result a name must be specified. The name identifies
the single check result in the set of checks in the docuement.
This enumeration defines the set of allowed finding types.
CRF uses CCE to identify configuration items.
See http://cce.mitre.org for more information
about CCE and the structure of a CCE identifier.
See http://cpe.mitre.org for more information
about CPE and the structure of a CPE Name.
CRF uses CVE to name vulnerabilities. A value
of CVE indicates that that type of finding is
based on a CVE name. See http://cve.mitre.org
for more information about CVE and the structure
of a CVE name.
See http://cwe.mnitre.org for more information
about CWE and the structure of a CWE identifier.
See the “Patch Naming” section of the CRF Specification
for more information about the structure of a patch names.
The ResultEnum defines the set of possible result values
for a finding.
The meaning of a ‘true’ result varies depending on
the type of Finding. See the documentation of the
Finding class for a table that defines the meaning
of a ‘true’ result for each type of Finding.
The meaning of a ‘false’ result varies depending
on the type of Finding. See the documentation of
the Finding class for a table that defines the
meaning of a ‘false’ result for each type of Finding.
A result value of 'error' means that the assessor
encountered an error while assessing the asset.
A result value of 'unknown' means that the Assessor
was unable to determine a ‘true’ or ‘false’ result.
The Assessor determined that the specified item is not
valid on the Asset.
A choice was made not to check the asset for the
identified item. The actual result is in essence
unknown since if evaluation had occurred it could
have been either true or false.
The PropertyNameEnum defines the set of valid property names
and their meanings.
TODO: complete this set of names.
In a future revision find a place to put these names outside
the crf specification since this set of names is common to
several standards.
A mac address.
A version 4 ip address.
A version 6 ip address.
A fully qualified domain name.