SecurityGuarantee.ttl
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix dct: <http://purl.org/dc/terms/> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
@prefix ids: <https://w3id.org/idsa/core/> .
# Security profile - value ranges
@prefix idsc: <https://w3id.org/idsa/code/> .
# Instances
# ---------
# TODO: Clarify the relationship between guarantee values (does value FOO imply value BAR?)
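# Integrity guarantee: a closed enumeration (owl:oneOf) of three values that
# describe integrity protection / verification of the installed software stack.
# NOTE(review): this file states no ordering or implication between the values
# (see the file-level TODO), so policy checks should match the exact value
# required rather than assume that REMOTE subsumes LOCAL.
# NOTE(review): no owl:AllDifferent / owl:differentFrom axiom is visible in this
# file; OWL has no unique-name assumption, so a reasoner cannot conclude that
# the individuals are distinct unless that is declared elsewhere.
ids:IntegrityGuarantee
    a owl:Class ;
    rdfs:subClassOf ids:SecurityGuarantee ;
    rdfs:label "Integrity protection and verification"@en ;
    rdfs:comment "Level of integrity protection and verification of the installed software stack. Trusted boot is an example of local integrity protection, remote integrity verification comprises, for example, remote attestation."@en ;
    owl:oneOf (
        idsc:INTEGRITY_PROTECTION_NONE
        idsc:INTEGRITY_PROTECTION_LOCAL
        idsc:INTEGRITY_VERIFICATION_REMOTE
    ) .

idsc:INTEGRITY_PROTECTION_NONE
    a ids:IntegrityGuarantee ;
    rdfs:label "Integrity Protection None" .

idsc:INTEGRITY_PROTECTION_LOCAL
    a ids:IntegrityGuarantee ;
    rdfs:label "Integrity Protection Local" .

# Label corrected to agree with the identifier and with the class comment
# ("remote integrity verification"); it previously read "Integrity Protection Remote".
idsc:INTEGRITY_VERIFICATION_REMOTE
    a ids:IntegrityGuarantee ;
    rdfs:label "Integrity Verification Remote" .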
# Integrity verification scope: closed enumeration (owl:oneOf) stating how much
# of the software stack is covered by integrity verification.
# NOTE(review): the identifiers suggest the second value covers kernel and core
# container and the third additionally covers applications; the file does not
# define these terms, so confirm against the certification criteria.
ids:IntegrityVerificationScopeGuarantee
    a owl:Class ;
    rdfs:subClassOf ids:SecurityGuarantee ;
    rdfs:label "Integrity verification scope"@en ;
    rdfs:comment "Level/extent of verifying the software stack."@en ;
    owl:oneOf (
        idsc:INTEGRITY_VERIFICATION_SCOPE_NONE
        idsc:INTEGRITY_VERIFICATION_SCOPE_KERNEL_CORE_CONTAINER
        idsc:INTEGRITY_VERIFICATION_SCOPE_KERNEL_CORE_CONTAINER_APPLICATION
    ) .

idsc:INTEGRITY_VERIFICATION_SCOPE_NONE
    a ids:IntegrityVerificationScopeGuarantee ;
    rdfs:label "Integrity Verification Scope None" .

idsc:INTEGRITY_VERIFICATION_SCOPE_KERNEL_CORE_CONTAINER
    a ids:IntegrityVerificationScopeGuarantee ;
    rdfs:label "Integrity Verification Scope Kernel Core Container" .

idsc:INTEGRITY_VERIFICATION_SCOPE_KERNEL_CORE_CONTAINER_APPLICATION
    a ids:IntegrityVerificationScopeGuarantee ;
    rdfs:label "Integrity Verification Scope Kernel Core Container Application" .
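# Authentication guarantee: closed enumeration (owl:oneOf) of the authentication
# performed before a connection is opened.
# The three default profiles defined in this file (BASE, TRUST, TRUST+) all
# list AUTHENTICATION_MUTUAL.
# NOTE(review): SERVER_SIDE presumably means only the server's identity is
# verified, leaving the client unauthenticated — confirm against the
# certification criteria before accepting it in a policy.
ids:AuthenticationGuarantee
    a owl:Class ;
    rdfs:subClassOf ids:SecurityGuarantee ;
    rdfs:label "Authentication"@en ;
    # Wording fixed: the original read "the verification server's identity",
    # which can be misread as the identity of a "verification server".
    rdfs:comment "Authentication mechanism applied prior to opening a connection. Examples are the verification of the server's identity or doing mutual authentication."@en ;
    owl:oneOf (
        idsc:AUTHENTICATION_NONE
        idsc:AUTHENTICATION_SERVER_SIDE
        idsc:AUTHENTICATION_MUTUAL
    ) .

idsc:AUTHENTICATION_NONE
    a ids:AuthenticationGuarantee ;
    rdfs:label "Authentication None" .

# Label aligned with the identifier, following the pattern of the other
# individuals in this file; it previously read "Authentication Serverside".
idsc:AUTHENTICATION_SERVER_SIDE
    a ids:AuthenticationGuarantee ;
    rdfs:label "Authentication Server Side" .

idsc:AUTHENTICATION_MUTUAL
    a ids:AuthenticationGuarantee ;
    rdfs:label "Authentication Mutual" .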
# Service isolation guarantee: closed enumeration (owl:oneOf) of the isolation
# mechanism a Connector supports for its services.
# Per the class comment, PROCESS_GROUP corresponds to Docker-style process
# groups and LEAST_PRIVILEGE to least-privilege separation with additional
# security modules (trustme is the named example).
# NOTE(review): the value records the mechanism only; how strictly it is
# configured is not expressed in this vocabulary.
ids:ServiceIsolationGuarantee
    a owl:Class ;
    rdfs:subClassOf ids:SecurityGuarantee ;
    rdfs:label "Service isolation"@en ;
    rdfs:comment "Service isolation mechanism supported by the Connector. Examples are process group (Docker) or by least privilege with clear separation and support for additional security modules as done by trustme."@en ;
    owl:oneOf (
        idsc:SERVICE_ISOLATION_NONE
        idsc:SERVICE_ISOLATION_PROCESS_GROUP
        idsc:SERVICE_ISOLATION_LEAST_PRIVILEGE
    ) .

idsc:SERVICE_ISOLATION_NONE
    a ids:ServiceIsolationGuarantee ;
    rdfs:label "Service Isolation None" .

idsc:SERVICE_ISOLATION_PROCESS_GROUP
    a ids:ServiceIsolationGuarantee ;
    rdfs:label "Service Isolation Process Group" .

idsc:SERVICE_ISOLATION_LEAST_PRIVILEGE
    a ids:ServiceIsolationGuarantee ;
    rdfs:label "Service Isolation Least Privilege" .
# TODO: unclear / name and description do not match the values -> revise
# App execution resources: closed enumeration (owl:oneOf) describing resource
# control for deployed services.
# NOTE(review): unlike its sibling classes this one carries no "Guarantee"
# suffix; the IRI is kept unchanged here because other files may reference it.
# NOTE(review): what is enforced locally or verified remotely is not defined in
# this file — confirm before relying on these values in a policy decision.
ids:AppExecutionResources
    a owl:Class ;
    rdfs:subClassOf ids:SecurityGuarantee ;
    rdfs:label "App execution resources"@en ;
    rdfs:comment "Resource control for deployed services."@en ;
    owl:oneOf (
        idsc:APP_RESOURCES_NONE
        idsc:APP_RESOURCES_LOCAL_ENFORCEMENT
        idsc:APP_RESOURCES_REMOTE_VERIFICATION
    ) .

idsc:APP_RESOURCES_NONE
    a ids:AppExecutionResources ;
    rdfs:label "App Resources None" .

idsc:APP_RESOURCES_LOCAL_ENFORCEMENT
    a ids:AppExecutionResources ;
    rdfs:label "App Resources Local Enforcement" .

idsc:APP_RESOURCES_REMOTE_VERIFICATION
    a ids:AppExecutionResources ;
    rdfs:label "App Resources Remote Verification" .
# Usage control guarantee: closed enumeration (owl:oneOf) of the extent to which
# a Connector supports usage control.
# NOTE(review): the identifiers distinguish local policy enforcement from
# remotely verifiable compliance; whether the remote value also implies local
# enforcement is not stated in this file.
ids:UsageControlGuarantee
    a owl:Class ;
    rdfs:subClassOf ids:SecurityGuarantee ;
    rdfs:label "Usage control"@en ;
    rdfs:comment "Extent of supporting usage control."@en ;
    owl:oneOf (
        idsc:USAGE_CONTROL_NONE
        idsc:USAGE_CONTROL_POLICY_ENFORCEMENT
        idsc:USAGE_CONTROL_REMOTE_COMPLIANCE_VERIFICATION
    ) .

idsc:USAGE_CONTROL_NONE
    a ids:UsageControlGuarantee ;
    rdfs:label "Usage Control None" .

idsc:USAGE_CONTROL_POLICY_ENFORCEMENT
    a ids:UsageControlGuarantee ;
    rdfs:label "Usage Control Policy Enforcement" .

idsc:USAGE_CONTROL_REMOTE_COMPLIANCE_VERIFICATION
    a ids:UsageControlGuarantee ;
    rdfs:label "Usage Control Remote Compliance Verification" .
# Audit guarantee: closed enumeration (owl:oneOf) of audit logging capability.
# Per the class comment, local audit logging includes integrity protection of
# the log and is the baseline; remote tracing enables external verification.
# In this file BASE and TRUST list AUDIT_LOCAL_LOGGING and TRUST+ lists
# AUDIT_REMOTE_TRACING.
ids:AuditGuarantee
    a owl:Class ;
    rdfs:subClassOf ids:SecurityGuarantee ;
    rdfs:label "Audit guarantee"@en ;
    rdfs:comment "Local audit logging (including integrity protection) is the baseline for auditing and clearing. Remote audit log tracing provides means to do external audit verification."@en ;
    owl:oneOf (
        idsc:AUDIT_NONE
        idsc:AUDIT_LOCAL_LOGGING
        idsc:AUDIT_REMOTE_TRACING
    ) .

idsc:AUDIT_NONE
    a ids:AuditGuarantee ;
    rdfs:label "Audit None" .

idsc:AUDIT_LOCAL_LOGGING
    a ids:AuditGuarantee ;
    rdfs:label "Audit Local Logging" .

idsc:AUDIT_REMOTE_TRACING
    a ids:AuditGuarantee ;
    rdfs:label "Audit Remote Tracing" .
# Local data confidentiality guarantee: closed enumeration (owl:oneOf) of the
# means by which data stored on the Connector is protected.
# NOTE(review): secure erasure and full encryption are different mechanisms;
# this file does not say whether FULL_ENCRYPTION is meant to include
# SECURE_ERASURE, so do not treat the values as an ordered scale.
ids:LocalDataConfidentialityGuarantee
    a owl:Class ;
    rdfs:subClassOf ids:SecurityGuarantee ;
    rdfs:label "Local data confidentiality"@en ;
    rdfs:comment "Means by which local data is protected."@en ;
    owl:oneOf (
        idsc:LOCAL_DATA_CONFIDENTIALITY_NONE
        idsc:LOCAL_DATA_CONFIDENTIALITY_SECURE_ERASURE
        idsc:LOCAL_DATA_CONFIDENTIALITY_FULL_ENCRYPTION
    ) .

idsc:LOCAL_DATA_CONFIDENTIALITY_NONE
    a ids:LocalDataConfidentialityGuarantee ;
    rdfs:label "Local Data Confidentiality None" .

idsc:LOCAL_DATA_CONFIDENTIALITY_SECURE_ERASURE
    a ids:LocalDataConfidentialityGuarantee ;
    rdfs:label "Local Data Confidentiality Secure Erasure" .

idsc:LOCAL_DATA_CONFIDENTIALITY_FULL_ENCRYPTION
    a ids:LocalDataConfidentialityGuarantee ;
    rdfs:label "Local Data Confidentiality Full Encryption" .
# Individuals, i.e. default profiles
# ----------------------------------
# NOTE: Only explicitly supported guarantees are listed!
# Base profile: one value from each of the eight guarantee classes in this file.
# Five of them are the *_NONE value (integrity, verification scope, app
# resources, usage control, local data confidentiality); the profile still
# lists mutual authentication, process-group isolation and local audit logging.
# NOTE(review): the section note says only explicitly supported guarantees are
# listed, yet the *_NONE values are listed here too; presumably they are an
# explicit declaration of absence — confirm.
idsc:BASE_SECURITY_PROFILE
    a ids:SecurityProfile ;
    rdfs:label "Base security profile"@en ;
    rdfs:comment "Default security profile of a certified IDS Connector."@en ;
    ids:securityGuarantee
        idsc:INTEGRITY_PROTECTION_NONE ,
        idsc:INTEGRITY_VERIFICATION_SCOPE_NONE ,
        idsc:APP_RESOURCES_NONE ,
        idsc:USAGE_CONTROL_NONE ,
        idsc:LOCAL_DATA_CONFIDENTIALITY_NONE ,
        idsc:AUTHENTICATION_MUTUAL ,
        idsc:SERVICE_ISOLATION_PROCESS_GROUP ,
        idsc:AUDIT_LOCAL_LOGGING .
# Trust profile: one value from each of the eight guarantee classes in this file.
# Compared with the base profile it lists remote integrity verification with
# kernel/core-container scope, least-privilege isolation, local app-resource
# enforcement, usage-control policy enforcement and full local encryption;
# mutual authentication and local audit logging are the same as in the base
# profile.
idsc:TRUST_SECURITY_PROFILE
    a ids:SecurityProfile ;
    rdfs:label "Trust security profile"@en ;
    rdfs:comment "The Security Profile TRUST as defined by the IDS certification criteria."@en ;
    ids:securityGuarantee
        idsc:INTEGRITY_VERIFICATION_REMOTE ,
        idsc:AUTHENTICATION_MUTUAL ,
        idsc:SERVICE_ISOLATION_LEAST_PRIVILEGE ,
        idsc:INTEGRITY_VERIFICATION_SCOPE_KERNEL_CORE_CONTAINER ,
        idsc:APP_RESOURCES_LOCAL_ENFORCEMENT ,
        idsc:USAGE_CONTROL_POLICY_ENFORCEMENT ,
        idsc:AUDIT_LOCAL_LOGGING ,
        idsc:LOCAL_DATA_CONFIDENTIALITY_FULL_ENCRYPTION .
# Trust Plus profile: one value from each of the eight guarantee classes in
# this file. It differs from the Trust profile in four values: verification
# scope additionally names the application, app resources use remote
# verification, usage control uses remote compliance verification, and audit
# uses remote tracing. The other four values are the same as in Trust.
idsc:TRUST_PLUS_SECURITY_PROFILE
    a ids:SecurityProfile ;
    rdfs:label "Trust Plus security profile"@en ;
    rdfs:comment "The Security Profile TRUST+ as defined by the IDS certification criteria."@en ;
    ids:securityGuarantee
        idsc:INTEGRITY_VERIFICATION_REMOTE ,
        idsc:AUTHENTICATION_MUTUAL ,
        idsc:SERVICE_ISOLATION_LEAST_PRIVILEGE ,
        idsc:INTEGRITY_VERIFICATION_SCOPE_KERNEL_CORE_CONTAINER_APPLICATION ,
        idsc:APP_RESOURCES_REMOTE_VERIFICATION ,
        idsc:USAGE_CONTROL_REMOTE_COMPLIANCE_VERIFICATION ,
        idsc:AUDIT_REMOTE_TRACING ,
        idsc:LOCAL_DATA_CONFIDENTIALITY_FULL_ENCRYPTION .