Definition of "Attribute"

[adammontville]

The definition of attribute presently relies on RFC5209, which defines an attribute as a "data element including any requisite meta-data describing an observed, expected, or the operational status of an endpoint feature (e.g., anti-virus software is currently in use)." We augment this definition by stating that an attribute is atomic and equivalent to (synonymous with??) attribute-value-pairs. We further state that an attribute is a component of a subject.

This feels overly complicated for what we need. There are subjects, and these subjects have attributes. These attributes have values. The AV description provided does not seem like a single attribute, but a collection of attributes for different subjects. Endpoint has_installed anti-virus software. Anti-virus software has_execution_state running.

Is our definition of attribute granular enough?

[henkbirkholz]

Referencing the NEA definitions seems approriate as seems to be the biggest component used in SACM at the moment.
The SACM specific definition is composed of two statements:

• Attributes are "atomic" information elements and an equivalent to attribute-value-pairs.
• Attributes can be components of Subjects.

What improvements would you propose?

[henkbirkholz]

Merged #43 into this issue.

Please make "Endpoint Characteristic" singular.

[adammontville]

I suppose I just don't like the NEA definition, either because it conflates entities of reality into one term or because I'm discomforted by viewing an attribute as a set of information elements (which is what the NEA definition permits).

I'm thinking of attribute like, for example, minimum password length. There is a configuration item (an attribute) that inheres in many software applications called minimum password length. Its purpose is to specify the minimum length of users' passwords, and may take on a range of values depending on the policy and the technology. The range of values assignable to minimum password length is not the attribute itself, nor is the actual value presently assigned to minimum password length.

Another way to look at it is that the terminology is saying "attribute" is the same as "attribute-value pair". An attribute is an attribute-value pair doesn't make sense to me. An attribute is part of an attribute-value pair, yes, but not an attribute-value pair in its own right.

[adammontville]

After reading Henk's comment on #42, I see why attribute-value pair was talked about as being synonymous with "attribute". With minimum password length the value of 14 existing on an endpoint in a well-defined/expected location would be the instance of that attribute for that endpoint. ??

[henkbirkholz]

Based on the "password length" example above:
There would have to be, for example, a min-password-length IE (which would be an Attribute) that has be be associated with a Subject IE (e.g. named "password-requirements") in order to be usable.

In this example, an instance of the min-password-length IE included in the password-requirements IE (and please mind these IE names are also exemplary names) would be collected and published by a SACM collector wrt the Target Endpoint that is the data source that in a well-defined/expected location contains this "value of 14".

Does this illustration clarify the concept?

Do we need to add expositional text anywhere to improve comprehensibility?