Declarative data
Declarative data allows you to explicitly report information related to an asset.
They can be used to create an air-gapped asset or to edit the information of an asset that is already supervised by Cyberwatch to adapt the scan results.
The information to be filled in must respect the syntax described below.
Edit the declarative data of an asset
- Click on Inventory.
- Select an asset.
- From the page dedicated to the asset, on “Analyses” tab, click on the edit button in front of “Declarative data”.
- Fill in the information about the asset, respecting the syntax.
- Confirm the changes by clicking on the “Update” button.
Syntax of the language
Each property is composed of a key/value pair, whose syntax is:
KEY:value
Syntax precision
-
The keys are exclusively composed of capital letters and underscores:
bad_key: → syntax error BAD-KEY: → syntax error GOOD_KEY: -
Lines that do not respect the key:value format also trigger syntax errors.
Note that syntax errors are never fatal, the property will simply not be considered in the analysis.
-
Comments start at the beginning of the line with the # character, and extend over the whole line. Since values can contain the # character, commenting a part of the line is not possible.
-
Multi line values are accepted for some properties. They must have a larger indentation than the property that defines them:
KEY:start ... end
Forbidding a value
You can forbid a value by preceding the previous syntax with a hyphen. The value will no longer be taken into account by Cyberwatch scans:
-KEY1:value1
All occurrences of KEY1:value1 that follow -KEY1:value1 will be ignored.
N.B.: The hyphen must be followed by the exact line found during the scan.
Types of properties
Two types of properties are available:
-
The simple properties that can only be set once and accept only one value. If the property is redefined, the second value is ignored:
HOSTNAME:server-1 HOSTNAME:server-2 → ignored -
The multiple properties which can be filled in several times in the script. They allow you to build a list of elements:
# Adds 2 packages PACKAGE:coreutils|8.32-1 PACKAGE:bash|5.1.004-1
Note that when editing the information of an asset, the simple properties can be directly rewritten. They will then replace the information reported during scan:
HOSTNAME:server-1 → remplaces the reported value
However, multiple properties cannot be directly rewritten. For a value to be overwritten, you must forbid it and add a property with the new value.
Use case example:
# Replace a package version
-PACKAGE:coreutils|8.31
PACKAGE:coreutils|8.32
List of main properties
System information
| KEY | Impact | Example KEY:value | Simple/Multiple |
|---|---|---|---|
| HOSTNAME | Defines the asset name | HOSTNAME:server | Simple |
| KERNEL_VERSION | Defines the version of the OS kernel | KERNEL_VERSION:5.4.0-42-generic | Simple |
| OS_NAME | Defines the name of the asset’s operating system | OS_NAME:Ubuntu | Simple |
| OS_VERSION | Defines the version of the operating system | OS_VERSION:20.04.1 LTS | Simple |
| OS_PRETTYNAME | Defines the operating system and its version | OS_PRETTYNAME:Ubuntu 20.04.1 LTS | Simple |
| ARCH | Defines the asset’s architecture | ARCH:x86_64 | Simple |
System state
| KEY | Impact | Example KEY:value | Simple/Multiple |
|---|---|---|---|
| REBOOT | Sets the asset status to ‘Restart required’ | REBOOT:false | Simple |
| BOOT_TIME | Sets the start date and time | BOOT_TIME:2021-03-18T07:38:59+0000 | Simple |
Services
| KEY | Impact | Example KEY:value | Simple/Multiple |
|---|---|---|---|
| SERVICE | Adds a line to the Services tab | SERVICE:ssh|enabled | Multiple |
Installed packages/applications
| KEY | Impact | Example KEY:value | Simple/Multiple |
|---|---|---|---|
| PACKAGE | Adds a package to the asset’s technologies | PACKAGE:firefox|80.0.1+build1-0ubuntu0.20.04.1 | Multiple |
| APPLICATION | Adds an application to the asset’s technologies | APPLICATION:Microsoft Office 365 ProPlus - en-us|16.0.11328.20512 | Multiple |
| NVD_APPLICATION | Adds a third-party application from its CPE code in the NVD database | NVD_APPLICATION:cpe:/a:elastic:kibana:7.0.0 | Multiple |
| FIRMWARE | Specifies the CPE code of the firmware of an appliance | FIRMWARE:cpe:/o:stormshield:stormshield_network_security:3.8.1 | Multiple |
| META | Adds a line to the Metadata tab | META:processor-version|Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz | Multiple |
Network information
| KEY | Impact | Example KEY:value | Simple/Multiple |
|---|---|---|---|
| IP | Defines the IP addresses of the asset | IP:127.0.0.1 | Multiple |
| TCP | Adds a TCP port to the Ports tab | TCP:22 or TCP:22|openssh | Multiple |
| UDP | Adds an UDP port to the Ports tab | UDP:53 | Multiple |
Windows specific properties
| KEY | Impact | Example KEY:value | Simple/Multiple |
|---|---|---|---|
| OS_BUILD | Defines the Windows build | OS_BUILD:17763.1158 | Simple |
| WUAVERSION | Sets the version of the Windows Update Agent | WUAVERSION:10.0.17763.1 | Multiple |
| CAB_FILENAME | Sets the name of the official Microsoft file used for this scan | CAB_FILENAME:dcdb9e78484667695627acea9213897eaf.cab | Simple |
SAP specific properties
| KEY | Impact | Example KEY:value | Simple/Multiple |
|---|---|---|---|
| SAP_NOTE | Adds a SAP note to the asset | SAP_NOTE:3119365 | Multiple |
Security issues
| KEY | Impact | Example KEY:value | Simple/Multiple |
|---|---|---|---|
| SECURITY_ISSUE | Adds a line to the Security Issues tab | SECURITY_ISSUE: sid: WSTG-CRYP-04 (low) cipher: TLS_RSA_WITH_AES_128_CBC_SHA grade: A port: 443 | Multiple |