Skip to main content Link Menu Expand (external link) Document Search Copy Copied

Declarative data

Declarative data allows you to explicitly report information related to an asset.

They can be used to create an air-gapped asset or to edit the information of an asset that is already supervised by Cyberwatch to adapt the scan results.

The information to be filled in must respect the syntax described below.

Edit the declarative data of an asset

  1. Click on Inventory.
  2. Select an asset.
  3. From the page dedicated to the asset, on “Analyses” tab, click on the edit button in front of “Declarative data”.
  4. Fill in the information about the asset, respecting the syntax.
  5. Confirm the changes by clicking on the “Update” button.

Syntax of the language

Each property is composed of a key/value pair, whose syntax is:

KEY:value

Syntax precision

  • The keys are exclusively composed of capital letters and underscores:

     bad_key: → syntax error
     BAD-KEY: → syntax error
     GOOD_KEY:
    
  • Lines that do not respect the key:value format also trigger syntax errors.

    Note that syntax errors are never fatal, the property will simply not be considered in the analysis.

  • Comments start at the beginning of the line with the # character, and extend over the whole line. Since values can contain the # character, commenting a part of the line is not possible.

  • Multi line values are accepted for some properties. They must have a larger indentation than the property that defines them:

     KEY:start
        ...
        end
    

Forbidding a value

You can forbid a value by preceding the previous syntax with a hyphen. The value will no longer be taken into account by Cyberwatch scans:

-KEY1:value1

All occurrences of KEY1:value1 that follow -KEY1:value1 will be ignored.

N.B.: The hyphen must be followed by the exact line found during the scan.

Types of properties

Two types of properties are available:

  • The simple properties that can only be set once and accept only one value. If the property is redefined, the second value is ignored:

     HOSTNAME:server-1
     HOSTNAME:server-2 → ignored
    
  • The multiple properties which can be filled in several times in the script. They allow you to build a list of elements:

     # Adds 2 packages
     PACKAGE:coreutils|8.32-1
     PACKAGE:bash|5.1.004-1
    

Note that when editing the information of an asset, the simple properties can be directly rewritten. They will then replace the information reported during scan:

   HOSTNAME:server-1 → remplaces the reported value

However, multiple properties cannot be directly rewritten. For a value to be overwritten, you must forbid it and add a property with the new value.

Use case example:

   # Replace a package version
   -PACKAGE:coreutils|8.31
   PACKAGE:coreutils|8.32

List of main properties

System information

KEY Impact Example KEY:value Simple/Multiple
HOSTNAME Defines the asset name HOSTNAME:server Simple
KERNEL_VERSION Defines the version of the OS kernel KERNEL_VERSION:5.4.0-42-generic Simple
OS_NAME Defines the name of the asset’s operating system OS_NAME:Ubuntu Simple
OS_VERSION Defines the version of the operating system OS_VERSION:20.04.1 LTS Simple
OS_PRETTYNAME Defines the operating system and its version OS_PRETTYNAME:Ubuntu 20.04.1 LTS Simple
ARCH Defines the asset’s architecture ARCH:x86_64 Simple

System state

KEY Impact Example KEY:value Simple/Multiple
REBOOT Sets the asset status to ‘Restart required’ REBOOT:false Simple
BOOT_TIME Sets the start date and time BOOT_TIME:2021-03-18T07:38:59+0000 Simple

Services

KEY Impact Example KEY:value Simple/Multiple
SERVICE Adds a line to the Services tab SERVICE:ssh|enabled Multiple

Installed packages/applications

KEY Impact Example KEY:value Simple/Multiple
PACKAGE Adds a package to the asset’s technologies PACKAGE:firefox|80.0.1+build1-0ubuntu0.20.04.1 Multiple
APPLICATION Adds an application to the asset’s technologies APPLICATION:Microsoft Office 365 ProPlus - en-us|16.0.11328.20512 Multiple
NVD_APPLICATION Adds a third-party application from its CPE code in the NVD database NVD_APPLICATION:cpe:/a:elastic:kibana:7.0.0 Multiple
FIRMWARE Specifies the CPE code of the firmware of an appliance FIRMWARE:cpe:/o:stormshield:stormshield_network_security:3.8.1 Multiple
META Adds a line to the Metadata tab META:processor-version|Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz Multiple

Network information

KEY Impact Example KEY:value Simple/Multiple
IP Defines the IP addresses of the asset IP:127.0.0.1 Multiple
TCP Adds a TCP port to the Ports tab TCP:22 or TCP:22|openssh Multiple
UDP Adds an UDP port to the Ports tab UDP:53 Multiple

Windows specific properties

KEY Impact Example KEY:value Simple/Multiple
OS_BUILD Defines the Windows build OS_BUILD:17763.1158 Simple
WUAVERSION Sets the version of the Windows Update Agent WUAVERSION:10.0.17763.1 Multiple
CAB_FILENAME Sets the name of the official Microsoft file used for this scan CAB_FILENAME:dcdb9e78484667695627acea9213897eaf.cab Simple

SAP specific properties

KEY Impact Example KEY:value Simple/Multiple
SAP_NOTE Adds a SAP note to the asset SAP_NOTE:3119365 Multiple

Security issues

KEY Impact Example KEY:value Simple/Multiple
SECURITY_ISSUE Adds a line to the Security Issues tab SECURITY_ISSUE:
   sid: WSTG-CRYP-04 (low)
   cipher: TLS_RSA_WITH_AES_128_CBC_SHA
   grade: A
   port: 443
Multiple