CMSI - Homepage

During the past two years, German CERTs have worked on establishing closer contacts and finding possibilities for co-operation. One consequence of this work was the formation of the "Deutscher CERT-Verbund", an association of German CERTs. Under the auspices of the Deutscher CERT-Verbund, several projects are being conducted with the aim of establishing a basis for close co-operation between German CERTs.

Cornerstone of an infrastructure that supports co-operation on security advisories is the "Deutsche Advisory Format" (German Advisory Format), DAF, an actively maintained successor of the EISPP advisory format that was developed as part of a European research project from June 2002 to Janury 2004. Further information regarding DAF can be found on the DAF Homepage.

Working on DAF, it soon became quite clear that an effective and efficient co-operation between CERTs regarding advisories requires a common model for specifying machine-readable system information: without such a model, useful mechanisms such as automated filtering of advisories with respect to affecte systems cannot be realized.

As a consequence, the subproject CMSI (Common Model of System Information) was established as part of the DAF working group. CMSI is not being developed as a part of DAF, because the applications of a common model of system information are much broader: CMSI could be used as well in other standards regarding the exchange of security information such as IODEF and XCCDF or in the field of configuration management.

On this CMSI-homepage, you find the following resources:

• Description of CMSI: An article presented at the FIRST 2005 conference provides a detailed description of CMSI. The article focuses on the basic data model of CMSI and its realization as an XML-standard.
• XML-Resources for CMSI: We provide an XML-DTD for CMSI and a generic stylesheet for rendering CMSI-XML-documents. Attention: some browsers have difficulties displaying DTDs: if that is the case for your browser, download the DTD by right-clicking on the link and view the DTD in an editor.
• Here you can view an example of what the beginnings of a model of system information based on CMSI could look like. To get a feeling of how the model could be used, please take a look at the following two XML files: these demonstrate how machine-readable system information can be included in an XML-based exchange format for advisories such as DAF.
  • The first example shows, how the fact can be expressed that certain versions of Apache are vulnerable on Windows and Unix platforms.
  • The second example shows, how the fact that Windows 2000 running SP2 is vulnerable can be expressed in several levels of granularity.

CMSI has been integrated as central component of the incident-handling tool SIRIOS, another CERT-Verbund project.