Usage Guide - Operating System

Categorization

Normalized data in CyberSecurity Asset Management (CSAM) categorizes operating systems using an internally developed classification system.

It follows a two-level classification system: Level 1 Category and Level 2 Category.

- Level 1 Category: Indicates the operating system family.

- Level 2 Category: Indicates whether the operating system is for client, server or virtualized environments.

Example:

a) "Apple macOS High Sierra" → Mac / Client → Level 1: Mac, Level 2: Client

b) "VMware ESXi" → Virtualization / Hypervisor Type-1 (Bare Metal) → Level 1: Virtualization, Level 2: Hypervisor Type-1 (Bare Metal)

There are currently 13 Level 1 categories and 5 Level 2 categories for classifying operating systems.

Publisher

Developer/Publisher or current owner of the Operating System. Example: Apple, Microsoft

Name

Name of the Operating System.

Market Version

Name, number or any value assigned to the major release of the installed OS.

Examples:

a) Microsoft Windows Server 2019 Standard 10.0.19541 - Market Version: 2019

b) Apple macOS Mojave - Market Version: Mojave

c) Microsoft Windows 7 - Market Version: 7

Version

The major and minor version of the product.

Update

The service pack number, update, maintenance release etc. of the product.

Edition

Determines if the installed OS belongs to any particular edition that is defined by the publisher.

Example:

Microsoft Windows 10 is distributed under the following editions:

- Enterprise

- Pro

- Home etc.

Lifecycle information provides key milestones and dates related to the support of the operating system. CSAM currently has lifecycle information for nearly 50 publishers and over 7000 operating system releases. Qualys is continuously adding new publishers and operating systems, so these numbers are subject to change.

Exact and Estimated Lifecycle:

Key publishers such as Microsoft, Red Hat, IBM, Cisco, Oracle and VMware, among others, have well-documented support policies and support dates published for their operating systems. The CSAM team continuously tracks and curates data from these published sources to provide lifecycle information in a standardized and structured format.

However, support information may not be publicly available for some operating systems, and it is difficult to determine the exact date when the version will become unsupported. For such cases, CSAM provides its users with estimated support stages and dates. These estimates are derived from standard support time frames followed across the industry. In such cases, users will see the label ‘estimated’ against lifecycle information. Some OS manufacturers, such as Nokia, Dell, Dell EMC and Lantronix, do not publish support dates for their products at all.

Lifecycle Data Points:

- Generally Available or GA: Indicates that the mentioned operating system release is actively supported by its publisher i.e. it is currently under the full support phase. The date mentioned corresponds to the day on which that OS version was made generally available.

- End-of-Life or EOL: Indicates that the publisher has ceased to provide the first level of support for the operating system release. The date corresponds to the day on which the operating system version has reached or will reach the EOL stage.

- End-of-Service or EOS: Indicates that the operating system release has reached the final level of support. The date corresponds to the day on which the operating system release has reached or will reach End-of-Service or EOS.

- Beta: Indicates that the operating system release is still in beta phase and a stable version has not been released. Such versions will not have a GA date.

- Not Applicable: Indicates that the specific operating system release is not available.

- Unknown: Indicates that lifecycle information for the operating system release is not published by the publisher nor can it be estimated.

- Support Stages: Indicates the nature of support that is being offered by the publisher for an operating system release. For instance, for Microsoft Windows, it will indicate whether the release is under Mainstream Support or Extended Support. Similarly, for Oracle it will indicate if the release is under Premier Support or Extended Support.

- Support Stage Attributes: Indicates the vendor-defined support stages that correspond to the captured EOL and EOL/EOS support stages. Each vendor has its own terminology for these support stages, and that vendor-defined terminology is reflected under support stage attributes.

Examples:

a) Amazon Web Services defines EOL support stage for their products as "End-of-life" whereas Canonical defines the EOL support stage for their products as "End of Life"

b) Cisco Systems, under their lifecycle policy for Cisco IOS, defines EOL support stage as "End of Software Maintenance" whereas Extreme Networks defines the EOL support stage as "End of Software Maintenance (EOSM)"
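The lifecycle data points above can drive a simple triage of an asset inventory. The following is an added example, not Qualys code or a CSAM API: the record field names (`ga`, `eol`, `eos`, `beta`, `estimated`), the hosts, the OS names and all dates are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample records; field names and dates are assumptions, not a CSAM schema.
SAMPLE_ASSETS = [
    {"host": "host-a", "os": "ExampleOS 1", "ga": date(2015, 1, 1), "eol": date(2020, 1, 1), "eos": date(2023, 1, 1)},
    {"host": "host-b", "os": "ExampleOS 2", "ga": date(2018, 6, 1), "eol": date(2023, 6, 1), "eos": date(2026, 6, 1)},
    {"host": "host-c", "os": "ExampleOS 3", "ga": date(2020, 9, 1), "eol": date(2024, 9, 1), "eos": date(2027, 9, 1), "estimated": True},
    {"host": "host-d", "os": "ExampleOS 4"},                      # no lifecycle data at all
    {"host": "host-e", "os": "ExampleOS 5 beta", "beta": True},   # beta releases carry no GA date
    {"host": "host-f", "os": "ExampleOS 6", "ga": date(2023, 1, 1), "eol": date(2030, 1, 1), "eos": date(2033, 1, 1)},
]

def lifecycle_stage(rec, today):
    """Return the lifecycle data point that applies to one OS release on `today`."""
    ga, eol, eos = rec.get("ga"), rec.get("eol"), rec.get("eos")
    if rec.get("beta"):
        return "Beta"
    if ga is None and eol is None and eos is None:
        return "Unknown"
    if eos is not None and today >= eos:   # latest milestone reached wins
        return "EOS"
    if eol is not None and today >= eol:
        return "EOL"
    return "GA"                            # assumption: dated release with no milestone passed

def triage(assets, today, warn_days=180):
    """Group hosts by lifecycle exposure; estimated dates are flagged in the label."""
    report = {"past_eos": [], "past_eol": [], "eol_within_window": [], "needs_review": []}
    horizon = today + timedelta(days=warn_days)
    for a in assets:
        stage = lifecycle_stage(a, today)
        tag = a["host"] + (" (estimated)" if a.get("estimated") else "")
        if stage == "EOS":
            report["past_eos"].append(tag)
        elif stage == "EOL":
            report["past_eol"].append(tag)
        elif stage in ("Unknown", "Beta"):
            report["needs_review"].append(tag)   # no dates to reason about
        elif a.get("eol") and a["eol"] <= horizon:
            report["eol_within_window"].append(tag)
    return report

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_ASSETS, date(2024, 6, 1)).items():
        print(f"{bucket}: {hosts}")
```

Hosts whose dates carry the estimated label are kept in the same buckets but marked, so they can be verified against the publisher before a decision is made.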