CCE ListCurrent Version — CCE 5The current version of the Common Configuration Enumeration (CCE™) List is posted below. In Version 5 CCE-IDs are assigned according to "platform groups." Many issues with a single CCE-ID in Version 4.2 are assigned multiple CCE-IDs in V5, one for each applicable platform group.
Comments or concerns: cce@mitre.org Previous Version — CCE 4.2This archived version of the CCE List covers security-related configuration issues for Windows Vista, Windows XP, Windows 2000, Windows Server 2003, Internet Explorer 7, and Office 2007. Format: MS Excel KeyEntries in the CCE List contain the following five attributes: CCE Identifier Number - Like CVE, CCE assigns identifier tags to each commonly recognized configuration issue. These identifiers are intended to be unique tags or keys, not descriptive names. By way of a loose analogy, CCE-IDs are like scientific names for animals, providing a precise identifier for a species that is agreed upon by the technical community but which may have little or no meaning in common language usage. Description - CCE entries contain a humanly understandable description of the configuration issue. This description is intended to describe the generic issue. In particular, it is not intended to make an assertion as to what particular configuration should or should not be made. For example, a valid CCE description might be "The minimum password length should be set appropriately". CCE makes no assertion whether the minimum password length should be 8, 10, or 14. It only describes the generic and non-qualified issue of minimum password length. Conceptual Parameters - CCE entries contain a list of conceptual parameters that would be needed to be specified in order to implement a CCE on a system. For example, for the CCE associated with "The start up permissions on telnet should be set appropriately" (for Windows) the conceptual parameters would be Automatic, Manual, and Disabled. CCE entries distinguish between such humanly understandable conceptual parameters and machine understandable parameters such as the specific registry key values that might be associated with the conceptual notions of "Automatic", "Manual", and "Disabled". Associated Technical Mechanisms - For any given configuration issue there may be more than one way to implement the desired result. For example, in Windows the issue of "The Autoplay feature should be set correctly for all drives" issue can be set either with a direct registry key edit or by way of a Group Policy Object if the system participates in an Active Directory domain. And in most forms of Unix and Linux, the issue of "The start up permissions for FTP should be set correctly" can be achieved in multiple ways. One way to understand the distinction between the Description and its corresponding set of Technical Mechanisms is that the former describes a goal and the latter describes a set of ways to achieve that goal. It should be noted that this distinction has been and continues to be topic of lively discussion among the CCE participants and may change significantly as CCE matures. Citations - Each CCE entry has a set of citations from published configuration guidance documents such as the NSA Security Guides, the Center for Internet Security Benchmark, and DISA Stigs. These citations point to the specific sections of the documents or tools in which the configuration issue is described in more detail. These citations serve three purposes: first, they provide a logical linkage to more detailed information; second, the citations validate the need for a CCE-ID for any given configuration issue; and third, the citation validates that the CCE-ID is described at a level of abstraction that is used and accepted within the community. |
