CCE ListCurrent Version — CCE 5The current version of the Common Configuration Enumeration (CCE™) List is posted below. In Version 5 CCE-IDs are assigned according to "platform groups." Many issues with a single CCE-ID in Version 4.2 are assigned multiple CCE-IDs in V5, one for each applicable platform group. View the V4.2 to V5 mapping. Downloads are available in a single combined file and by individual platform group.
Comments or concerns: cce@mitre.org KeyEntries in the CCE List contain the following five attributes: CCE Identifier Number — Like CVE, CCE assigns identifier tags to each commonly recognized configuration issue. These identifiers are intended to be unique tags or keys, not descriptive names. By way of a loose analogy, CCE-IDs are like scientific names for animals, providing a precise identifier for a species that is agreed upon by the technical community but which may have little or no meaning in common language usage. Description — CCE entries contain a humanly understandable description of the configuration issue. This description is intended to describe the generic issue. In particular, it is not intended to make an assertion as to what particular configuration should or should not be made. For example, a valid CCE description might be "The minimum password length should be set appropriately". CCE makes no assertion whether the minimum password length should be 8, 10, or 14. It only describes the generic and non-qualified issue of minimum password length. Conceptual Parameters — CCE entries contain a list of conceptual parameters that would be needed to be specified in order to implement a CCE on a system. For example, for the CCE associated with "The start up permissions on telnet should be set appropriately" (for Windows) the conceptual parameters would be Automatic, Manual, and Disabled. CCE entries distinguish between such humanly understandable conceptual parameters and machine understandable parameters such as the specific registry key values that might be associated with the conceptual notions of "Automatic", "Manual", and "Disabled". Associated Technical Mechanisms — For any given configuration issue there may be more than one way to implement the desired result. For example, in Windows the issue of "The Autoplay feature should be set correctly for all drives" can be set either with a direct registry key edit or by way of a Group Policy Object if the system participates in an Active Directory domain. And in most forms of Unix and Linux, the issue of "The FTP service should be enabled or disabled as appropriate" can be achieved in multiple ways. One way to understand the distinction between the Description and its corresponding set of Technical Mechanisms is that the former describes a goal and the latter describes a set of ways to achieve that goal. References — Each CCE entry has a set of references from published configuration guidance documents such as the NSA Security Guides, the Center for Internet Security Benchmark, and DISA STIGS that point to the specific sections of the documents or tools in which the configuration issue is described in more detail. These references (1) provide a logical linkage to more detailed information, (2) validate the need for a CCE-ID for any given configuration issue, and (3) validate that the CCE-ID is described at a level of abstraction that is used and accepted within the community. |
