Common Configuration Enumeration (CCE) -- CCE List -- Archive

CCE Website is in "Archive" status — read the announcement

About CCE
Documents
FAQs

CCE List

References
Editorial Policies
CCE in Use

CCE Community

CCE Working Group
Discussion Archive
News & Events

Calendar
Search the Site

CCE List — Archive

IMPORTANT: The CCE List is now hosted at http://nvd.nist.gov/cce/index.cfm.

Version — CCE 5 (Archive)

The Common Configuration Enumeration (CCE) List is posted below. In Version 5 CCE-IDs are assigned according to "platform groups." The CCE List is available for download in two formats: the canonical Microsoft Excel spreadsheet format, and an alternative XML format. Spreadsheets are available in a single combined file and by individual platform group. XML is only available for the single combined file, containing CCE entries for all platform groups.

Please note that the spreadsheets are the canonical format. In the case of any discrepancy between the XML and the spreadsheets, the spreadsheets should be preferred. Also, the format of the XML itself is version 0.2 of that encoding, and is subject to change.

IMPORTANT: Activity on the CCE effort has been suspended, and the CCE Web site has been moved to "Archive" status. Read the complete message on the homepage.

Release Details

The current release of CCE is 5.20130214 (CCE Version 5, updated on February 14, 2013). A ChangeLog is available that details the changes since the last release, 5.20120521.

Total CCEs: 12,163

DOWNLOADS (XML format)	DATE UPDATED
CCE v5 - All Platform Groups-COMBINED FILE (11.5 MB)	February 14, 2013
DOWNLOADS (MS Excel format)	DATE UPDATED
CCE v5 - All Platform Groups-COMBINED FILE (5398 KB)	February 14, 2013
CCE v5 - AIX 5.3 (226 KB)	May 6, 2009
CCE v5 - Apache HTTP 1.3 (47 KB)	February 14, 2013
CCE v5 - Apache HTTP 2.0 (97 KB)	February 14, 2013
CCE v5 - Apache HTTP 2.2 (123 KB)	February 14, 2013
CCE v5 - Apache Tomcat 4 (71 KB)	February 14, 2013
CCE v5 - Apache Tomcat 5 (48 KB)	February 14, 2013
CCE v5 - Apache Tomcat 6 (47 KB)	February 14, 2013
CCE v5 - HP-UX 11.23 (202 KB)	May 6, 2009
CCE v5 - Internet Explorer 7 (260 KB)	March 14, 2012
CCE v5 - Internet Explorer 8 (906 KB)	September 26, 2010
CCE v5 - IIS 5 (53 KB)	February 14, 2013
CCE v5 - IIS 6 (80 KB)	February 14, 2013
CCE v5 - Microsoft Exchange 2007 (241 KB)	March 14, 2012
CCE v5 - Microsoft Exchange 2010 (245 KB)	March 14, 2012
CCE v5 - Microsoft Office 2007 (519 KB)	February 14, 2013
CCE v5 - Microsoft Office 2010 (986 KB)	February 14, 2013
CCE v5 - MS SQL 2000 (48 KB)	February 14, 2013
CCE v5 - MS SQL 2005 (82 KB)	February 14, 2013
CCE v5 - Polycom HDX 3.X (260 KB)	May 21, 2012
CCE v5 - Red Hat Enterprise Linux 4 (213 KB)	May 6, 2009
CCE v5 - Red Hat Enterprise Linux 5 (261 KB)	October 7, 2011
CCE v5 - Sun Solaris 8 (219 KB)	May 6, 2009
CCE v5 - Sun Solaris 9 (231 KB)	May 6, 2009
CCE v5 - Sun Solaris 10 (211 KB)	April 28, 2010
CCE v5 - Oracle WebLogic Server 11g (184 KB)	October 7, 2011
CCE v5 - Windows Vista (354 KB)	March 14, 2012
CCE v5 - Windows 2000 (352 KB)	April 28, 2010
CCE v5 - Windows Server 2003 (342 KB)	April 28, 2010
CCE v5 - Windows Server 2008 (269 KB)	March 14, 2012
CCE v5 - Windows Server 2008 R2 (505 KB)	March 14, 2012
CCE v5 - Windows 7 (537 KB)	May 21, 2012
CCE v5 - Windows XP (525 KB)	March 14, 2012

Comments or concerns: cce@mitre.org

Key

Entries in the CCE List contain the following five attributes:

CCE Identifier Number — Like CVE, CCE assigns identifier tags to each commonly recognized configuration issue. These identifiers are intended to be unique tags or keys, not descriptive names. By way of a loose analogy, CCE-IDs are like scientific names for animals, providing a precise identifier for a species that is agreed upon by the technical community but which may have little or no meaning in common language usage.

Description — CCE entries contain a humanly understandable description of the configuration issue. This description is intended to describe the generic issue. In particular, it is not intended to make an assertion as to what particular configuration should or should not be made. For example, a valid CCE description might be "The minimum password length should be set appropriately". CCE makes no assertion whether the minimum password length should be 8, 10, or 14. It only describes the generic and non-qualified issue of minimum password length.

Conceptual Parameters — CCE entries contain a list of conceptual parameters that would be needed to be specified in order to implement a CCE on a system. For example, for the CCE associated with "The startup type of the Telnet service should be correct" (for Windows) the conceptual parameters would be Automatic, Manual, and Disabled. CCE entries distinguish between such humanly understandable conceptual parameters and machine understandable parameters such as the specific registry key values that might be associated with the conceptual notions of "Automatic", "Manual", and "Disabled".

Associated Technical Mechanisms — For any given configuration issue there may be more than one way to implement the desired result. For example, in Windows the issue of "The Autoplay feature should be set correctly for all drives" can be set either with a direct registry key edit or by way of a Group Policy Object if the system participates in an Active Directory domain. And in most forms of Unix and Linux, the issue of "The FTP service should be enabled or disabled as appropriate" can be achieved in multiple ways.

One way to understand the distinction between the Description and its corresponding set of Technical Mechanisms is that the former describes a goal and the latter describes a set of ways to achieve that goal.

References — Each CCE entry has a set of references from published configuration guidance documents such as the NSA Security Guides, the Center for Internet Security Benchmark, and DISA STIGS that point to the specific sections of the documents or tools in which the configuration issue is described in more detail. These references (1) provide a logical linkage to more detailed information, (2) validate the need for a CCE-ID for any given configuration issue, and (3) validate that the CCE entry is described at a level of abstraction that is used and accepted within the community.

CCE List

About CCE Entries
CCE Entry Creation Process
Use Cases
References
Editorial Policies