August 27th, 2006 06:58 PM
CCE - Common Configuration Enumeration
Lately I’ve become more and more interested in policy type stuff (Yes, that’s the technical term). Plenty of people use plenty of different policies… It’s common to develop your own in-house security policy based off of basics that are common knowledge, however “common sense” may be a better term to apply. There are also several groups that make available various Policies, Standards and Guides that you can implement.
The Center for Internet Security (CIS), for example, provides many benchmarking documents as well as various scoring tools to accompany the documents. They include various operating systems (Linux, Windows, OS X) as well as applications (BIND, Oracle, etc).
There are also the Security Configuration Guides provided by the Systems and Network Attack Center (SNAC) at the NSA. While all of these are worthwhile reads, one document that everyone should read, regardless of their corporate tasks, job duties or position, is The 60 Minute Network Security Guide. It’s a great example of a basic policy that can be easily built upon. I feel that this should be required reading (and comprehension) for all end users (It’s a dream). (For you web designers always interested in a web developing goof, check out the Router Guides page [This may be a Firefox only thing].)
Lastly, there’s the Information Assurance Support Environment (IASE) at DISA and their Security Technical Implementation Guides (STIGs). Like the CIS and NSA, they provide documents that lay out Frameworks and Guides for various system configurations and policies.
There are differences between each of these three groups… CIS provides a checklist for IT Professionals but also provides details that are written fairly simply so that a home user could understand them with little effort.
The Security Configuration Guides from SNAC provide a few things that home users may be interested in, Outlook Email Security in the Midst of Malicious Code Attacks, for example. However, most of these are technical walk-throughs for a specific administrator (DB, Network, Windows, Unix, etc). The documents are usually big and bulky, but very thorough. There are some smaller, lighter documents, however. The Cisco Router Guides include a 2-page Executive Summary, which serves as a great checklist for the seasoned network admin, or as a great handout to begin lectures with students in networking and network security.
The DISA STIGs are more of checklists, however they do have an interesting Biometrics STIG. The reason I say that they are more like checklists is due to the manner in which they are written. Here’s an excerpt from the UNIX STIG that may help you to better understand what I mean:
3.6 User Files
User files are files owned by a user, except for the possibility of some user local initialization files that may be owned by root, and maintained by the user in the user’s home directory. User files will have an initial access permission of no more permissive than 700 and will never be more permissive than 750. All files in user home directory will be owned by the user with the possible exception of local initialization files that may be owned by root. The SA and the user, as well as application developers, will be responsible for maintaining these requirements.
• (GEN001540: CAT III) (Previously – G067) The user, application developers, and the SA will ensure files and directories (excluding a limited set of local initialization files) in user home directory trees will be owned by the user who owns the home directory.
• (GEN001560: CAT II) (Previously – G068) The user, application developers, and the SA will ensure user files and directories will have an initial permission no more permissive than 700, and never more permissive than 750.
As you can see, they give you specific examples of policies (or policy checks) that you can put into place.
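To show how directly those two STIG items translate into an automated policy check, here is an added example (not part of the original post or of the STIG itself) that walks one home directory tree and reports GEN001540 ownership findings and GEN001560 findings against the 750 ceiling. The function names and the sample list of root-owned initialization files are assumptions; the "initial permission of 700" part of GEN001560 is a umask matter and is not checked here.

```python
import os
import stat
import sys

CEILING = 0o750  # GEN001560: never more permissive than 750

def too_permissive(mode, ceiling=CEILING):
    """True if any rwx bit is set that the ceiling does not grant."""
    return bool(stat.S_IMODE(mode) & 0o777 & ~ceiling)

def audit_home(home, owner_uid, root_owned_ok=frozenset()):
    """Return (check_id, path, detail) findings for one home directory tree.

    root_owned_ok: basenames of local initialization files that may be
    owned by root (assumption: the site supplies this list).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(home):
        # Check each directory once (as dirpath) plus the files inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no access meaning
            exempt = st.st_uid == 0 and os.path.basename(path) in root_owned_ok
            if st.st_uid != owner_uid and not exempt:
                findings.append(("GEN001540", path, f"uid {st.st_uid}"))
            if too_permissive(st.st_mode):
                findings.append(
                    ("GEN001560", path, f"mode {stat.S_IMODE(st.st_mode):04o}"))
    return findings

if __name__ == "__main__":
    # Usage: script.py HOME_DIR OWNER_UID  (the exemption list is a sample)
    for finding in audit_home(sys.argv[1], int(sys.argv[2]),
                              {".profile", ".login"}):
        print(*finding)
```

A mode such as 640 passes because every bit it sets is also set in 750, while 755 and 770 are reported for the extra "other" and group-write bits.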
So I’ve droned on for a bit… but what’s the point that I’m getting to… why am I mentioning all of this when the title of the post is CCE. I wanted to share some background before I went into my discussion on CCEs. What is a CCE? Let’s answer that before we tie the two together.
Many of the readers of this blog will have heard of CVEs before, many of you may have also heard of CWEs. Recently The MITRE Corporation added a new section to the site… CCEs. These focus on configuration issues, and what defines configuration (besides business needs [to an extent])… Policy. CCEs will give a centralized naming scheme and point of reference, much like CVE and CWE have done before it. A commonality that vendors and users alike can use to refer to problems. It will be a great way to avoid miscommunication in the security industry and more specifically, the policy compliance industry. There’s a preliminary draft available that references 560+ CCEs all related to Windows 2K, XP and 2K3. Each of these has references back to where they are identified in various documents provided by, you guessed it, CIS, NSA SNAC and DISA STIGs. The CCE Draft list is in Excel format, Linux users can use OpenOffice or Gnumeric. Windows users without Office can obtain the Excel Viewer free of charge.
I’m very interested to see how this proceeds and look forward to following it as it progresses towards finalization. Hopefully your head isn’t mashed against the keyboard and I didn’t bore you too too much.
To View a Fully linked version of this visit - http://www.computerdefense.org/?p=75
IT Blog: .:Computer Defense:.