August 27th, 2006, 07:58 PM
CCE - Common Configuration Enumeration
Lately Iíve become more and more interested in policy type stuff (Yes, thatís the technical term ). Plenty of people use plenty of different policiesÖ Itís common to develop your own in house security policy based off of basics that are common knowledge, however ďcommon senseĒ may be a better term to apply. There are also several groups that make available various Policies, Standards and Guides that you can implement.
The Center for Internet Security (CIS), for example, provides many benchmarking documents as well as various scoring tools to accompany the documents. They include various operating systems (Linux, Windows, OS X) as well as applications (BIND, Oracle, etc).
There are also the Security Configuration Guides provided by the Systems and Network Attack Center (SNAC) at the NSA. While all of these are worthwhile reads, one document that everyone should read, regardless of their corporate tasks, job duties or position, is The 60 Minute Network Security Guide. Itís a great example basic policy that can be easily built upon. I feel that this should be required reading (and comprehension) for all end users (Itís a dream). (For you web designers always interested in a web developing goof, check out the page for the Router Guides page [This may be a Firefox only thing].)
Lastly, thereís the Information Assurance Support Environment (ISAE) at DISA and their Security Technical Implementation Guides (STIGs). Like the CIS and NSA, they provide documents that layout Frameworks and Guides for various system configurations and policies.
There are differences between each of these three groupsÖ CIS provides a checklist for IT Professionals but also provides details that are written fairly simply so that a home user could understand them with little effort.
The Security Configuration Guides from SNAC provides a few things that home users may be interested in, Outlook Email Security in the Midst of Malicious Code Attacks, for example. However most of these are technical walk-throughs for a specific administrator (DB, Network, Windows, Unix, etc). The documents are usually big and bulky, but very thorough. There are some smaller, lighter documents however, The Cisco Router Guides includes a 2-page Executive Summary, this serves as a great checklist for the seasoned network admin, or as a great handout to begin lectures with students in networking and network security.
The DISA STIGs are more of checklists, however the do have an interesting Biometrics STIG. The reason I say that they are more like checklists is due to the manner in which they are written. Hereís an excerpt from the UNIX STIG that may help you to better understand what I mean:
3.6 User Files
User files are files owned by a user, except for the possibility of some user local initialization files that may be owned by root, and maintained by the user in the userís home directory. User files will have an initial access permission of no more permissive than 700 and will never be more permissive than 750. All files in user home directory will be owned by the user with the possible exception of local initialization files that may be owned by root. The SA and the user, as well as application developers, will be responsible for maintaining these requirements.
ē (GEN001540: CAT III) (Previously Ė G067) The user, application developers, and the SA will ensure files and directories (excluding a limited set of local initialization files) in user home directory trees will be owned by the user who owns the home directory.
ē (GEN001560: CAT II) (Previously Ė G068) The user, application developers, and the SA will ensure user files and directories will have an initial permission no more permissive than 700, and never more permissive than 750.
As you can see, they give you specific examples of policies (or policy checks) that you can put into place.
So Iíve droned on for a bitÖ but whatís the point that Iím getting toÖ why am I mentioning all of this when the title of the post is CCE. I wanted to share some background before I went into my discussion on CCEs. What is a CCE? Letís answer that before we tie the two together.
Many of the readers of this blog will have heard of CVEs before, many of you may have also heard of CWEs. Recently The MITRE Corporation added a new section to the siteÖ CCEs. These focus on configuration issues, and what defines configuration (besides business needs [to an extent])Ö Policy. CCEs will give a centralized naming scheme and point of reference, much like CVE and CWE have done before it. A commonality that vendors and users alike can use to refer to problems. It will be a great way to avoid miscommunication in the security industry and more specifically, the policy compliance industry. Thereís a preliminary draft available that references 560+ CCEs all related to Windows 2K, XP and 2K3. Each of these have references back to where they are identified in various documents provided by, you guessed it, CIS, NSA SNAC and DISA STIGs. The CCE Draft list is in Excel format, Linux users can use OpenOffice or Gnumeric. Windows users without office can obtain the Excel Viewer free of charge.
Iím very interested to see how this proceeds and look forward to following it as it progresses towards finalization. Hopefully your head isnít mashed against the keyboard and I didnít bore you too too much.
To View a Fully linked version of this visit - http://www.computerdefense.org/?p=75
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".