[CCE-WORKING-GROUP-LIST] Apache Platform Group Content Decision

Sain, Joe

Greetings, CCE Working Group Members!

The MITRE CCE Team has been working a number of CCE submissions for the Apache platform, which is covered by security guides from three sources, DISA, the Center for Internet Security, and IRS. We would like to solicit your insights and recommendations as we prepare the submissions. You, the CCE community, understand your products and the marketplace better than do we, and your input will help us to ensure that CCE is meeting your needs and the needs of the community.

The matrix below details the software version and operating system coverage. Apache Version 1.3 is covered by CIS and IRS, and there is no OS distinction between Windows and UNIX/LINUX. For Apache Versions 2.0 and 2.2, separate DISA security guides are published for each version and each OS; the CIS and IRS security guides do not make an OS distinction but are UNIX/LINUX-focused.

Based on our analysis, there are several options for Platform group separation.

The Apache software underwent a major change in the move from 1.3 to 2.0, and it is our strong recommendation that Apache HTTP Server 1.3 be a separate Platform Group.

Versions 2.0 and 2.2 are less clear-cut, and these platform decisions should be subject to debate within the CCE community. The options are as follows:

1. Approximately 90% of the Apache deployments are UNIX/LINUX, and the majority of security controls are UNIX/LINUX. This argues for two new platform groups, Apache 2.0 and Apache 2.2, which would include Windows-specific CCEs. The MITRE CCE Team recommends this approach, but we would like to hear other opinions from the group.

2. There are separate security guides for Apache 2.0 Windows, Apache 2.0 UNIX/LINUX, Apache 2.2 Windows, and Apache 2.2 UNIX/LINUX. Therefore, the case could be made for four platform groups.

3. As Apache 2.2 is a minor release, two new platform groups, Apache 2.x Windows and Apache 2.x UNIX/LINUX, should be created.

4. One new platform group, Apache 2.x, which would include UNIX/LINUX and Windows-specific CCEs, should be created.

If any vendors have implemented Apache management or audit capabilities, we would like to hear which of the 4 options most closely matches the way that they are breaking things up for your customers.

This is your opportunity to guide the development of CCE on a widely used software platform! Please let us know your thoughts on these options. We want to ensure that CCE is useful to the vendor and the user community, and your feedback is essential to that goal.

Thanks in advance for your feedback.

Joe Sain

MITRE CCE Project lead

Attachment: apache_sec_guide_coverage.pptx (70K)