[CCE-WORKING-GROUP-LIST] CCEs for Bundled Sub-Components

Mann, Dave

At the BOF held at RSA earlier this year, we discussed the possibility of assigning CCE ids to issues regarding the installation status of bundled sub-components.  As noted in the meeting minutes, the community discussion roughly split evenly.

Among the objections raised was the possibility of large volumes of CCEs being issued for all possible installable sub-components.

We note that CCE has traditionally appealed to publicly available security guides and checklists as a "guardrail" to help limit the scope of CCE and we will appeal to this principle once again in hopes of crafting guidance on this issue that will enjoy the consensus of the group.

Below please find an update proposal for the bundled sub-component issue.  The primary addition to this version is the addition of the condition that the installation status of the sub-component has to have documented security relevance, as evidenced by its inclusion in a publicly accessible and referenceable security guide or checklist.

We intend on discussing this this week at the SCAP Developer Days and concurrently ask for your comments here on the CCE mail list.

As always, thank you for comments and willingness to think through these issues with us.

David Mann | Principal Infosec Scientist | The MITRE Corporation
e-mail:[hidden email] | cell:781.424.6003

CD.14 DRAFT - UNDER DISCUSSION Bundled Application Installation (Include)
RULE: Installation of a software package or components can only be associated with a CCE Entry if the following conditions are met:

a) The package or component is commonly recognized as a distinct sub-component of an existing CCE platform group.  Patches are specifically excluded from this.

b) The sub-component is bundled with the majority of the normal installation distributions of the larger platform group.

c) The management of the installation status of the sub-component is clearly supported by the security model of the larger platform group.

d) The installation status of the sub-component has been identified as having security relevance, as demonstrated by its inclusion in a publicly available security guidance document.

DISCUSSION: The operating systems or applications associated with CCE Platform Groups are typically composed from many different smaller components that interact with each other in complex ways.  It is generally not desirable nor reasonable for CCE to consider the installation or removal of each of these sub-components individually. For this reason, as a rule CCE Entries are not associated with the installation status of such sub-components.  However, CCE Entries can be issued if four conditions are met.  

First, the component must be widely recognized among platform group subject matter experts as being a distinct software package or platform component.  As is the case with the recognition of CCE Platform Groups, the recognition of distinct components and applications is best confirmed with the input of the CCE Working Group and relevant subject matter experts on the platform group in question. NOTE: system patches are specifically excluded from this. CCEs will not be issued for patches or update levels.

Second, the package or component must be widely recognized as being "part of" or "contained in" the larger platform group.  It is very much outside of the scope of CCE to enumerate all possible software packages that can be installed in or with a CCE platform group.  For this reason, CCE entries will only be assigned for those applications or components that are included with the standard installation packages that are associated with the larger platform group.  

Third, it is recognized that crafty system administrators have in the past and will likely continue in the future to find ways of disabling (and enabling) various system components using ill-advised or unauthorized methods.  It is beyond the scope of CCE to enumerate all such possible system modifications.  For this reason, CCE Entries will only be associated with the installation status of applications or components in those cases where managing the installation status is clearly a part of the security model for the larger platform group.  

Fourth, the installation status of the sub-component must have security relevance as documented by its mention in a publicly available and referenceable security guidance document or checklist.