[CCE-WORKING-GROUP-LIST] Need clarification regarding Platform

[CCE-WORKING-GROUP-LIST] Need clarification regarding Platform

Gokul
As part of learning about CCE, I came across the following queries:

1. What platforms are currently covered in the CCE list? I downloaded the CCE_list version 5; the xml file has several platforms like rhel4, rhel5, solaris 10 etc. How are these platform names decided? Is there any list or dynamic page maintained to list these platforms?

2. The schema for the CCE_list XML file has the platform as a required field, but the CCE submission template does not have any specifics about platform. One example is that one CCE entry has platform as 'vista' and another CCE entry has platform as 'win2k'; how do you ensure consistency or a convention in naming these platforms?

It would be of great help if somebody can address these queries.

Regards
Gokul

Re: [CCE-WORKING-GROUP-LIST] Need clarification regarding Platform

Kinney, Michael A

Perhaps it would be helpful to look at Common Platform Enumeration (CPE) naming or IDs or Software ID (SWID), since they are standards currently in use.

Mike Kinney


Re: [CCE-WORKING-GROUP-LIST] Need clarification regarding Platform

Mann, Dave
In reply to this post by Gokul
Gokul,

Several issues here...

First, CCE is not intended to provide a full suite of automated data about a particular configuration control.  The goal of CCE is much more narrow.  It is only to provide a single, sharable ID that can be associated with a control.  In the early years of CCE (2005-2008), we spent a good deal of time talking about providing more structured data, but the logical end of that discussion would lead CCE to effectively recreate the more machine-processable standards such as CPE, XCCDF and OVAL.  Some of what you are asking about is better answered with fully specified SCAP data, not with CCE by itself. Remember, while CCE happens to be used by SCAP, CCE != SCAP.

[An aside: the relationship between CCE and SCAP is similar to the relationship between CVE and NVD.  CVE provides identifiers with human-readable descriptions. NVD provides more value-add information in a more machine-processable format.]

Second, with respect to how CCE identifies platforms, we use the notion of "platform group".  Platform groups roughly correspond to the "marketing names" of major software product releases.  This ensures that CCE platform groups are well aligned with the way platforms are discussed in security guides and in 3rd party configuration management/audit products.

One important thing to note is that it is common for there to be minor (but important) differences among specific sub-versions within a family identified by a "marketing name".  When you read a security guide for a "platform group", there may be variations to the guidance, depending on the specific sub-version you are dealing with.

A good example is Windows XP pre and post SP2.  Like most security guides and management products, CCE treats all variants of Windows XP as a single platform group.  This means the Windows XP platform group contains CCEs that may not apply to all sub-versions of XP.

Third, with respect to CPE and SWIDs, we are not aware of any way to use either standard to describe the fact that not all items within a platform group may apply to all sub-versions.

Lastly, and probably most importantly, please don't let the existence of XML data for CCE lull you into thinking that CCE data can or should be automatically consumed and processed.  The semantics are not crisp enough. Human analysts will need to make a judgment as to whether or not a particular CCE entry applies to a particular sub-version. In most cases, the answer is yes.  

If you want access to that sort of information that can be processed automatically, you really should look for other repositories (like SCAP) that have done this sort of value-add analysis and made their interpretive decisions available in an automated format with much richer semantics (e.g. CPE, OVAL, XCCDF).

Hope this helps,

-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:[hidden email] | cell:781.424.6003
==================================================================


Re: [CCE-WORKING-GROUP-LIST] Need clarification regarding Platform

Adam Montville
I'm late getting on this thread, but I'll do what I can inline.

On 10/11/12 10:11 AM, "Mann, Dave" <[hidden email]> wrote:

>Gokul,
>
>Several issues here...
>
>First, CCE is not intended to provide a full suite of automated data
>about a particular configuration control.  The goal of CCE is much more
>narrow.  It is only to provide a single, sharable ID that can be
>associated with a control.

To be precise, we're talking about the context of "control" in a software
platform configuration sense, yes?

I believe this whole thread started with a question about whether CCE is
needed, to which we heard a lot of affirmative responses.  I put forward
one of those responses, and I can say that Tripwire does use CCE
internally and within its products to varying degrees.  For example, our
professional services team makes use of CCE for non-SCAP-specific use
cases, our Tripwire Enterprise product uses CCE for SCAP, and our internal
content management tools make extensive use of CCE identifiers as well.

To put it bluntly, CCE, for us, is invaluable.  That said, it could stand
to be improved by either wrapping or extending with machine-readable
associations to other domain concepts, such as CPE, SWID, OVAL object or
CybOX.

Adapting a line from Tony Sager, if we're still requiring analysts to
determine CCE applicability, then we're not making forward progress to
solving 80% of our issues with 20% of our spend.

If CCE needs to be improved, then let's improve it either in the security
automation community or by taking on the work elsewhere.  If it, instead,
needs to be augmented, then let's augment it with something new in the
security automation community or take on that work elsewhere.

It seems clear that we all agree CCE is valuable and needed, but that
there are also improvements or uses that we have not yet addressed.


Re: [CCE-WORKING-GROUP-LIST] Need clarification regarding Platform

Kent Landfield
+1, agree completely.

Kent Landfield

McAfee | An Intel Company
Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com

Re: [CCE-WORKING-GROUP-LIST] Need clarification regarding Platform

Gokul
In reply to this post by Mann, Dave
Dave,

Thanks for your detailed explanation. My intention was to map a CCE id to an operating system or an application when a scanner reports it. In scenarios where I cannot determine the application name or operating system name directly, I was assuming I would use the platform name (it probably looks like a roundabout approach). From your email response and doing more study about SCAP, CCE, CPE etc., I understand that I need to look to NVD.

On the same lines, I saw the CCE list provided by NVD (currently in Beta) and it does not have the CPE information. So as of now the information is not an actionable one (in my opinion). That being said, I understand that NVD is a government regulatory body; are there any means by which MITRE can influence NVD to accommodate CPE information, or are there any other means by which I can get the CPEs affected by a CCE?

Thanks
Gokul  


Re: [CCE-WORKING-GROUP-LIST] Need clarification regarding Platform

Chandrashekhar B

Gokul,

CCEs do not refer to CPEs. We realized this shortcoming when we tried to map everything to an asset, something like how many CVEs or CCEs or OVAL for a particular CPE.

We have done some kind of an external mapping in our repo. You can search any of these,

cce for cpe:/a:microsoft:internet_explorer:8

cpe for cce-10002-4

cpe having cce

in http://www.scaprepo.com

But, yes I agree, it would be good if there is a way to report CCEs against a CPE or set of CPEs.

Thanks,

Chandra.
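An added example, not code from the thread or from MITRE's or scaprepo.com's tooling, that shows what a CCE-to-CPE lookup like the one Chandra describes can and cannot do given Dave's "platform group" semantics: it validates CCE identifiers (CCE-5 IDs end in a Luhn mod-10 check digit, which is why cce-10002-4 above verifies) and maps a CPE 2.2 URI to a platform group by dropping the update field, so Windows XP SP2 and SP3 resolve to one group and the returned CCEs are candidates for analyst review, not confirmed applicability. The entries, pairings and scanner-style IDs below are constructed sample data.

```python
"""Constructed example: CCE ID validation plus CPE -> CCE platform group lookup.

Assumptions: CCE-5 identifiers ('CCE-NNNNN-C') carry a Luhn mod-10 check digit;
platform groups are keyed at the "marketing name" level (part:vendor:product:
version), so the CPE update/edition fields are intentionally ignored.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CCE_RE = re.compile(r"^CCE-(\d{4,5})-(\d)$", re.IGNORECASE)


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a run of decimal digits (rightmost digit doubled first)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                      # double every other digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def normalize_cce(raw: str) -> str:
    """Return the canonical 'CCE-NNNNN-C' form, or raise ValueError on a bad ID."""
    m = CCE_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a CCE identifier: {raw!r}")
    body, check = m.group(1), int(m.group(2))
    if luhn_check_digit(body) != check:
        raise ValueError(f"check digit mismatch in {raw!r}")
    return f"CCE-{body}-{check}"


def is_valid_cce(raw: str) -> bool:
    """True if the ID parses and its check digit verifies (a typo'd ID is rejected)."""
    try:
        normalize_cce(raw)
        return True
    except ValueError:
        return False


def platform_group_of(cpe_uri: str) -> str:
    """Map a CPE 2.2 URI (cpe:/part:vendor:product:version:update:...) to a group key.

    Only part, vendor, product and version survive: a CCE platform group spans
    every sub-version (service pack, update) of a release, exactly the
    granularity at which applicability still needs human judgment.
    """
    if not cpe_uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {cpe_uri!r}")
    fields = cpe_uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))          # pad a short URI with empty fields
    part, vendor, product, version = fields[:4]
    return f"{part}:{vendor}:{product}:{version}".rstrip(":")


@dataclass(frozen=True)
class CceEntry:
    cce_id: str
    platform_group: str   # same key shape that platform_group_of() returns
    description: str


# Constructed sample entries: the ID/platform pairings are illustrative only
# and are not the real content of the CCE list.
SAMPLE_ENTRIES = (
    CceEntry("CCE-10002-4", "o:microsoft:windows_xp", "constructed control A"),
    CceEntry("CCE-27072-8", "o:redhat:enterprise_linux:5", "constructed control B"),
    CceEntry("CCE-26892-0", "o:redhat:enterprise_linux:5", "constructed control C"),
)


def candidate_cces(cpe_uri: str, entries=SAMPLE_ENTRIES) -> list[str]:
    """CCE IDs whose platform group contains the release named by the CPE.

    This is a candidate list, not an applicability verdict: group membership
    says a control *may* apply to this sub-version; an analyst decides.
    """
    group = platform_group_of(cpe_uri)
    return sorted(normalize_cce(e.cce_id) for e in entries if e.platform_group == group)


if __name__ == "__main__":
    for cpe in ("cpe:/o:microsoft:windows_xp::sp2", "cpe:/o:microsoft:windows_xp::sp3"):
        print(cpe, "->", platform_group_of(cpe), candidate_cces(cpe))
    print("CCE-10002-5 valid?", is_valid_cce("CCE-10002-5"))
```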
