[CCE-WORKING-GROUP-LIST] Version 5.20100926 of CCE released

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[CCE-WORKING-GROUP-LIST] Version 5.20100926 of CCE released

Matthew N. Wojcik
CCE Working Group members,

I'm pleased to announce the release of version 5.20100926 of the CCE list.  This release primarily consists of new entries, with only a few modifications to existing CCEs.  There are 4,592 new CCEs in this release, bringing the total to 10,300.  New platform group CCE lists include Internet Explorer 8, Microsoft Office 2010, Oracle WebLogic Server 11g, and Windows Server 2008 R2.  There are also updates to the Red Hat Enterprise Linux 5 and Windows 7 lists.

The CCE list is available in Excel spreadsheet form (the canonical format), both as individual platform group downloads and as a COMBINED spreadsheet file.  An XML representation is also provided.  The CCE list download page is at

http://cce.mitre.org/lists/cce_list.html

A reminder: while the XML format includes a "modified" date attribute at the CCE entry, we currently only have last update data at the platform group level.  The utilities we use to convert from the canonical spreadsheets to XML simply populate the modified attribute for every <cce> element with the date the platform group as a whole was changed.  So, for example, many entries in the win7 and rhel5 lists have a recent "modified" date even though they have not been changed.  We have been working on a new infrastructure for CCE content which will track changes at (at least) the entry level, but it will still be some time before we can complete that transition.

The CCE team would like to acknowledge the assistance of several parties who contributed significantly to this release:

 - The Microsoft Solution Accelerators Security Team, who have worked closely with the CCE team to assign CCE IDs to all settings included in baselines and setting packs published by Microsoft and available for the Microsoft Security Compliance Manager, and to provide us with well-formatted data for review and publication.

 - Contributors from NSA, NIST, and Red Hat, who provided candidate entries and technical advice for the update of the CCE list for Red Hat Enterprise Linux 5.

 - A MITRE team for submitting candidate entries for Oracle WebLogic Server 11g.

The ChangeLog section for version 5.20100926 follows.  As always, comments and questions are welcomed, either on the CCE Working Group or to [hidden email].

--Woj                  Matthew N. Wojcik                 [hidden email]
781 271-8056 office                        Remediation Standardization
617 872-6247 mobile                                   CCE Project Lead

=================================
Changes in CCE version 5.20100926
=================================

Total CCE Entries: 10300
Number of new entries: 4592
Total Number of Platform Groups: 19
Number of new platform groups: 4
Number of platform groups with updates: 2

NOTE: The count of CCEs in version 5.20100428 as reported in the
  ChangeLog was incorrect.  As released, version 5.20100428 actually
  included 5708 entries, and 5710 <cce> elements, rather than 5703 and
  5705 as stated.  (See the ChangeLog for version 5.20100428 for the
  reason for the discrepancy between the number of unique CCE IDs and
  the number of <cce> elements in the XML.  That discrepancy still
  remains; there are 10302 <cce> elements in
  cce-COMBINED-5.20100926.xml.)

Platform groups with no changes
-------------------------------
aix5.3
hpux11.23
ie7
office2k7
rhel4
solaris10
solaris8
solaris9
vista
win2k
win2k3
win2k8
winxp

Platform groups with changes
----------------------------
rhel5 - Added 83 new entries, bringing the total to 413, up from 330
        in version 5.20100428.  New entries begin at row 334 in the
        spreadsheet.

      - The CCE team wishes to acknowledge the assistance of
        contributors from NSA, NIST, Red Hat in this update.

      - Added references to Revision 4 of the NSA "Guide to the Secure
        Configuration of Red Hat Enterprise Linux 5".

      - DEPRECATED CCE-3762-2 in favor of CCE-14113-5, CCE-14672-0,
        CCE-14712-4, CCE-14122-6.  CCE-3762-2 was created at too high
        a level of abstraction.  Description was: The password
        strength should meet minimum requirements.

win7  - Added 148 new entries, bringing the total to 600, up from 452
        in version 5.20100428.  NOTE: 18 of these new entries are
        DEPRECATED, resolving inadvertent duplicate CCEs created while
        processing win7 submissions from multiple parties.

      - Added references to USGCB Beta release of 2010-08-31 (XCCDF
        and OVAL).  NOTE: Additional references to USGCB version
        1.0.x.0 will be added in a future CCE update.


New platform groups
-------------------
ie8 - Initial release of the CCE list for Internet Explorer 8.  There
      are 1437 entries, including full coverage of all settings
      included in the Microsoft Security Compliance Manager (SCM) IE8
      baselines as well as the new setting pack beta released on
      2010-09-24.

    - The CCE team wishes to acknowledge the assistance of the
      Microsoft Solution Accelerators Security Team in creating this
      list.

    - NOTE: Additional references to USGCB version 1.0.x.0 will be
      added in a future CCE update.

office2010 - Initial release of the CCE list for Microsoft Office
      2010.  There are 2013 entries, including full coverage of all
      settings included in the Microsoft Security Compliance Manager
      (SCM) Office 2010 baselines and setting pack beta.

    - The CCE team wishes to acknowledge the assistance of the
      Microsoft Solution Accelerators Security Team in creating this
      list.

weblogicserver11g - Initial release of the CCE list for Oracle
      WebLogic Server 11g.  There are 99 entries, submitted by a MITRE
      team developing a configuration guide and benchmark for WebLogic
      Server 11g.

win2k8r2 - Initial release of the CCE list for Windows Server 2008 R2.
      There are 812 entries, including full coverage of all settings
      included in the Microsoft Security Compliance Manager (SCM)
      Windows Server 2008 R2 baselines and setting pack beta.

    - The CCE team wishes to acknowledge the assistance of the
      Microsoft Solution Accelerators Security Team in creating this
      list.

    - NOTE: Windows Server 2008 R2 (win2k8r2) is a new platform group
      for CCE, distinct from Windows Server 2008 (win2k8).  The
      decision to create a new platform group, rather than expand the
      number of CCEs related to the Windows Server 2008, was made
      after discussion with the Microsoft Solution Accelerators
      Security Team.  Technically, Server 2008 R2 bears a similar
      relationship to Server 2008, as Windows 7 bears to Vista.
Loading...