
Common Configuration Enumeration (CCE)



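All,

As discussed at the last OVAL Developer Days and on the recent CVE Editorial Board teleconference, the Common Configuration Enumeration initiative is an attempt to assign identifiers to configuration issues. Since day one, the CVE Editorial Board has recognized the need to address both software flaws (aka vulnerabilities) and mis-configurations (aka exposures). The CCE project is the next logical step in the evolution of CVE to finally address the "E" in CVE.

As members of the CVE and OVAL Editorial Boards, you are invited to join the CCE Working Group. The purpose of the working group is to help validate the current draft CCE list for Windows.

Attached you will find an Excel spreadsheet that contains the current CCE draft along with a text file that describes the meaning of the fields. You will also find a description of the CCE Working Group meeting that will be held on Wednesday, September 20th. This meeting will be held at the NIST campus in Gaithersburg, MD, the day after NIST's National Security Automation Conference and Workshop. (http://csrc.nist.gov/checklists/workshop.html)

If you are interested in joining the CCE Working Group, please contact me at damann@mitre.org. Please note that I will be out of the office until August 28th.

-Dave

==================================================================
David Mann, Ph.D. | CVE Project Lead | The MITRE Corporation
------------------------------------------------------------------
e-mail: damann@mitre.org | cell: 781.424.6003
==================================================================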

windows - cce - 2 - 1. - xls draft

Common Configuration Enumeration Working Group Meeting
======================================================

OVERVIEW
--------
The CCE Working Group will hold a face-to-face working meeting on Wednesday, September 20th. NIST has also generously offered to host this meeting on the day after the "National Security Content Automation Program Conference", which will be held on September 18th and 19th. (http://csrc.nist.gov/checklists/workshop.html)

DATE AND TIME
-------------
Wednesday, September 20, 2006
9:00am - 1:30pm (optional 1:30pm - 3:00pm)

LOCATION
--------
NIST campus in Gaithersburg, Maryland
Room to be announced

PURPOSE
-------
The primary goal of this meeting is for the group to come to agreement on how CCE identifiers and definitions should be constructed. In particular, we will consider a small subset of CCE entries for the purpose of drafting agreement on:

+ Are CCE entries defined at the correct level of abstraction?
+ How should CCE definitions be worded?
+ How should CCE logical parameters be defined?
+ How should CCE technical mechanisms be defined?
+ Should CCE technical mechanisms be referenced in a standardized way, and if so, how?
+ What should the relationship be between CCE ids and OVAL definitions?
+ What should the relationship be between CCE ids and XCCDF rules?

If time permits, we will also consider the following questions:

+ What should the format of CCE identifiers be?
+ What process should be used for creating and vetting new identifiers for other platforms?

WHO SHOULD ATTEND
-----------------
Attendees should have a working knowledge of the current draft CCE list for Windows as well as a familiarity with both OVAL and XCCDF. It would be helpful if attendees to the workshop also have familiarity with one or more of the following problem areas:

+ Authoring configuration check list documents
+ Authoring checks for configuration audit tools
+ Integrating data from multiple configuration tools
+ Automated configuration management
+ Lower level configuration data models such as WMI

Current members of the CCE Working Group are encouraged to attend, as are interested members of the CVE Editorial Board and OVAL Editorial Board. It should be noted that this meeting will be a working session with little to no time devoted to background.

Please note, registration will be limited to approximately 25 persons and preference will be given to current CCE Working Group members.

AGENDA
------
09:00a - 09:15a - Greetings and Introductions
09:15a - 10:30a - Working Session 1
10:30a - 10:45a - Break
10:45a - 12:00p - Working Session 2
12:00p - 01:00p - Lunch at the NIST Cafeteria
01:00p - 03:00p - Working Session 3 (If needed)

REGISTRATION
------------
Please send e-mail to Nancy Kennedy (nkennedy@mitre.org) or Claire Murphy (cmurphy@mitre.org) to register. Please include the following information:

+ Name
+ Phone number
+ e-mail address
+ Company or Organization
+ Citizenship

Currently, entries in the CCE list contain the following attributes:

1. CCE IDENTIFIER - Like CVE, CCE assigns identifiers to tag each commonly recognized configuration issue. These identifiers are unique tags or keys, not descriptive names. By loose analogy, CCE ids are like scientific names for animals, providing a precise identifier for a species that is agreed upon by the technical community but which may have little or no meaning in common language usage.

2. DESCRIPTION - CCE entries contain a humanly understandable description of the configuration issue. The purpose of this description is to describe the generic issue. In particular, it is not intended to make assertions as to what a particular configuration should or should not be. For example, a valid CCE description might be "The minimum password length should be set appropriately". CCE makes no assertion whether the minimum password length should be 8, 10 or 14. It only describes the generic and non-qualified issue of minimum password length.

3. LOGICAL PARAMETERS - CCE entries contain a list of logical parameters that would need to be specified in order to implement a CCE on a system. For example, for the CCE associated with "The start up permissions on telnet should be set appropriately" (for Windows) the logical parameters would be Automatic, Manual and Disabled. CCE entries distinguish between such humanly understandable logical parameters and machine understandable parameters such as the specific registry key values that might be associated with the logical notions of "Automatic", "Manual" and "Disabled".

4. TECHNICAL MECHANISMS - For any given configuration issue, there may be more than one way to implement the desired result. For example, in Windows the issue of "The Autoplay feature should be set correctly for all drives" can be set either with a direct registry key edit or by way of a Group Policy Object if the system participates in an Active Directory domain. And in most forms of Unix and Linux, the issue of "The start up permissions for FTP should be set correctly" can be done in multiple ways. One way to understand the distinction between the CCE Description and its corresponding set of Technical Mechanisms is that the former describes a goal and the latter describes a set of ways to achieve that goal. It should be noted that this distinction has been and continues to be a topic of lively discussion among the CCE participants and may change significantly as CCE matures.

5. REFERENCES - Each CCE entry has a set of references into published configuration guidance documents such as the NSA Security Guides, the Center for Internet Security Benchmark, and DISA STIGs. These references point to the specific sections of the documents or tools in which the configuration issue is described in more detail. These references serve 3 purposes. First, they provide a logical linkage to more detailed information. Second, the references validate the need for a CCE id for any given configuration issue. Thirdly, the reference validates that the CCE id is described at a level of abstraction that is used and accepted within the community.
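
An added example (not part of the original message or of MITRE's CCE materials) that models the five entry attributes described above and uses the references to fold findings from different audit tools under one CCE id, translating each tool's machine-level value back to a logical parameter. The id `CCE-EXAMPLE-1`, the section numbers, the tool names and the registry and service-control value mappings are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Mechanism:
    kind: str        # how the setting is reached, e.g. "registry" or "scm"
    location: str    # where that mechanism stores or reports the setting
    values: dict     # machine-level value -> logical parameter

@dataclass
class CCEEntry:
    cce_id: str
    description: str          # generic goal; asserts no required value
    logical_parameters: tuple
    mechanisms: tuple
    references: dict          # guidance document -> section describing the issue

    def logical_value(self, kind, raw):
        """Map a raw value seen through one mechanism to a logical parameter."""
        for m in self.mechanisms:
            if m.kind == kind and raw in m.values:
                return m.values[raw]
        raise ValueError(f"{self.cce_id}: no {kind} mapping for {raw!r}")

# Constructed sample: placeholder id, invented section numbers, and assumed
# registry / service-control-manager value mappings.
TELNET = CCEEntry(
    "CCE-EXAMPLE-1",
    "The start up permissions on telnet should be set appropriately",
    ("Automatic", "Manual", "Disabled"),
    (Mechanism("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr\Start",
               {2: "Automatic", 3: "Manual", 4: "Disabled"}),
     Mechanism("scm", "service start type",
               {"AUTO_START": "Automatic", "DEMAND_START": "Manual", "DISABLED": "Disabled"})),
    {"NSA Security Guide": "example-3.2", "CIS Benchmark": "example-5.1"},
)

def correlate(entries, findings):
    """Group tool findings under CCE ids via the guidance section each one cites."""
    by_ref = {(doc, sec): e for e in entries for doc, sec in e.references.items()}
    merged, unmapped = {}, []
    for tool, doc, sec, kind, raw in findings:
        entry = by_ref.get((doc, sec))
        if entry is None:
            unmapped.append(tool)   # cites guidance that no CCE entry references
        else:
            merged.setdefault(entry.cce_id, {})[tool] = entry.logical_value(kind, raw)
    return merged, unmapped

FINDINGS = [  # constructed output from three hypothetical audit tools
    ("tool-a", "NSA Security Guide", "example-3.2", "registry", 4),
    ("tool-b", "CIS Benchmark", "example-5.1", "scm", "DISABLED"),
    ("tool-c", "DISA STIG", "example-9.9", "registry", 2)]
```

Calling `correlate([TELNET], FINDINGS)` shows two tools that read the setting through different mechanisms agreeing on the same logical parameter under one id, while the third finding stays unmapped because no entry references its guidance section.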

Page last updated or reviewed: May 22, 2007