Tools and Templates for complying with DISA's SQL Server STIG
When we designed ASSET, our Automated SQL Security Evaluation Tool, we took great care to ensure that our automated observations made no changes to the target environment. A scanning tool, after all, should focus on accurately assessing and reporting on a system, without making changes of any kind to that system. Our philosophy was (and is) that remediation steps, when necessary, are best decided upon and performed manually, by an administrator who is an expert SQL Server DBA and is also very well acquainted with the environment in which that system operates.
How else can YOU make certain the correct remediation or mitigation steps have been taken and that all applicable organizational policies have been followed?
Even so, we are consistently asked for tools and guidance to increase the efficiency of the remediation and mitigation process as much as ASSET has increased the speed and accuracy of SQL vulnerability checking.
What is this Compliance Package?
The intent of this compliance package is to assist SQL Server DBAs in crafting, or contributing to, the organizational policies that DISA's SQL Server STIG requires to exist, and in tying each policy to the specific STIG findings it is meant to satisfy. We also aim to provide a starting point for implementing some of the required actions for which a near-universal solution can be safely scripted, and to provide a framework for mapping those scripts and policies to the specific vulnerability concerns they are intended to address. The package contains:
- Baseline policy templates with suggested policy language addressing SQL Server-specific compliance issues.
- Baseline SQL/PowerShell scripts that create SQL Agent jobs and alerts to implement, or to monitor the implementation of, specific compliance requirements.
- A vulnerability matrix mapping these policies and scripts to the specific SQL Server STIG vulnerability (or vulnerabilities) they are intended to address, simplifying the task of confirming that a given policy covers all the relevant STIG requirements across multiple SQL Server versions.
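To make the second item concrete, here is an added example of the kind of monitoring script described above. It is not taken from the compliance package or from ASSET; it is a T-SQL illustration written for this article. In keeping with the "observe, do not change" philosophy, the job only reads server metadata and raises a logged error when it sees drift, and a SQL Agent alert keyed to that error notifies an operator. The message number 60001, the job and alert names, the operator name DBA_OnCall, the 02:00 daily schedule, and the approved sysadmin baseline (only sa plus the NT SERVICE accounts) are all assumptions to be replaced with values from your own policy.

```sql
-- Added example, not part of the original compliance package.
-- Creates a read-only SQL Agent job plus an alert that fires when the job
-- finds sysadmin members outside an assumed approved baseline.
-- Assumptions: message id 60001 is free, operator DBA_OnCall exists,
-- and the approved baseline is 'sa' plus NT SERVICE\* accounts.
USE msdb;
GO

-- 1. A user-defined message that is written to the SQL Server error log.
--    @with_log = 'TRUE' matters: SQL Agent alerts only fire on logged events.
IF NOT EXISTS (SELECT 1 FROM sys.messages WHERE message_id = 60001 AND language_id = 1033)
    EXEC sp_addmessage
         @msgnum   = 60001,
         @severity = 16,
         @msgtext  = N'Compliance check: %d login(s) hold the sysadmin role beyond the approved baseline.',
         @with_log = 'TRUE';
GO

-- 2. A job with a single T-SQL step. The step queries metadata only;
--    if it finds unapproved sysadmin members it raises message 60001.
EXEC sp_add_job
     @job_name = N'STIG-Monitor sysadmin membership',
     @enabled  = 1;

EXEC sp_add_jobstep
     @job_name      = N'STIG-Monitor sysadmin membership',
     @step_name     = N'Check sysadmin members',
     @subsystem     = N'TSQL',
     @database_name = N'master',
     @command       = N'
DECLARE @n int;
SELECT @n = COUNT(*)
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N''sysadmin''
  AND m.name <> N''sa''                      -- assumed approved baseline
  AND m.name NOT LIKE N''NT SERVICE\%'';     -- assumed approved baseline
IF @n > 0
    RAISERROR(60001, 16, 1, @n) WITH LOG;   -- logged, so the alert below can fire
';

-- Daily at 02:00 (freq_type 4 = daily, freq_interval 1 = every day).
EXEC sp_add_jobschedule
     @job_name          = N'STIG-Monitor sysadmin membership',
     @name              = N'Daily 02:00',
     @freq_type         = 4,
     @freq_interval     = 1,
     @active_start_time = 020000;

-- Target the local server (default for @server_name).
EXEC sp_add_jobserver
     @job_name = N'STIG-Monitor sysadmin membership';
GO

-- 3. An alert bound to message 60001, with an e-mail notification
--    (notification_method 1 = e-mail) to the assumed operator.
EXEC sp_add_alert
     @name                         = N'STIG sysadmin drift',
     @message_id                   = 60001,
     @enabled                      = 1,
     @include_event_description_in = 1;

EXEC sp_add_notification
     @alert_name          = N'STIG sysadmin drift',
     @operator_name       = N'DBA_OnCall',
     @notification_method = 1;
GO
```

Two points a DBA would want to check before adopting a pattern like this: RAISERROR ... WITH LOG requires sysadmin membership or ALTER TRACE permission for the job step's execution context, and a severity-16 error causes the step, and therefore the job, to report failure, which is intentional here because the job history then doubles as an audit trail of every detected drift. Remediation of whatever the job finds is still left to the DBA, consistent with the approach described above.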