• jasona.work (5/6/2015)


    SqlSanctum (5/6/2015)


    jasona.work (5/5/2015)


    Bloody heck I hate dealing with DISA STIGs!

    I'm also surprised that (in my quick Googling) there aren't more discussions / blog posts / articles around the web on applying and interpreting them. And frankly, that's what it comes down to: the interpretation of the wording of the STIG.

    Some are fairly straightforward to understand ("no login should have the CONNECT SQL privilege directly granted," or "no privileges with GRANT WITH GRANT"); others, well, not so clear.

    Making it worse, of course, is you have multiple, competing interpretations:

    1. The DBA trying to apply the STIG

    2. The security team's interpretation

    3. DISA's interpretation

    Quite often with #2 and #3 being done by non-technical people.

    Anyone want to see if we can get Steve to spin up a sub-forum just for discussing SQL STIGs?

    😉

    I'm glad someone else is dealing with the exact same problems I am. I suspect few people are discussing it because they aren't sure if it's allowed.

    I find it interesting that we aren't supplied with jobs or policies that can be loaded per instance so that every DECC has the same method/settings. That's assuming someone is creating the STIGs who actually knows how SQL functions though. Based on the Fix Text syntax supplied, it's someone who hasn't written TSQL since SQL2000.

    I've figured that the STIG writers are probably someone whose idea of high technology is their Motorola StarTac flip phone from the '90s, who has been provided a copy of the best practices guide, a whip, and a team of 100 trained monkeys with typewriters...

    It's interesting that people would wonder if they can or can't discuss the STIGs, seeing as they are freely and publicly available...

    Kind of indicates to me, go ahead and discuss them, as long as you don't give out details of your workplace / environment.

    Your assessment of the STIG writers is probably too close to the truth for comfort >_<

    I was a bit surprised the day I realized they were publicly available, so I assume others would be too. At least where I am at, there's not much of a mentality to look for help outside the building for STIG-related issues.

    I've been creating policies almost non-stop for the past week so hopefully we can breeze through audits, at least until the next STIG comes out...
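The two "straightforward" STIG items the thread names (CONNECT SQL granted directly to logins, and anything granted WITH GRANT OPTION) can be pulled straight from the catalog views. The audit queries below are an added example, not code from the thread or from DISA's Fix Text; they assume SQL Server 2008 or later and a reviewer who will decide which rows are acceptable in their environment.

```sql
-- Added example: audit queries for the two STIG items named in the thread.
-- Assumes SQL Server 2008+ catalog views; no STIG rule IDs are referenced.

-- 1. Logins holding CONNECT SQL as a direct server-level grant.
--    CREATE LOGIN grants this automatically, which is why the item is so
--    common; the reviewer decides whether each row should stay or move to a role.
SELECT  sp.name         AS login_name,
        sp.type_desc    AS login_type,
        perm.state_desc AS grant_state,
        grantor.name    AS granted_by
FROM    sys.server_permissions AS perm
JOIN    sys.server_principals  AS sp
        ON sp.principal_id = perm.grantee_principal_id
JOIN    sys.server_principals  AS grantor
        ON grantor.principal_id = perm.grantor_principal_id
WHERE   perm.class = 100                      -- SERVER scope
  AND   perm.permission_name = 'CONNECT SQL'
  AND   perm.state IN ('G', 'W')              -- GRANT or GRANT WITH GRANT OPTION
  AND   sp.type IN ('S', 'U', 'G')            -- SQL, Windows user, Windows group logins
ORDER BY sp.name;

-- 2. Server-level permissions granted WITH GRANT OPTION (state = 'W').
SELECT  sp.name AS grantee, perm.class_desc, perm.permission_name, perm.state_desc
FROM    sys.server_permissions AS perm
JOIN    sys.server_principals  AS sp ON sp.principal_id = perm.grantee_principal_id
WHERE   perm.state = 'W'
ORDER BY sp.name, perm.permission_name;

-- 3. The same WITH GRANT OPTION check across every online database,
--    built as one UNION ALL batch so the result is a single list.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N' UNION ALL SELECT ' + QUOTENAME(name, '''') + N' AS database_name, '
             + N'dp.name AS grantee, p.class_desc, p.permission_name, p.state_desc '
             + N'FROM ' + QUOTENAME(name) + N'.sys.database_permissions AS p '
             + N'JOIN ' + QUOTENAME(name) + N'.sys.database_principals AS dp '
             + N'ON dp.principal_id = p.grantee_principal_id '
             + N'WHERE p.state = ''W''' + CHAR(10)
FROM   sys.databases
WHERE  state_desc = 'ONLINE';

IF LEN(@sql) > 0
BEGIN
    SET @sql = STUFF(@sql, 1, LEN(N' UNION ALL'), N'');  -- drop the leading UNION ALL
    EXEC sys.sp_executesql @sql;
END;
```

Run it as a sysadmin or a login with VIEW ANY DEFINITION and VIEW SERVER STATE so the catalog views return every principal rather than only your own.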