DISA STIG - Automated check?

  • I am doing SQL Server 2012 STIGs - I have the STIG Viewer but I'm wondering if there is an easier way of doing the STIGs than just going through each and every one and running them every time?  Is there a scanning tool that can just run a quick check?  

    Also, if I get one server STIG'd and want to roll it out to a new environment without redoing all the STIGs, can you image a sql server and have it brought up in another instance?  We are using cloud based servers.

  • There isn't really any sort of automated tool to handle the SQL STIG checks.  The best I was able to come up with (having to do the STIGs myself) was to copy/paste the queries into one massive query and append the STIG ID for each check to the results.

    The problem is, the SQL 2014 STIGs changed up the queries so that method doesn't work anymore either (DISA made them into views and functions that need to be in the DB being checked.)

    As for imaging, I believe there are ways to create a system image from Microsoft (Google for sysprep), and it can be applied to a server with SQL installed (but I think you actually need to sysprep twice), but I've not done that.  Additionally, you may run into restrictions on that based on your cloud provider.
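    The "one massive query" approach described in the post above, written out as an added example (this is not code from the thread or from DISA). Each STIG check is a small query whose result rows are stamped with the check's ID and a pass/fail status, then everything is collected in one table variable so a single run produces a report you can paste into the checklist. The STIG IDs shown are placeholders to be replaced with the real IDs from the SQL Server 2012 checklist; the four checks (Windows-only authentication, xp_cmdshell disabled, sa disabled, sysadmin membership review) are representative of what that checklist asks for, not a complete list.

    ```sql
    -- Added example, not from the thread: consolidate several STIG-style
    -- checks into one T-SQL script and tag each result row with its check ID.
    -- The IDs are PLACEHOLDERS; substitute the real IDs from STIG Viewer.
    SET NOCOUNT ON;

    DECLARE @Results TABLE (
        StigId    sysname,         -- placeholder ID of the STIG check
        CheckName nvarchar(200),
        Finding   nvarchar(400),   -- the evidence the checklist asks you to record
        Status    varchar(12)      -- 'NotAFinding', 'Open' or 'Review'
    );

    -- Check 1: authentication mode should be Windows-only
    INSERT INTO @Results
    SELECT 'STIG-ID-PLACEHOLDER-1', N'Windows authentication only',
           N'IsIntegratedSecurityOnly = '
             + CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS nvarchar(5)),
           CASE WHEN CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 1
                THEN 'NotAFinding' ELSE 'Open' END;

    -- Check 2: xp_cmdshell should be disabled
    INSERT INTO @Results
    SELECT 'STIG-ID-PLACEHOLDER-2', N'xp_cmdshell disabled',
           N'value_in_use = ' + CAST(value_in_use AS nvarchar(5)),
           CASE WHEN CAST(value_in_use AS int) = 0 THEN 'NotAFinding' ELSE 'Open' END
    FROM sys.configurations
    WHERE name = 'xp_cmdshell';

    -- Check 3: the built-in sa login (SID 0x01, whatever it was renamed to)
    -- should be disabled
    INSERT INTO @Results
    SELECT 'STIG-ID-PLACEHOLDER-3', N'sa login disabled',
           N'name = ' + name + N', is_disabled = ' + CAST(is_disabled AS nvarchar(1)),
           CASE WHEN is_disabled = 1 THEN 'NotAFinding' ELSE 'Open' END
    FROM sys.server_principals
    WHERE sid = 0x01;

    -- Check 4: list every member of sysadmin; the checklist needs a human
    -- to compare this against the documented list of authorised admins
    INSERT INTO @Results
    SELECT 'STIG-ID-PLACEHOLDER-4', N'sysadmin membership',
           N'member = ' + m.name, 'Review'
    FROM sys.server_role_members rm
    JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
    WHERE r.name = 'sysadmin';

    -- One result set for the whole run, ordered by check ID
    SELECT StigId, CheckName, Finding, Status
    FROM @Results
    ORDER BY StigId, Finding;
    ```

    Run it once per instance from SSMS and save the grid as CSV; the Finding column is the evidence text you paste into the checklist for each ID. Keeping every check's evidence in the same table is what makes the rerun cheap: when a later STIG release changes the query wording (as the poster notes happened in 2014), only the affected INSERT block needs to be replaced.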

  • Ok, thanks, that's what I thought.  Blah, sucks. 🙂   And ugh about SQL 2014... I had a plan to upgrade to 2014... 

    We are using Amazon, so yeah, I have heard about them doing sysprep.  Hopefully that will work for us... I just can't do these STIGs over and over. 😀  I mean, some of it is easy because once you STIG the environment you kinda already have a base to know your stuff is STIG'd, but they always want STIG reports....

  • I had the same problem for years, going all the way back to the 2005 STIG checklists, and for a while I used the same solution as jasona.work, but that meant a lot of copying and pasting, and it still only automated the T-SQL vulnerabilities. I was complaining to my son--who's finishing up a Cybersecurity degree--that someone should develop a more comprehensive solution when he said, "Why don't you, then?"

    Long story short, we built a very comprehensive tool that completes the DISA SQL Server 2016 instance and database STIG checks, scanning not just SQL but also Active Directory, DNS, Security Policy, WMI, ACLs, and Registry & Certificate Hives, and writes the results directly to the checklist. It takes about 4-5 minutes to produce the Instance checklist, then an extra minute or so for each Database checklist.

    I'm not sure about the rules here, but if a moderator gives me permission, I'll post an evaluation version.

    Anthony Borelli

    Borelli Security Software

    Anthony Borelli
    Borelli Security Software Inc.
    https://www.BorelliSecuritySoftware.com

  • I haven't heard back about posting an evaluation version, but you can see a video of ASSET in action at https://borellisecuritysoftware.com/products/asset-automated-sql-security-evaluation-tool

    It performs the STIG checks for DISA's 2014 and 2016 SQL Instance and Database checklists.  Blazingly fast.  Very comprehensive.
