-
Notifications
You must be signed in to change notification settings - Fork 5
Expand file tree
/
Copy pathinspec.yml
More file actions
314 lines (266 loc) · 10.8 KB
/
inspec.yml
File metadata and controls
314 lines (266 loc) · 10.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
name: ms-sql-server-2014-instance-stig-baseline
title: "MS SQL Server 2014 Instance Security Technical Implementation Guide :: Version 2, Release 4 :: Benchmark Date: 24 Jul 2024"
maintainer: MITRE SAF Team
copyright: MITRE
copyright_email: saf@groups.mitre.org
license: Apache-2.0
summary: InSpec profile aligned to STIG Guidance for MS SQL Server 2014 Instance Security Technical Implementation Guide
description: null
version: 2.4.0
supports: []
depends: []
inspec_version: "~>6.0"
### INPUTS ###
# Inputs are variables that can be referenced by any control in the profile,
# and are defined and given a default value in this file.
# By default, each parameter is set to exactly comply with the profile baseline
# wherever possible. Some profile controls will require a unique value reflecting
# the necessary context for the supporting system.
# Values provided here can be overridden using an input file or a CLI flag at
# execution time. See InSpec's Inputs docs at https://docs.chef.io/inspec/profiles/inputs/
# for details.
# NOTE: DO NOT directly change the default values by editing this file. Use
# overrides instead.
###
inputs:
# SV-213807, SV-213809, SV-213810, SV-213811, SV-213812, SV-213813, SV-213814
# SV-213815, SV-213816, SV-213817, SV-213819, SV-213820, SV-213821, SV-213822
# SV-213823, SV-213830, SV-213831, SV-213832, SV-213843, SV-213846, SV-213848
# SV-213849, SV-213850, SV-213851, SV-213852, SV-213858, SV-213859, SV-213860
# SV-213861, SV-213865, SV-213872, SV-213873, SV-213874, SV-213875, SV-213876
# SV-213881, SV-213882, SV-213883, SV-213884, SV-213885, SV-213886, SV-213887
# SV-213888, SV-213889, SV-213890, SV-213891, SV-213892, SV-213894, SV-213895
# SV-213897
- name: user
description: 'username MSSQL DB Server'
value: null
sensitive: true
# SV-213807, SV-213809, SV-213810, SV-213811, SV-213812, SV-213813, SV-213814
# SV-213815, SV-213816, SV-213817, SV-213819, SV-213820, SV-213821, SV-213822
# SV-213823, SV-213830, SV-213831, SV-213832, SV-213843, SV-213846, SV-213848
# SV-213849, SV-213850, SV-213851, SV-213852, SV-213858, SV-213859, SV-213860
# SV-213861, SV-213865, SV-213872, SV-213873, SV-213874, SV-213875, SV-213876
# SV-213881, SV-213882, SV-213883, SV-213884, SV-213885, SV-213886, SV-213887
# SV-213888, SV-213889, SV-213890, SV-213891, SV-213892, SV-213894, SV-213895
# SV-213897
- name: password
description: 'password MSSQL DB Server'
value: null
sensitive: true
# SV-213807, SV-213809, SV-213810, SV-213811, SV-213812, SV-213813, SV-213814
# SV-213815, SV-213816, SV-213817, SV-213819, SV-213820, SV-213821, SV-213822
# SV-213823, SV-213830, SV-213831, SV-213832, SV-213843, SV-213846, SV-213848
# SV-213849, SV-213850, SV-213851, SV-213852, SV-213858, SV-213859, SV-213860
# SV-213861, SV-213865, SV-213872, SV-213873, SV-213874, SV-213875, SV-213876
# SV-213881, SV-213882, SV-213883, SV-213884, SV-213885, SV-213886, SV-213887
# SV-213888, SV-213889, SV-213890, SV-213891, SV-213892, SV-213894, SV-213895
# SV-213897
- name: host
description: 'hostname MSSQL DB Server'
value: null
sensitive: true
# SV-213807, SV-213809, SV-213810, SV-213811, SV-213812, SV-213813, SV-213814
# SV-213815, SV-213816, SV-213817, SV-213819, SV-213820, SV-213821, SV-213822
# SV-213823, SV-213830, SV-213831, SV-213832, SV-213843, SV-213846, SV-213848
# SV-213849, SV-213850, SV-213851, SV-213852, SV-213858, SV-213859, SV-213860
# SV-213861, SV-213865, SV-213872, SV-213873, SV-213874, SV-213875, SV-213876
# SV-213881, SV-213882, SV-213883, SV-213884, SV-213885, SV-213886, SV-213887
# SV-213888, SV-213889, SV-213890, SV-213891, SV-213892, SV-213894, SV-213895
# SV-213897
- name: instance
description: 'instance name MSSQL DB Server'
value: null
sensitive: true
# SV-213807, SV-213809, SV-213810, SV-213811, SV-213812, SV-213813, SV-213814
# SV-213815, SV-213816, SV-213817, SV-213819, SV-213820, SV-213821, SV-213822
# SV-213823, SV-213830, SV-213831, SV-213832, SV-213843, SV-213846, SV-213848
# SV-213849, SV-213850, SV-213851, SV-213852, SV-213858, SV-213859, SV-213860
# SV-213861, SV-213865, SV-213872, SV-213873, SV-213874, SV-213875, SV-213876
# SV-213881, SV-213882, SV-213883, SV-213884, SV-213885, SV-213886, SV-213887
# SV-213888, SV-213889, SV-213890, SV-213891, SV-213892, SV-213894, SV-213895
# SV-213897
- name: port
description: 'port MSSQL DB Server'
type: numeric
value: 1433
# SV-213807, SV-213843, SV-213846, SV-213860, SV-213874, SV-213876, SV-213881
# SV-213882, SV-213883, SV-213884, SV-213885, SV-213886, SV-213887, SV-213888
# SV-213889, SV-213890, SV-213891, SV-213892
- name: db_name
description: 'name of the specific DB being evaluated within the MSSQL server'
type: string
value: 'master'
# SV-213812, SV-213813, SV-213814, SV-213815, SV-213816, SV-213817, SV-213819
# SV-213859, SV-213874, SV-213881, SV-213882, SV-213883, SV-213884, SV-213885
# SV-213886, SV-213887, SV-213888, SV-213889, SV-213890, SV-213891, SV-213892
- name: server_trace_implemented
description: 'Set to true If SQL Server Trace is in use for audit purposes'
type: boolean
value: true
# SV-213812, SV-213819, SV-213859, SV-213860, SV-213874, SV-213881, SV-213882
# SV-213883, SV-213884, SV-213885, SV-213886, SV-213887, SV-213888, SV-213889
# SV-213890, SV-213891, SV-213892
- name: server_audit_implemented
description: 'Set to true If SQL Server Audit is in use for audit purposes'
type: boolean
value: true
- name: sql_server_reporting_services_used
description: 'Set to true if SQL Server Reporting Services is in use'
type: boolean
value: false
- name: sql_server_data_tools_required
description: 'Set to true if SQL Server data tools is required'
type: boolean
value: false
- name: sql_server_integration_services_used
description: 'Set to true if SQL Server Integration Services is in use'
type: boolean
value: false
- name: sql_server_analysis_services_used
description: 'Set to true if SQL Server analysis Services is in use'
type: boolean
value: false
- name: sql_server_distributed_replay_client_used
description: 'Set to true if SQL Server Distributed Replay Client is in use'
type: boolean
value: false
- name: sql_server_distributed_replay_controller_used
description: 'Set to true if SQL Server Distributed Replay Controller is in use'
type: boolean
value: false
- name: sql_server_full_text_search_used
description: 'Set to true if SQL Server full-text search is in use'
type: boolean
value: false
- name: master_data_services_used
description: 'Set to true if master data services is in use'
type: boolean
value: false
- name: data_quality_client_used
description: 'Set to true if data quality client is in use'
type: boolean
value: false
- name: data_quality_services_used
description: 'Set to true if data quality services is in use'
type: boolean
value: false
- name: client_tools_sdk_used
description: 'Set to true if client tools sdk is in use'
type: boolean
value: false
- name: sql_mgmt_tools_used
description: 'Set to true if sql server management tools is in use'
type: boolean
value: false
- name: server_instance
description: 'instance name MSSQL DB Server'
value: 'WIN-FC4ANINFUFP'
# SV-213810
- name: approved_audit_maintainers
description: 'List of users with permissions - ALTER TRACE, CREATE TRACE EVENT NOTIFICATION'
type: array
value: []
# SV-213811
- name: allowed_audit_permissions
description: 'List of users with audit permissions - ALTER ANY SERVER AUDIT, CONTROL SERVER, ALTER ANY DATABASE, CREATE ANY DATABASE'
type: array
value: []
- name: allowed_sql_alter_permissions
description: 'List of user with permissions - ALTER ANY SERVER AUDIT, ALTER ANYDATABASE AUDIT, ALTER TRACE; or EXECUTE'
type: array
value: []
# SV-213823
- name: approved_users_sql_audits
description: 'List of approved users with access to SQL Server Audits'
type: array
value: []
# SV-213861
- name: approved_users_server
description: 'List of sql server users with permissions - alter, create, control'
type: array
value: []
# SV-213861
- name: approved_users_database
description: 'List of sql database users with permissions - alter, create, control'
type: array
value: []
# SV-213847
- name: sql_components
description: 'List of sql components installed'
type: array
value: []
# SV-213850, SV-213875
- name: authorized_protocols
description: 'List of authorized network protocols for the SQL server'
type: array
value: ["Shared Memory", "TCP/IP"]
# SV-213851
- name: authorized_ports
description: 'List of authorized network ports for the SQL server'
type: array
value: ["1433"]
# SV-213851
- name: authorized_ports_name
description: 'List of authorized network port names for the SQL server'
type: array
value: ["TcpPort", "TcpDynamicPorts"]
# SV-213852
- name: authorized_sql_users
description: 'List of authorized users for the SQL server'
type: array
value: []
# SV-213872
- name: allowed_users_priv_functions
description: 'List of users allowed to execute privileged functions - create, alter, delete'
type: array
value: []
# SV-213873
- name: allowed_server_permissions
description: 'List of allowed server permissions'
type: array
value: []
# SV-213873
- name: allowed_database_permissions
description: 'List of allowed database permissions'
type: array
value: []
# SV-213876
- name: encrypted_databases
description: 'List of Databases that require encryption'
type: array
value: ['EmpData']
# SV-213876
- name: data_at_rest_encryption_required
description: 'Set to true if data at rest encryption is required'
type: boolean
value: false
# SV-213876
- name: full_disk_encryption_inplace
description: 'Set to true if full disk encryption is in place'
type: boolean
value: false
# SV-213865, SV-213872
- name: allowed_users
description: 'List of user allowed to execute privileged functions'
type: array
value: []
# SV-213849
- name: is_xp_cmdshell_required
description: 'Set to true xp cmdshell is required'
type: boolean
value: false
# SV-213858
- name: sql_managed_accounts
description: 'List of accounts managed by the sql server'
type: array
value: []
# SV-213846
- name: filestream_required
description: 'Set to true if filestream is required'
type: boolean
value: false
# SV-213846
- name: filestream_transact_access_only_required
description: 'Set to true if filestream transact access is required'
type: boolean
value: false