{"id":19260341,"url":"https://github.com/mitre/microsoft-sql-server-2014-database-stig-baseline","last_synced_at":"2025-04-21T16:31:38.440Z","repository":{"id":52490560,"uuid":"149172597","full_name":"mitre/microsoft-sql-server-2014-database-stig-baseline","owner":"mitre","description":"Inspec Profile to validate MSSQL Database 2014","archived":false,"fork":false,"pushed_at":"2024-11-27T05:53:20.000Z","size":393,"stargazers_count":4,"open_issues_count":1,"forks_count":2,"subscribers_count":23,"default_branch":"main","last_synced_at":"2025-04-01T14:37:14.485Z","etag":null,"topics":["inspec","mitre-corporation","mssql","mssql-2014","stig"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mitre.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-17T18:50:20.000Z","updated_at":"2024-12-17T18:58:42.000Z","dependencies_parsed_at":"2024-08-29T20:59:07.052Z","dependency_job_id":"e9e23313-e152-4b6b-9b7b-6adc0d9904bf","html_url":"https://github.com/mitre/microsoft-sql-server-2014-database-stig-baseline","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre%2Fmicrosoft-sql-server-2014-database-stig-baseline","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre%2Fmicrosoft-sql-server-2014-database-stig-baseline/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre%2Fmicrosoft-sql-server-2014-databas
e-stig-baseline/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre%2Fmicrosoft-sql-server-2014-database-stig-baseline/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mitre","download_url":"https://codeload.github.com/mitre/microsoft-sql-server-2014-database-stig-baseline/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250090875,"owners_count":21373267,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["inspec","mitre-corporation","mssql","mssql-2014","stig"],"created_at":"2024-11-09T19:20:04.230Z","updated_at":"2025-04-21T16:31:38.433Z","avatar_url":"https://github.com/mitre.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# MS SQL Server 2014 Database Security Technical Implementation Guide\nThis InSpec Profile was created to facilitate testing and auditing of `MS SQL Server 2014 Database`\ninfrastructure and applications when validating compliance with [Department of Defense (DoD) STIG](https://public.cyber.mil/stigs/)\nrequirements.\n\n- Profile Version: **1.7.0**\n- Benchmark Date: **24 Jul 2024**\n- Benchmark Version: **Version 1 Release 7 (V1R7)**\n\n\nThis profile was developed to reduce the time it takes to perform security checks based upon the\nSTIG Guidance from the Defense Information Systems Agency (DISA) in partnership between the DISA Services Directorate (SD) and the DISA Risk Management Executive (RME) office.\n\nThe results of a profile run will provide information needed to support an 
Authority to Operate (ATO)\ndecision for the applicable technology.\n\nThe MS SQL Server 2014 Database STIG Profile uses the [InSpec](https://github.com/inspec/inspec)\nopen-source compliance validation language to support automation of the required compliance, security\nand policy testing for Assessment and Authorization (A\u0026A) and Authority to Operate (ATO) decisions\nand Continuous Authority to Operate (cATO) processes.\n\nTable of Contents\n=================\n* [STIG Benchmark  Information](#benchmark-information)\n* [Getting Started](#getting-started)\n    * [Intended Usage](#intended-usage)\n    * [Tailoring to Your Environment](#tailoring-to-your-environment)\n    * [Testing the Profile Controls](#testing-the-profile-controls)\n* [Running the Profile](#running-the-profile)\n    * [Directly from Github](#directly-from-github) \n    * [Using a local Archive copy](#using-a-local-archive-copy)\n    * [Different Run Options](#different-run-options)\n* [Using Heimdall for Viewing Test Results](#using-heimdall-for-viewing-test-results)\n\n## Benchmark Information\nThe DISA RME and DISA SD Office, along with their vendor partners, create and maintain a set of Security Technical Implementation Guides for applications, computer systems and networks\nconnected to the Department of Defense (DoD). These guidelines are the primary security standards\nused by the DoD agencies. In addition to defining security guidelines, the STIGs also stipulate\nhow security training should proceed and when security checks should occur. 
Organizations must\nstay compliant with these guidelines or they risk having their access to the DoD terminated.\n\nRequirements associated with the MS SQL Server 2014 Database STIG are derived from the\n[Security Requirements Guides](https://csrc.nist.gov/glossary/term/security_requirements_guide)\nand align to the [National Institute of Standards and Technology](https://www.nist.gov/) (NIST)\n[Special Publication (SP) 800-53](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53)\nSecurity Controls, [DoD Control Correlation Identifier](https://public.cyber.mil/stigs/cci/) and related standards.\n\nThe MS SQL Server 2014 Database STIG profile checks were developed to provide technical implementation\nvalidation of the defined DoD requirements; the guidance can also provide insight for any organization wishing\nto enhance its security posture and can be tailored easily for use in your organization.\n\n[top](#table-of-contents)\n## Getting Started  \n### InSpec (CINC-auditor) setup\nFor maximum flexibility/accessibility `cinc-auditor`, the open-source packaged binary version of Chef InSpec, should be used,\ncompiled by the CINC (CINC Is Not Chef) project in coordination with Chef using Chef's always-open-source InSpec source code.\nFor more information see [CINC Home](https://cinc.sh/).\n\nIt is intended and recommended that CINC-auditor and this profile be executed from a __\"runner\"__ host\n(such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop)\nagainst the target. 
This can be any Unix/Linux/MacOS or Windows runner host, with access to the Internet.\n\n\u003e [!TIP]\n\u003e **For the best security of the runner, always install on the runner the latest version of CINC-auditor and any other supporting language components.**\n\nTo install CINC-auditor on a UNIX/Linux/MacOS platform use the following command:\n```bash\ncurl -L https://omnitruck.cinc.sh/install.sh | sudo bash -s -- -P cinc-auditor\n```\n\nTo install CINC-auditor on a Windows platform (Powershell) use the following command:\n```powershell\n. { iwr -useb https://omnitruck.cinc.sh/install.ps1 } | iex; install -project cinc-auditor\n```\n\n\u003e [!NOTE]\n\u003e Both commands pipe a script fetched over the network straight into a privileged shell. Where policy requires it, download `install.sh` or `install.ps1` first, review it, and then run the reviewed copy.\n\nTo confirm successful install of cinc-auditor:\n```\ncinc-auditor -v\n```\n\nLatest versions and other installation options are available on the [CINC Auditor](https://cinc.sh/start/auditor/) site.\n\n[top](#table-of-contents)\n### Intended Usage\n1. The latest `released` version of the profile is intended for use in A\u0026A testing, as well as\n    providing formal results to Authorizing Officials and Identity and Access Management (IAM)s.\n    Please use the `released` versions of the profile in these types of workflows. \n\n2. The `main` branch is a development branch that will become the next release of the profile.\n    The `main` branch is intended for use in _developing and testing_ merge requests for the next\n    release of the profile, and _is not intended_ to be used for formal and ongoing testing on systems.\n\n[top](#table-of-contents)\n### Tailoring to Your Environment\nThis profile uses InSpec Inputs to provide flexibility during testing. Inputs allow you to\ncustomize the behavior of Chef InSpec profiles.\n\nInSpec Inputs are defined in the `inspec.yml` file. 
The `inputs` configured in this\nfile are the **profile's input definitions and default values**, extracted from the profile's\nguidance document; they also carry metadata that describes the profile and should not be modified.\n\nInSpec provides several methods for customizing a profile's behavior at run time that do not require\nmodifying the `inspec.yml` file itself (see [Using Customized Inputs](#using-customized-inputs)).\n\nThe following inputs are permitted to be configured in an inputs `.yml` file (often named inputs.yml)\nfor the profile to run correctly on a specific environment, while still complying with the security\nguidance document intent. This is important to prevent confusion when test results are passed downstream\nto different stakeholders under the *security guidance name used by this profile repository*.\n\nFor changes beyond the inputs cited in this section, users can create an *organizationally-named overlay repository*.\nFor more information on developing overlays, reference the [MITRE SAF Training](https://mitre-saf-training.netlify.app/courses/beginner/10.html).\n\n#### Example of tailoring Inputs *While Still Complying* with the security guidance document for the profile:\n\n```yaml\n  # This file specifies the attributes for the configurable controls\n  # used by the MS SQL Server 2014 Database STIG profile.\n\n  # Disable controls that are known to consistently have long run times (true or false)\n  disable_slow_controls: false\n\n  # A unique list of administrative users\n  admins_list: [admin1, admin2, admin3]\n\n  # List of configuration files for the specific system\n  logging_conf_files:\n    - \u003cdir-path-1\u003e/*.conf\n    - \u003cdir-path-2\u003e/*.conf\n\n  ...\n```\n\n\u003e [!NOTE]\n\u003e Inputs are variables that are referenced by the control(s) in the profile that implement them.\n\u003e They are declared (defined) and given a default value in the `inspec.yml` file. 
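As an added example (not code from this repository or from InSpec), the following Ruby script checks a tailoring `inputs.yml` against the `inputs` declared in a profile's `inspec.yml` before the file is handed to `--input-file`: it reports input names that no control reads (typically typos), values whose type does not match the declaration, and the effective value each input will have. Both YAML documents inside the script are constructed for the example; the input names are taken from the tailoring example above, but the descriptions, types and defaults are assumptions and are not the profile's actual `inspec.yml`.

```ruby
# Added example, not part of the profile: check a tailoring inputs.yml against
# the input declarations in a profile's inspec.yml before passing it to
# `cinc-auditor exec ... --input-file=inputs.yml`.
require 'yaml'

# Constructed stand-in for the `inputs:` section of a profile's inspec.yml.
# The input names are the ones from the README's tailoring example; the
# descriptions, types and defaults are assumed for this example.
INSPEC_YML = <<~YAML
  name: microsoft-sql-server-2014-database-stig-baseline
  inputs:
    - name: disable_slow_controls
      description: Disable controls that are known to consistently have long run times
      type: Boolean
      value: false
    - name: admins_list
      description: A unique list of administrative users
      type: Array
      value: []
    - name: logging_conf_files
      description: List of configuration files for the specific system
      type: Array
      value: []
YAML

# Constructed tailoring file with two deliberate mistakes: a misspelled input
# name (which no control would ever read, so the default stays in effect) and
# a Boolean written as a quoted string.
INPUTS_YML = <<~YAML
  disable_slow_controls: "true"
  admin_list:
    - sa
    - dba_admin
  logging_conf_files:
    - "C:/Program Files/Microsoft SQL Server/MSSQL12.MSSQLSERVER/MSSQL/Log/*.log"
YAML

# Ruby classes accepted for each InSpec input type.
TYPE_CHECKS = {
  'String'  => [String],
  'Numeric' => [Numeric],
  'Boolean' => [TrueClass, FalseClass],
  'Array'   => [Array],
  'Hash'    => [Hash],
  'Regexp'  => [Regexp, String],
  'Any'     => [Object]
}.freeze

# Edit distance, used only to suggest the closest declared name for a typo.
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    curr = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      curr << [prev[j] + 1, curr[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = curr
  end
  prev.last
end

# Returns { effective: { name => value }, errors: [String] }.
# Overrides replace inspec.yml defaults; unknown names and type mismatches
# are reported instead of being silently dropped or coerced.
def validate_inputs(inspec_yml, inputs_yml)
  declared = YAML.safe_load(inspec_yml).fetch('inputs', [])
  overrides = YAML.safe_load(inputs_yml) || {}
  by_name = declared.to_h { |d| [d['name'], d] }
  errors = []

  overrides.each_key do |key|
    next if by_name.key?(key)
    hint = by_name.keys.min_by { |name| levenshtein(name, key) }
    errors << "unknown input '#{key}' (did you mean '#{hint}'?)"
  end

  effective = {}
  by_name.each do |name, decl|
    value = overrides.key?(name) ? overrides[name] : decl['value']
    if value.nil?
      errors << "input '#{name}' is required but has no value" if decl['required']
    elsif TYPE_CHECKS.fetch(decl['type'] || 'Any').none? { |klass| value.is_a?(klass) }
      errors << "input '#{name}' must be #{decl['type']}, got #{value.inspect}"
    end
    effective[name] = value
  end

  { effective: effective, errors: errors }
end

if $PROGRAM_NAME == __FILE__
  result = validate_inputs(INSPEC_YML, INPUTS_YML)
  result[:errors].each { |e| warn "ERROR: #{e}" }
  puts result[:effective].to_yaml
end
```

Run against the two constructed documents it reports the misspelled `admin_list` (suggesting `admins_list`) and the string `"true"` where a Boolean is declared, and prints the effective input set that the profile would actually see. Point `INSPEC_YML` at the real `inspec.yml` of the profile and `INPUTS_YML` at your tailoring file to use it for real; inputs passed with `--input name=value` on the command line are not covered by this check.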
\n\n#### Using Customized Inputs\nCustomized inputs may be used at the CLI by providing an input file or a flag at execution time.\n\n1. Using the `--input` flag\n  \n    Example: `[inspec or cinc-auditor] exec \u003cmy-profile.tar.gz\u003e --input disable_slow_controls=true`\n\n2. Using the `--input-file` flag.\n    \n    Example: `[inspec or cinc-auditor] exec \u003cmy-profile.tar.gz\u003e --input-file=\u003cmy_inputs_file.yml\u003e`\n\n\u003e [!TIP]\n\u003e For additional information about `input` file examples reference the [MITRE SAF Training](https://mitre.github.io/saf-training/courses/beginner/06.html#input-file-example)\n\nChef InSpec Resources:\n- [InSpec Profile Documentation](https://docs.chef.io/inspec/profiles/).\n- [InSpec Inputs](https://docs.chef.io/inspec/profiles/inputs/).\n- [inspec.yml](https://docs.chef.io/inspec/profiles/inspec_yml/).\n\n\n[top](#table-of-contents)\n### Testing the Profile Controls\nThe Gemfile provided contains all the necessary ruby dependencies for checking the profile controls.\n#### Requirements\nAll actions are conducted using `ruby`. Currently `inspec` \ncommands have been tested with ruby version 3.1.2. A higher version of ruby is not guaranteed to\nprovide the expected results. 
Any modern distribution of Ruby comes with Bundler preinstalled by default.\n\nInstall ruby based on the OS being used, see [Installing Ruby](https://www.ruby-lang.org/en/documentation/installation/)\n\nAfter installing `ruby` install the necessary dependencies by invoking the bundler command\n(must be in the same directory where the Gemfile is located):\n```bash\nbundle install\n```\n\n#### Testing Commands\n\nLinting and validating controls:\n```bash\n  bundle exec rake [inspec or cinc-auditor]:check # validate the inspec profile\n  bundle exec rake lint                           # Run RuboCop\n  bundle exec rake lint:autocorrect               # Autocorrect RuboCop offenses (only when it's safe)\n  bundle exec rake lint:autocorrect_all           # Autocorrect RuboCop offenses (safe and unsafe)\n  bundle exec rake pre_commit_checks              # pre-commit checks\n```\n\nEnsure the controls are ready to be committed into the repo:\n```bash\n  bundle exec rake pre_commit_checks\n```\n\n\n[top](#table-of-contents)\n## Running the Profile\n### Directly from Github\nThis option is best used when network connectivity is available and policies permit\naccess to the hosting repository.\n\n```bash\n# Using `ssh` transport\nbundle exec [inspec or cinc-auditor] exec https://github.com/mitre/microsoft-sql-server-2014-database-stig-baseline/archive/main.tar.gz --input-file=\u003cyour_inputs_file.yml\u003e -t ssh://\u003chostname\u003e:\u003cport\u003e --sudo --reporter=cli json:\u003cyour_results_file.json\u003e\n\n# Using `winrm` transport\nbundle exec [inspec or cinc-auditor] exec https://github.com/mitre/microsoft-sql-server-2014-database-stig-baseline/archive/main.tar.gz --target winrm://\u003chostip\u003e --user '\u003cadmin-account\u003e' --password=\u003cpassword\u003e --input-file=\u003cpath_to_your_inputs_file/name_of_your_inputs_file.yml\u003e --reporter=cli json:\u003cpath_to_your_output_file/name_of_your_output_file.json\u003e\n```\n\n\u003e [!NOTE]\n\u003e A password given as `--password=` is visible in the runner's shell history and in its process list for the duration of the scan, and the `winrm://` transport speaks plain HTTP unless `--ssl` is added. Protect the runner's history and the JSON results file accordingly; the results record the target's configuration in detail.\n\n[top](#table-of-contents)\n### Using a 
local Archive copy\nIf your runner is not always expected to have direct access to the profile's hosted location,\nuse the following steps to create an archive bundle of this profile and all of its dependent tests:\n\nGit is required to clone the InSpec profile using the instructions below.\nGit can be downloaded from the [Git Web Site](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git).\n\nWhen the **\"runner\"** host uses this profile for the first time, follow these steps:\n\n```bash\nmkdir profiles\ncd profiles\ngit clone https://github.com/mitre/microsoft-sql-server-2014-database-stig-baseline.git\nbundle exec [inspec or cinc-auditor] archive microsoft-sql-server-2014-database-stig-baseline\n\n# Using `ssh` transport\nbundle exec [inspec or cinc-auditor] exec \u003cname of generated archive\u003e --input-file=\u003cyour_inputs_file.yml\u003e -t ssh://\u003chostname\u003e:\u003cport\u003e --sudo --reporter=cli json:\u003cyour_results_file.json\u003e\n\n# Using `winrm` transport\nbundle exec [inspec or cinc-auditor] exec \u003cname of generated archive\u003e --target winrm://\u003chostip\u003e --user '\u003cadmin-account\u003e' --password=\u003cpassword\u003e --input-file=\u003cpath_to_your_inputs_file/name_of_your_inputs_file.yml\u003e --reporter=cli json:\u003cpath_to_your_output_file/name_of_your_output_file.json\u003e    \n```\n\nFor every successive run, follow these steps to always have the latest version of this profile baseline:\n\n```bash\ncd microsoft-sql-server-2014-database-stig-baseline\ngit pull\ncd ..\nbundle exec [inspec or cinc-auditor] archive microsoft-sql-server-2014-database-stig-baseline --overwrite\n\n# Using `ssh` transport\nbundle exec [inspec or cinc-auditor] exec \u003cname of generated archive\u003e --input-file=\u003cyour_inputs_file.yml\u003e -t ssh://\u003chostname\u003e:\u003cport\u003e --sudo --reporter=cli json:\u003cyour_results_file.json\u003e\n\n# Using `winrm` transport\nbundle exec [inspec or cinc-auditor] exec \u003cname of 
generated archive\u003e --target winrm://\u003chostip\u003e --user '\u003cadmin-account\u003e' --password=\u003cpassword\u003e --input-file=\u003cpath_to_your_inputs_file/name_of_your_inputs_file.yml\u003e --reporter=cli json:\u003cpath_to_your_output_file/name_of_your_output_file.json\u003e    \n```\n\n[top](#table-of-contents)\n## Different Run Options\n\n[Full exec options](https://docs.chef.io/inspec/cli/#options-3)\n\n[top](#table-of-contents)\n## Using Heimdall for Viewing Test Results\nThe JSON results output file can be loaded into **[Heimdall-Lite](https://heimdall-lite.mitre.org/)**\nor **[Heimdall-Server](https://github.com/mitre/heimdall2)** for a user-interactive, graphical view of the profile scan results.\n\nHeimdall-Lite is a `browser only` viewer that renders your results file locally in your browser.\nHeimdall-Server is configured with a `data-services backend` allowing for data persistence to a database (PostgreSQL).\nFor more detail on feature capabilities see [Heimdall Features](https://github.com/mitre/heimdall2?tab=readme-ov-file#features).\n\nHeimdall can **_export your results into a DISA Checklist (CKL) file_** for easy upload into eMASS using the `Heimdall Export` function.\n\nDepending on your environment restrictions, the [SAF CLI](https://saf-cli.mitre.org) can be used to run a local docker instance\nof Heimdall-Lite via the `saf view:heimdall` command.\n\nAdditionally, both Heimdall applications can be deployed via docker, kubernetes, or the installation packages.\n\n[top](#table-of-contents)\n## Authors\n[Defense Information Systems Agency (DISA)](https://www.disa.mil/)\n\n[STIG support by DISA Risk Management Team and Cyber Exchange](https://public.cyber.mil/)\n\n[MITRE Security Automation Framework Team](https://saf.mitre.org)\n\n## NOTICE\n\n© 2018-2025 The MITRE Corporation.\n\nApproved for Public Release; Distribution Unlimited. 
Case Number 18-3678.\n\n## NOTICE \n\nMITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.\n\n## NOTICE  \n\nThis software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.  \n\nNo other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.\n\nFor further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA  22102-7539, (703) 983-6000.\n\n## NOTICE\n[DISA STIGs are published by DISA IASE](https://public.cyber.mil/stigs/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitre%2Fmicrosoft-sql-server-2014-database-stig-baseline","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmitre%2Fmicrosoft-sql-server-2014-database-stig-baseline","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitre%2Fmicrosoft-sql-server-2014-database-stig-baseline/lists"}