microsoft-sql-server-2014-instance-stig-baseline/inspec.yml at master · USStateDept/microsoft-sql-server-2014-instance-stig-baseline · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
name: microsoft-sql-server-2014-instance-stig-baseline
title: microsoft-sql-server-2014-instance-stig-baseline
maintainer: The MITRE Corporation
copyright: (c) 2018 The MITRE Corporation
copyright_email: inspec@mitre.org
license: Apache-2.0
summary: "Inspec Validation Profile for Microsoft SQL Server 2014 Instance STIG"
version: 1.9.0
inspec_version: ">= 4.0"

inputs:
  - name: user
    description: 'username MSSQL DB Server'
    value: null
    sensitive: true

  - name: password
    description: 'password MSSQL DB Server'
    value: null
    sensitive: true

  - name: host
    description: 'hostname MSSQL DB Server'
    value: null
    sensitive: true

  - name: instance
    description: 'instance name MSSQL DB Server'
    value: null
    sensitive: true

  - name: port
    description: 'port MSSQL DB Server'
    type: numeric
    value: 1433
    sensitive: true

  - name: db_name
    description: 'name of the specific DB being evaluated within the MSSQL server'
    type: string
    value: 'master'
    sensitive: true

  - name: server_trace_implemented
    description: 'Set to true If SQL Server Trace is in use for audit purposes'
    type: boolean
    value: true

  - name: server_audit_implemented
    description: 'Set to true If SQL Server Audit is in use for audit purposes'
    type: boolean
    value: true

  - name: sql_server_reporting_services_used
    description: 'Set to true if SQL Server Reporting Services is in use'
    type: boolean
    value: false

  - name: sql_server_data_tools_required
    description: 'Set to true if SQL Server data tools is required'
    type: boolean
    value: false

  - name: sql_server_integration_services_used
    description: 'Set to true if SQL Server Integration Services is in use'
    type: boolean
    value: false

  - name: sql_server_analysis_services_used
    description: 'Set to true if SQL Server analysis Services is in use'
    type: boolean
    value: false

  - name: sql_server_distributed_replay_client_used
    description: 'Set to true if SQL Server Distributed Replay Client is in use'
    type: boolean
    value: false

  - name: sql_server_distributed_replay_controller_used
    description: 'Set to true if SQL Server Distributed Replay Controller is in use'
    type: boolean
    value: false

  - name: sql_server_full_text_search_used
    description: 'Set to true if SQL Server full-text search is in use'
    type: boolean
    value: false

  - name: master_data_services_used
    description: 'Set to true if master data services is in use'
    type: boolean
    value: false

  - name: data_quality_client_used
    description: 'Set to true if data quality client is in use'
    type: boolean
    value: false

  - name: data_quality_services_used
    description: 'Set to true if data quality services is in use'
    type: boolean
    value: false

  - name: data_quality_services_used
    description: 'Set to true if data quality services is in use'
    type: boolean
    value: false

  - name: client_tools_sdk_used
    description: 'Set to true if client tools sdk is in use'
    type: boolean
    value: false

  - name: sql_mgmt_tools_used
    description: 'Set to true if sql server management tools is in use'
    type: boolean
    value: false

  - name: sql_mgmt_tools_used
    description: 'Set to true if xp_cmdhsell is required'
    type: boolean
    value: false

  - name: server_instance
    description: 'instance name MSSQL DB Server'
    value: 'WIN-FC4ANINFUFP'

  - name: approved_audit_maintainers
    description: 'List of users with permissions - ALTER TRACE, CREATE TRACE EVENT NOTIFICATION'
    type: array
    value: []

  - name: allowed_audit_permissions
    description: 'List of users with audit permissions - ALTER ANY SERVER AUDIT, CONTROL SERVER, ALTER ANY DATABASE, CREATE ANY DATABASE'
    type: array
    value: []

  - name: allowed_sql_alter_permissions
    description: 'List of user with permissions -  ALTER ANY SERVER AUDIT, ALTER ANYDATABASE AUDIT, ALTER TRACE; or EXECUTE'
    type: array
    value: []

  - name: approved_users_sql_audits
    description: 'List of approved users with access to SQL Server Audits'
    type: array
    value: []

  - name: approved_users_server
    description: 'List of sql server users with permissions - alter, create, control'
    type: array
    value: []

  - name: approved_users_database
    description: 'List of sql database users with permissions - alter, create, control'
    type: array
    value: []

  - name: sql_components
    description: 'List of sql components installed'
    type: array
    value: []

  - name: authorized_protocols
    description: 'List of authorized network protocols for the SQL server'
    type: array
    value: ["Shared Memory",
            "TCP/IP"]

  - name: authorized_ports
    description: 'LList of authorized network ports for the SQL server'
    type: array
    value: ["1433"]

  - name: authorized_ports_name
    description: 'List of authorized network port names for the SQL server'
    type: array
    value: ["TcpPort",
            "TcpDynamicPorts"]

  - name: authorized_sql_users
    description: 'List of authorized users for the SQL server'
    type: array
    value: []

  - name: allowed_users_priv_functions
    description: 'List of users allowed to execute privileged functions - create, alter, delete'
    type: array
    value: []

  - name: allowed_server_permissions
    description: 'List of allowed server permissions'
    type: array
    value: []

  - name: allowed_database_permissions
    description: 'List of allowed database permissions'
    type: array
    value: []

  - name: encrypted_databases
    description: 'List of Databases that require encryption'
    type: array
    value: ['EmpData']

  - name: data_at_rest_encryption_required
    description: 'Set to true if data at rest encryption is required'
    type: boolean
    value: false

  - name: full_disk_encryption_inplace
    description: 'Set to true if full disk encryption is in place'
    type: boolean
    value: false

  - name: allowed_users
    description: 'List of user allowed to execute privileged functions'
    type: array
    value: []

  - name: is_xp_cmdshell_required
    description: 'Set to true xp cmdshell is required'
    type: boolean
    value: false

  - name: sql_managed_accounts
    description: 'List of accounts managed by the sql server'
    type: array
    value: []

  - name: filestream_required
    description: 'Set to true if filestream is required'
    type: boolean
    value: false

  - name: filestream_transact_access_only_required
    description: 'Set to true if filestream transact access is required'
    type: boolean
    value: false