question

vscorsone asked

Can the new SQL Server 2012 STIG checklist from IASE DISA be checked (using STIG Viewer) on SQL Server 2008 databases?

And if so, are there any SQL 2012 checks that are not applicable to SQL 2008? There are 160+ OS and DB checks for MAC IIIS, and we're on a tight schedule to do these checks on multiple servers, so we'd like to first narrow them down to something more manageable. We were previously using the SQL 2005 checklist, but my customer is requiring us to use the newest checklist for SQL 2012, since DISA has skipped the 2008 version. It would be nice to cross-reference the list with the 2005 version, but it's near impossible since it's made up of all new STIG checks and vulnerability IDs. Please see the following links... the first is the checklist itself, and the second is an online reference for the checks:

http://iase.disa.mil/stigs/app_security/database/sql.html
http://www.stigviewer.com/stig/d73fc6e5ebb131559c952128e64c63f19a841a3f/MAC3SensitiveProfile/
securitychecklist
4 comments

Shawn_Melton commented:
Are you looking for an automated method or something?

vscorsone commented:
No, not necessarily automated... just something for each check that says if it applies to SQL 2008 R2 (it would be nice, since they completely skipped over the checklist for it), or maybe a reference from the current Vuln IDs back to the Vuln IDs used in the previous checklists. Or... if anyone's used the 2012 checklist against SQL 2008 R2, maybe they can tell me which checks resulted in finding statuses of N/A, due to only being applicable to SQL 2012.

Shawn_Melton commented:
I have not come across any checks that could not apply to SQL Server 2008 R2. With regards to security I am only aware that improvements were made in SQL Server 2012, not necessarily changes.

Fatherjack ♦♦ commented:
For those, like me, who need to look them up ...
IASE - Information Assurance Support Environment
DISA - Defense Information Systems Agency
STIG - Security Technical Information Guidelines
MAC - Mission Assurance Category

0 Answers
