Microsoft
First published on TECHNET on Jan 18, 2011

This post is to provide a little enlightenment to folks who have never STIG'd a database system before and assume that the process is a one-time configuration. It's not. It's not even close.


STIG compliance requires:



  • One or more named Database Administrators (DBA)

  • A named Information Assurance Officer (IAO)

  • An initial system evaluation

  • A Plan of Action and Milestones (POAM) that details how and when deficiencies will be corrected

  • A full set of documentation

  • Periodic compliance activities by the DBA, some as often as daily

  • Periodic compliance activities by the IAO

  • Periodic compliance inspections by auditors

  • Irregular, surprise compliance inspections by auditors


So, you can't STIG anything by yourself. It's a team effort, and it's a permanent, on-going process.


The general process for a DBA STIGing a new system is:



  • Run a compliance-checking tool such as the DISA Security Readiness Review (SRR) script or a 3rd party tool such as Retina.

  • Put all the findings (shortcomings) into a POAM and add dates for when you expect to have each finding remediated or justified.

  • Get the POAM (including schedules) approved by the IAO.

  • Begin addressing the findings based on priority, and either correct each one or provide a justification for why it must remain non-compliant.

  • Stick to the POAM schedule for corrections/justifications or get approval for deadline adjustments if needed.

  • Perform all on-going compliance checks, such as daily inspection of all SQL Server error logs, and keep the documentation up-to-date.
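The daily error log inspection in the last step is the one on-going check a DBA can largely automate. The T-SQL below is an added example, not part of the original post; it assumes SQL Server 2008 or later and a login permitted to run xp_readerrorlog, and pulls the current error log into a temp table so the last 24 hours can be queried for failed logins, high-severity errors and anything that would leave a gap in the audit trail.

```sql
-- Added example (not from the original post): daily SQL Server error log review.
-- Assumes SQL Server 2008+ and a login allowed to execute xp_readerrorlog.
SET NOCOUNT ON;

DECLARE @since datetime = DATEADD(DAY, -1, GETDATE());   -- review window: last 24 hours

-- Stage the current error log in a temp table so it can be filtered with normal T-SQL.
CREATE TABLE #errlog (
    LogDate     datetime,
    ProcessInfo nvarchar(100),
    LogText     nvarchar(max)
);

-- xp_readerrorlog arguments: log number (0 = current), log type (1 = SQL Server, 2 = Agent)
INSERT INTO #errlog (LogDate, ProcessInfo, LogText)
EXEC master.dbo.xp_readerrorlog 0, 1;

-- 1. Failed logins in the window. Each one must be reviewed and the review documented.
SELECT LogDate, LogText
FROM   #errlog
WHERE  LogDate >= @since
  AND  LogText LIKE N'Login failed%'
ORDER BY LogDate DESC;

-- 2. Failed logins grouped by the "[CLIENT: x.x.x.x]" tag SQL Server appends to the message.
--    A single host with many failures is the pattern worth escalating to the IAO.
SELECT ISNULL(SUBSTRING(LogText, NULLIF(CHARINDEX(N'[CLIENT:', LogText), 0), 40), N'(no client tag)') AS ClientTag,
       COUNT(*) AS Failures
FROM   #errlog
WHERE  LogDate >= @since
  AND  LogText LIKE N'Login failed%'
GROUP BY ISNULL(SUBSTRING(LogText, NULLIF(CHARINDEX(N'[CLIENT:', LogText), 0), 40), N'(no client tag)')
ORDER BY Failures DESC;

-- 3. Severity 17-25 errors (resource, I/O and corruption problems) plus any message about a
--    trace or audit stopping, since either creates a gap in the audit trail the STIG requires.
SELECT LogDate, ProcessInfo, LogText
FROM   #errlog
WHERE  LogDate >= @since
  AND (LogText LIKE N'%Severity: 1[7-9],%'
    OR LogText LIKE N'%Severity: 2[0-5],%'
    OR LogText LIKE N'%trace stopped%'
    OR LogText LIKE N'%audit%')
ORDER BY LogDate DESC;

DROP TABLE #errlog;
```

Run it from a SQL Agent job or a scheduled script and keep the three result sets with the day's compliance record; an empty result is also evidence that the check was performed.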


Note that many findings listed by the SRR script are Manual Review (MR) findings. This means it's something that T-SQL can't evaluate, such as determining whether or not a written System Security Plan exists. The SRR spits out the comprehensive list of MR findings, but in some cases multiple findings can be corrected with a single action, such as creating a written System Security Plan.


1 Comment
Occasional Visitor

Why do most of these SQL scan tools stop at T-SQL?  A good tool would minimize MRs (Manual Reviews) as much as possible.


Anthony Borelli

https://www.borellisecuritysoftware.com