Skipping some controls

The CIS benchmark for Microsoft SQL Server is extensive: so extensive that enabling every control will very likely break your application. You therefore need to choose which controls to enable and which to skip.

There are three ways the mssql_secured module allows you to skip controls.

  1. Pass a list of controls to skip when calling the mssql_secured defined type.
  2. Set mssql_secured::controls::name_of_the_control: skip in your hiera data.
  3. Add name_of_the_control to the array value mssql_secured::skip_list in your hiera data.

Method 1 is a good way to create your own baseline on top of the standard mssql_secured code.

Method 2 is the right choice when you need to override the applicability of a control on an individual database or a set of databases. Put this data in the hiera layer for that node or group of databases.

Method 3 is the way to set up a base level: controls you want skipped on all of your databases.

You can combine all of these methods to fit your use case.

Customizing controls

Besides skipping controls entirely, you can also customize most of the controls, for example to exclude specific objects from a check or to use a different preferred value.

Using a different value

Take the control password_lock_time_is_greater_than_or_equal_to_1. Its default preferred value is 1, but we want it to be at least 3. Just like with the overall skip_list parameter, we have two options: setting it for all databases, or setting it for just one named database. For this example we want to set it for all databases, so this is the hiera data we need:

mssql_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::preferred_value: 3

If we only want to set it for one particular database we can do this:

mssql_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::db1::preferred_value: 3
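The following hiera data is an added example, not data shipped with the mssql_secured module, and it combines the skip methods 2 and 3 from the previous section with the preferred_value keys above. The file names and hierarchy layout (data/common.yaml, data/nodes/<fqdn>.yaml) and the placeholder control names control_a, control_b and control_c are assumptions about your hiera.yaml; the key patterns themselves come from this page.

```yaml
# Added example (not from the mssql_secured project): hiera data combining a
# site-wide skip list with node-level overrides. File layout and the
# placeholder control names are assumptions; substitute the real control names.

# --- data/common.yaml : applies to every database server ---
# Method 3: a base level of controls skipped everywhere.
mssql_secured::skip_list:
  - control_a
  - control_b

# Optional: make skip_list merge across hiera layers instead of the default
# first-found lookup, so a node-level skip_list adds to this list rather than
# replacing it (Hiera 5 lookup_options).
lookup_options:
  mssql_secured::skip_list:
    merge: unique

# Preferred value for this control on all databases (default is 1).
mssql_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::preferred_value: 3

---
# --- data/nodes/db1.example.com.yaml : only this node ---
# Method 2: skip one more control on this node only.
mssql_secured::controls::control_c: skip

# Preferred value for the database db1 only; overrides the common.yaml value
# for that database, other databases on the node keep 3.
mssql_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::db1::preferred_value: 5
```

Without the lookup_options entry, a mssql_secured::skip_list array set at the node level silently replaces the common one, so the base-level skips would no longer apply to that node; with merge: unique the two arrays are combined and duplicates dropped.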

Excluding an object

TODO: Give an example

Customization pattern

Whenever there is something to exclude or there is a preferred value to set, the same key pattern applies: mssql_secured::controls::<control>::<parameter> sets the value for all databases, and mssql_secured::controls::<control>::<database>::<parameter> sets it for one named database only.

Writing your own class

Besides setting these values in hiera, you can also write your own security class and include just the controls you want. All the controls are regular Puppet defined types and you can use them like any other Puppet code.
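Two ways to do that in Puppet code, as an added example that is not part of the mssql_secured module: the first applies the module's baseline with a skip list (method 1 from the skipping section), the second hand-picks individual controls. The class names profile::mssql_baseline and profile::mssql_custom_controls are invented; that mssql_secured accepts a skip_list parameter, that each control defined type takes the database name as its title and that it has a preferred_value parameter are assumptions to check against the module's manifests.

```puppet
# Added example, not code from the mssql_secured module.
# Assumption: mssql_secured is a class with an Array skip_list parameter
# (the hiera key mssql_secured::skip_list suggests this).

# Variant A (method 1): the module's full baseline minus controls the site
# cannot run, with the list coming from the profile's own parameters.
class profile::mssql_baseline (
  Array[String] $skip_list = ['control_a', 'control_b'],  # placeholder names
) {
  class { 'mssql_secured':
    skip_list => $skip_list,
  }
}

# Variant B: your own class that declares only the controls you want.
# Assumptions: the defined type's title is the database it applies to and
# preferred_value is a parameter of this control; verify both in the module.
class profile::mssql_custom_controls (
  Array[String] $databases = ['db1', 'db2'],  # placeholder database names
  Integer       $lock_time = 3,
) {
  $databases.each |String $db| {
    mssql_secured::controls::password_lock_time_is_greater_than_or_equal_to_1 { $db:
      preferred_value => $lock_time,
    }
  }
}
```

Use one variant per node, not both: declaring the mssql_secured class and the same control defined type again for the same database would produce a duplicate resource declaration.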