Customizing the controls
Skipping some controls
The scope of the CIS benchmark for Microsoft SQL Server is pretty extensive. So extensive that enabling all controls will probably ensure that your application doesn't work anymore. So you need to customize which controls you want to enable.
There are three ways the mssql_secured module allows you to skip controls.
- Add a list of controls to skip when calling the mssql_secured defined type.
- Add mssql_secured::controls::name_of_the_control: skip to your hiera data.
- Add an entry with the content name_of_the_control to the array value mssql_secured::skip_list in your hiera data.
Method 1 is a good way to create your own baseline based on the standard mssql_secured code.
Method 2 is the way to go when you need to override the applicability of a control on an individual database or a set of databases. Just put this data in the hiera data for that node or group of databases.
Method 3 is the perfect way to set up a base level: the controls you want skipped on all of your databases.
You can combine all of these methods to fit your use case.
Customizing controls
Besides excluding some of the controls, you can also customize most of the controls to exclude some objects.
Using a different value
Take the control password_lock_time_is_greater_than_or_equal_to_1 as an example. The default value for this control is 1, but we want it to be at least 3. Just like with the overall skip_list parameter, we have two options: setting it for all databases, or setting it for just one named database. For this example, we want to set it for all databases. So here is the hiera data we need to do this:
mssql_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::preferred_value: 3
If we only want to set it for one particular database we can do this:
mssql_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::db1::preferred_value: 3
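The following hiera data combines the skip methods 2 and 3 described above with the preferred_value keys from this section. It is an added example, not part of the module's documentation; the control names control_a, control_b and control_c are hypothetical placeholders, and the file names common.yaml and nodes/sqlnode01.yaml assume a standard Hiera hierarchy where node data takes precedence over common data.

```yaml
# common.yaml: the base level that applies to all databases.
---
# Method 3: controls skipped on every database.
# control_a and control_b are placeholder names, not real controls.
mssql_secured::skip_list:
  - control_a
  - control_b

# Preferred value for all databases (see the example above).
mssql_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::preferred_value: 3

# nodes/sqlnode01.yaml: data for one node only (assumed node name).
---
# Method 2: skip one extra control on this node only.
# control_c is a placeholder name, not a real control.
mssql_secured::controls::control_c: skip

# Override the preferred value for database db1 on this node only;
# all other databases keep the value 3 from common.yaml.
mssql_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::db1::preferred_value: 5
```

Because Hiera merges these layers, the node-level file adds to the base skip list rather than replacing it only if skip_list is configured with a deep or unique merge; with the default first-match lookup, a skip_list defined at node level replaces the common one entirely.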
Excluding an object
TODO: Give an example
Customization pattern
Whenever there is something to exclude or there is a preferred value to set, the same pattern applies.
Writing your own class
Besides setting these values in hiera, you can also write your own security class and include just the controls you want. All the controls are regular Puppet defined types, so you can use them like any other Puppet code.