ensure cis
Overview
defined type mssql_secured::ensure_cis
Applies all Microsoft SQL Server database CIS controls to the specified database.
Here is an example showing how to enable the CIS benchmark for your database:
mssql_secured::ensure_cis { 'MSSQLSERVER':
  product_version => 'mssql2019',
  doc_version     => 'V1.2.0',
}
When you don’t specify the doc_version, Puppet automatically uses the latest version for your current product_version. If you also don’t specify a product_version, Puppet will detect the version of Microsoft SQL Server running and use this to determine the product_version. There is, however, one issue with the detection. On an initial run Puppet cannot determine what the Microsoft SQL Server version is. In that case, the mssql_secured defined type will skip applying the CIS benchmark and wait until (hopefully) the next run, when the version of Microsoft SQL Server for the specified database is available.
When you want to skip certain controls, you can use the skip_list.
mssql_secured::ensure_cis { 'MSSQLSERVER':
  product_version => 'mssql2019',
  doc_version     => 'V1.2.0',
  skip_list       => [
    'log_disconnections_is_enabled',
    'log_destinations_are_set_correctly',
  ],
}
When you have multiple databases on your system and want to use the same database version and CIS document version for all of them, you can do this:
# Resource defaults: every segment of the type reference is capitalized.
Mssql_secured::Ensure_cis {
  product_version => 'mssql2019',
  doc_version     => 'V1.2.0',
  skip_list       => [
    'log_disconnections_is_enabled',
    'log_destinations_are_set_correctly',
  ],
}
mssql_secured::ensure_cis { 'DB1': }
mssql_secured::ensure_cis { 'DB2': }
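An added example, not part of the module's own documentation: shared defaults with one per-database exception. In Puppet, a skip_list set on an individual resource replaces the default list instead of merging with it, so the shared entries are concatenated explicitly; the variable name $baseline_skips is an assumption, and the control names are the ones used elsewhere on this page.

```puppet
# Constructed example: controls skipped on every database.
$baseline_skips = [
  'log_disconnections_is_enabled',
  'log_destinations_are_set_correctly',
]

# Defaults for every mssql_secured::ensure_cis resource in this scope.
# Pinning doc_version keeps the applied benchmark from changing
# when a newer document version becomes the default.
Mssql_secured::Ensure_cis {
  product_version => 'mssql2019',
  doc_version     => 'V1.2.0',
  skip_list       => $baseline_skips,
}

# DB1 takes the defaults unchanged: only the two baseline controls are skipped.
mssql_secured::ensure_cis { 'DB1': }

# DB2 needs one more exception. Writing only the extra control here would
# silently re-enable the two baseline controls on DB2, because the attribute
# overrides the default as a whole. Concatenate to keep both sets.
mssql_secured::ensure_cis { 'DB2':
  skip_list => $baseline_skips + [
    'sql_server_is_configured_to_use_non_standard_ports',
  ],
}
```

Keeping the skipped controls in one named list also gives reviewers a single place to audit which CIS controls are not enforced.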
Attributes
Attribute Name | Short Description |
---|---|
doc_version | The version of the CIS benchmark you want to apply to your database. |
product_version | The database version of the CIS benchmark you want to apply. |
skip_list | This is the list of controls that you want to skip. |
title | The database to apply the control to. |
title
The database to apply the control to.
The CIS benchmark needs a database to apply the controls to. Here is a simple example:
mssql_secured { 'MSSQLSERVER': }
In this example, the title string 'MSSQLSERVER' is the database to apply the controls to.
product_version
The database version of the CIS benchmark you want to apply. Although not very logical, you can apply the benchmark for an older (or newer) database version to your database.
If you don’t specify a product_version, Puppet will detect the version of Microsoft SQL Server running and use this to determine the product_version. There is, however, one issue with the detection. On an initial run Puppet cannot determine what the Microsoft SQL Server version is. In that case, the mssql_secured defined type will skip applying the CIS benchmark and wait until (hopefully) the next run, when the version of Microsoft SQL Server for the specified database is available.
Type: Optional[String[1]]
Default: mssql_secured::default_product_version($title)
doc_version
The version of the CIS benchmark you want to apply to your database. When you don’t specify the doc_version, Puppet automatically uses the latest version for your current product_version.
Type: Optional[String[1]]
Default: mssql_secured::default_doc_version($product_version, 'cis')
skip_list
This is the list of controls that you want to skip. By default this value is empty, meaning mssql_secured will apply ALL controls. You must specify the name of the control. Here is an example of how to do this:
mssql_secured { 'MYDB':
  product_version => 'mssql2019',
  doc_version     => 'V1.2.0',
  skip_list       => [
    'sql_server_is_configured_to_use_non_standard_ports',
    'public_role_in_the_msdb_database_is_not_granted_access_to_sql_agent_proxies',
  ],
}
Type: Array
Default: []