With more and more systems directly connected to the Internet, having the correct security settings on those systems becomes an important issue. To tackle this issue; we need to answer at least two questions:

  1. What configuration settings are needed to make my systems secure?
  2. How do I make and keep my system secure

What is secure?

Let’s first dive into the question: “What configuration settings are needed to get my system secure?”. Many people have asked themselves this question. The Center for Internet Security (CIS) is one of the means to get an answer. To that question. Here is a quote from their site:

What is a CIS Securty Benchmark

The CIS Security Benchmarks program provides well-defined, unbiased, and consensus-based industry best practices to help organizations assess and improve their security. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics, and security software product certifications. The Security Benchmarks program is recognized as a trusted, independent authority that facilitates public and private industry experts’ collaboration to achieve consensus on practical and actionable solutions. Because of the reputation, our resources are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA, and other security requirements.

The CIS has many benchmarks. It has benchmarks for Operating System settings, benchmarks for several Server based software packages, including Microsoft SQL Server database

These benchmarks contain a specific, actionable set of measures for your systems.

How to enforce?

So now we know what a secure configuration looks like. How do we ensure these settings are applied to our systems? Not only now but forever? And how do we see and report when somebody or something’s changed one of the settings, maybe by accident or maybe on purpose?

What about Puppet?

The Puppet way of setting up a system and maintaining it is by describing the system’s desired state in sort of a blueprint. The Puppet agent can then look around on the system and see if there are any deviations between the desired state described in the blueprint and the real configuration of the system. Base on the request, Puppet can either report this deviation or reset the system to its requested state. Thereby ensuring security is provided.

What about the database?

Like I said before, the CIS also has security baselines for Microsoft SQL Server databases. We have taken this baseline and Puppetized it for you to use. It is called the mssql_secured and contains an implementation of all controls in the benchmark that describe a configuration setting inside of the database.

How does it work?

Very simple. To enforce all of the rules in the CIS Microsoft SQL Server benchmark you have to add the next puppet code to your Puppet manifest:

mssql_secured::ensure_cis {  'MSSQLSERVER':
  product_version => 'mssql2019',
  doc_version     => 'V1.2.0',

On a Puppet run, the module will inspect all settings described in the CIS rules and apply changes to them if they deviate from the standard. (If you have started the Puppet run with a noop, it will do nothing but report all changes that would have been made. ). All changes are reported to the Puppet master, and on the console, you get an overview of the changes. Because the Puppet agent runs every 20 minutes (or different if you set it to a different interval) every 20 minutes, your database configuration is checked against the CIS benchmark, and you can sleep well and be assured your data is safe.