How To STIG a Database System
This post is to provide a little enlightenment to folks who have never STIG'd a database system before and assume that the process is a one-time configuration. It's not. It's not even close.
STIG compliance requires:
- One or more named Database Administrators (DBA)
- A named Information Assurance Officer (IAO)
- An initial system evaluation
- A Plan of Action and Milestones (POAM) that details how and when deficiencies will be corrected
- A full set of documentation
- Periodic compliance activities by the DBA, some as often as daily
- Periodic compliance activities by the IAO
- Periodic compliance inspections by auditors
- Irregular, surprise compliance inspections by auditors
So, you can't STIG anything by yourself. It's a team effort, and it's a permanent, on-going process.
The general process for a DBA STIGing a new system is:
- Run a compliance-checking tool such as the DISA Security Readiness Review (SRR) script or a 3rd party tool such as Retina.
- Put all the findings (shortcomings) into a POAM and add dates for when you expect to have each finding remediated or justified.
- Get the POAM (including schedules) approved by the IAO.
- Begin addressing the findings based on priority, and either correct them or provide a justification for why it must remain non-compliant.
- Stick to the POAM schedule for corrections/justifications or get approval for deadline adjustments if needed.
- Perform all on-going compliance checks, such as daily inspection of all SQL Server error logs, and keep the documentation up-to-date.
Note that many findings listed by the SRR script are Manual Review (MR) findings. This means its something that T-SQL can't evaluate, such as determining whether or not a written System Security Plan exists. The SRR spits out the comprehensive list of MR findings, but in some cases multiple findings can be corrected with a single action, such as creating a written System Security Plan.