How to Assess Multiple Database Server Instances

 

Product Name: CIS-CAT Pro Assessor v4

Product Version: All

Date: Nov 29, 2022



 

Problem

How to scan multiple servers with multiple databases with CIS-CAT Pro Assessor v4?

 

Solution

A configuration.xml file is needed to scan multiple server instances.

This guide offers an example of what the configuration.xml file should look like: Parsing errors when creating configuration.xml file for Database Assessments

If running multiple assessments against the same Benchmark, the same session can be used, with each JDBC connection string set in its own value element (all using the same value id):

<benchmark xccdf="benchmarks\CIS_Microsoft_SQL_Server_2019_Benchmark_v1.2.0-xccdf.xml" session-ref="sql">
    <interactive_values>
        <value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;domain=WIN-DOMAIN;user=jsmith;password=qw3rty;instanceName=TestInstance;</value>
        <value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://WINTEST:1433;DatabaseName=TestDB;user=user;password=password;instanceName=TestInstance;</value>
    </interactive_values>
</benchmark>

 

If two different Benchmarks need to be run, for example MS SQL 2019 Benchmark and a SQL 2012 Benchmark, an individual session for each different Benchmark will need to be added. For example:

<benchmark xccdf="benchmarks\CIS_Microsoft_SQL_Server_2019_Benchmark_v1.2.0-xccdf.xml" session-ref="sql">
    <interactive_values>
        <value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;domain=WIN-DOMAIN;user=jsmith;password=qw3rty;instanceName=TestInstance;</value>
        <value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://WINTEST:1433;DatabaseName=TestDB;user=user;password=password;instanceName=TestInstance;</value>
    </interactive_values>
</benchmark>
<benchmark xccdf="benchmarks\CIS_Microsoft_SQL_Server_2012_Benchmark_v1.3.0-xccdf.xml" session-ref="sql">
    <interactive_values>
        <value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;domain=WIN-DOMAIN;user=jsmith;password=qw3rty;instanceName=TestInstance;</value>
    </interactive_values>
</benchmark>

 

To run this configuration.xml, either import it while running the Assessor GUI, or pass it to a command-line assessment using the -cfg option: https://ccpa-docs.readthedocs.io/en/latest/User%20Guide%20-%20Assessor/#command-line-options

The sample configuration document that comes in the Assessor-CLI bundle (under the Assessor\config directory) also offers some helpful tips. The official documentation on using a configuration XML file is at https://ccpa-docs.readthedocs.io/en/latest/User%20Guide%20-%20Assessor/#using-a-configuration-xml-file

 

When scanning multiple databases for a single instance, CIS-CAT Pro Assessor will scan all the databases, but not all recommendations will get scanned, and the title of the HTML report will only show the last database.
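
A pre-flight check for the benchmark entries described above, as an added example that is not CIS code or part of the Assessor: it lists every JDBC target with the password redacted, flags passwords stored in cleartext in the file, and warns when one instance is listed with several databases. The `<wrapper>` root, the sample values and the function names are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

JDBC_ID = "xccdf_org.cisecurity_value_jdbc.url"

# Constructed sample: <wrapper> is a hypothetical root so the fragment parses.
# Two databases on one instance (CIS-SERVER) plus a second server (WINTEST).
SAMPLE = r"""<wrapper>
<benchmark xccdf="benchmarks\CIS_Microsoft_SQL_Server_2019_Benchmark_v1.2.0-xccdf.xml" session-ref="sql">
 <interactive_values>
  <value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;user=jsmith;password=example-only;instanceName=TestInstance;</value>
  <value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://CIS-SERVER:1433;DatabaseName=OtherDB;user=jsmith;password=example-only;instanceName=TestInstance;</value>
  <value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://WINTEST:1433;DatabaseName=TestDB;user=user;password=example-only;instanceName=TestInstance;</value>
 </interactive_values>
</benchmark>
</wrapper>"""

def local(tag):
    # Drop any "{namespace}" prefix so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def parse_jdbc(url):
    # Split "jdbc:sqlserver://host:port;key=value;..." into server and properties.
    # Property names are lower-cased (the page shows databaseName and DatabaseName).
    head, _, props = url.partition(";")
    server = head.split("//", 1)[-1]
    pairs = dict(p.split("=", 1) for p in props.split(";") if "=" in p)
    return server, {k.lower(): v for k, v in pairs.items()}

def audit(xml_text):
    targets, warnings = [], []
    root = ET.fromstring(xml_text)
    for bench in (e for e in root.iter() if local(e.tag) == "benchmark"):
        per_instance = defaultdict(set)
        for val in (e for e in bench.iter() if local(e.tag) == "value" and e.get("id") == JDBC_ID):
            text = (val.text or "").strip()
            server, props = parse_jdbc(text)
            # Redact before the string goes anywhere near a log or a ticket.
            targets.append(re.sub(r"(?i)(password=)[^;]*", r"\1***", text))
            if "password" in props:
                warnings.append(f"cleartext password for {server}")
            per_instance[(server, props.get("instancename"))].add(props.get("databasename"))
        for (server, inst), dbs in per_instance.items():
            if len(dbs) > 1:  # the limitation described in the paragraph above
                warnings.append(f"{server}\\{inst}: {len(dbs)} databases, report title shows only the last")
    return targets, warnings
```

Calling `audit()` on the text of a configuration.xml returns the redacted target list and the warnings, which can be reviewed before the file is passed to the Assessor.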

See also: Minimum login permissions for SQL assessment

Keywords: multiple many database assessment


Copyright © 2022

Center for Internet Security®