How to Assess Multiple Database Server Instances
Product Name
CIS-CAT Pro Assessor v4
Product Version
All
Date
Nov 29, 2022
Problem
How to scan multiple servers with multiple databases with CIS-CAT Pro Assessor v4?
Solution
A configuration.xml file is needed to scan multiple server instances.
The guide "Parsing errors when creating configuration.xml file for Database Assessments" offers an example of what the configuration.xml file should look like.
If running multiple assessments against the same Benchmark, the same session can be used with multiple JDBC strings, each set in its own value element:
<benchmark xccdf="benchmarks\CIS_Microsoft_SQL_Server_2019_Benchmark_v1.2.0-xccdf.xml" session-ref="sql">
    <interactive_values>
        <value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;domain=WIN-DOMAIN;user=jsmith;password=qw3rty;instanceName=TestInstance;</value>
        <value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://WINTEST:1433;DatabaseName=TestDB;user=user;password=password;instanceName=TestInstance;</value>
    </interactive_values>
</benchmark>
If two different Benchmarks need to be run, for example MS SQL 2019 Benchmark and a SQL 2012 Benchmark, an individual session for each different Benchmark will need to be added. For example:
<benchmark xccdf="benchmarks\CIS_Microsoft_SQL_Server_2019_Benchmark_v1.2.0-xccdf.xml" session-ref="sql">
    <interactive_values>
        <value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;domain=WIN-DOMAIN;user=jsmith;password=qw3rty;instanceName=TestInstance;</value>
        <value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://WINTEST:1433;DatabaseName=TestDB;user=user;password=password;instanceName=TestInstance;</value>
    </interactive_values>
</benchmark>
<benchmark xccdf="benchmarks\CIS_Microsoft_SQL_Server_2012_Benchmark_v1.3.0-xccdf.xml" session-ref="sql">
    <interactive_values>
        <value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;domain=WIN-DOMAIN;user=jsmith;password=qw3rty;instanceName=TestInstance;</value>
    </interactive_values>
</benchmark>
To run this configuration.xml, either import it while running the Assessor GUI, or pass it to a command-line assessment with the -cfg option: https://ccpa-docs.readthedocs.io/en/latest/User%20Guide%20-%20Assessor/#command-line-options
The configuration sample document that comes in the Assessor-CLI bundle (under the Assessor\config directory) also offers some helpful tips. This is the official documentation on using a config xml file - https://ccpa-docs.readthedocs.io/en/latest/User%20Guide%20-%20Assessor/#using-a-configuration-xml-file
When scanning multiple Databases for a single instance, CIS-CAT Pro Assessor will scan all the databases, but not all recommendations will get scanned, and the title of the HTML report will only show the last database.
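Each JDBC string in the fragments above carries a user name and password in clear text, so it helps to review what a configuration.xml will scan without echoing those secrets. The following pre-flight inventory is an added example, not CIS code or part of the Assessor; the `<configuration>` wrapper, host names and account in the sample are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

JDBC_VALUE_ID = "xccdf_org.cisecurity_value_jdbc.url"

# Constructed sample: wrapper element, hosts and account are placeholders.
SAMPLE = r"""<configuration>
<benchmark xccdf="benchmarks\CIS_Microsoft_SQL_Server_2019_Benchmark_v1.2.0-xccdf.xml" session-ref="sql">
<interactive_values>
<value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://DB-A:1433;databaseName=TestDB;user=svc_scan;password=EXAMPLE-ONLY;instanceName=TestInstance;</value>
<value id="xccdf_org.cisecurity_value_jdbc.url">jdbc:sqlserver://DB-B:1433;DatabaseName=TestDB;user=svc_scan;password=EXAMPLE-ONLY;instanceName=TestInstance;</value>
</interactive_values>
</benchmark>
</configuration>"""

def local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def parse_jdbc(url):
    """Split a jdbc:sqlserver URL into (host:port, {lowercased key: value})."""
    prefix = "jdbc:sqlserver://"
    if not url.startswith(prefix):
        raise ValueError("not a jdbc:sqlserver URL")
    server, _, rest = url[len(prefix):].partition(";")
    props = {}
    for pair in filter(None, rest.split(";")):  # drop the empty trailing item
        key, _, val = pair.partition("=")
        # Keys are lowercased: the page writes both databaseName and DatabaseName.
        props[key.strip().lower()] = val
    return server, props

def inventory(xml_text):
    """One row per benchmark/target pair; the password value is never copied."""
    rows = []
    for bench in ET.fromstring(xml_text).iter():
        if local(bench.tag) != "benchmark":
            continue
        for val in bench.iter():
            if local(val.tag) != "value" or val.get("id") != JDBC_VALUE_ID:
                continue
            server, props = parse_jdbc((val.text or "").strip())
            rows.append({"benchmark": bench.get("xccdf"), "server": server,
                         "database": props.get("databasename"),
                         "user": props.get("user"),
                         "embedded_password": "password" in props})
    return rows

if __name__ == "__main__":
    for row in inventory(SAMPLE):
        print(row)
```

Rows with `embedded_password` set to True mark files that should be stored with restricted permissions and kept out of version control and shared tickets.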
Keywords: multiple many database assessment