
Configuration management procedures should be defined and implemented for database software modifications.


Overview

Finding ID: V-3726
Version: DG0011-SQLServer9
Rule ID: SV-24123r1_rule
IA Controls: DCPR-1
Severity: Low
Description
Uncontrolled, untested, or unmanaged changes result in an unreliable security posture. All changes to software libraries related to the database and its use must be reviewed and approved, with responsibility for configuration management (CM) clearly assigned. CM responsibilities may appear to cross organizational boundaries; it is therefore important that the boundaries of CM responsibility be clearly defined and assigned so that no libraries or configurations are left unaddressed. Related database application libraries may include third-party DBMS management tools, DBMS stored procedures, and other end-user applications.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-20366r1_chk)
Interview the IAO and review documentation to determine if a configuration management (CM) process is implemented for the DBMS system that includes requirements for:
(1) Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation;
(2) A configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, to include interconnections to other DoD information systems;
(3) A testing process to verify proposed configuration changes prior to implementation in the operational environment; and
(4) A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted.

If documented evidence for the procedures or processes outlined above is not present or is incomplete, this is a Finding.
Fix Text (F-24661r1_fix)
Develop, document and implement configuration management procedures or processes.

Ensure, at a minimum, that the four requirements listed in the check are documented.

Assign responsibilities for oversight and approval for any and all changes made to DBMS software and configuration.
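Requirement (4) of the check asks that changes outside the CM process be "technically or procedurally not permitted". The documented procedure is what the check verifies; the following is an added example (not part of the STIG text or any DISA-supplied script) of a technical control that backs it on SQL Server 2005 or later: a database-scoped DDL trigger that records every schema change and rolls back any change not executed by a member of a CM deployment role. The schema name cm_audit, the role CMDeployers, the table DdlEvents and the login cm_deploy named below are assumptions chosen for this illustration.

```sql
-- Added example, not part of the STIG: DDL trigger enforcing that schema changes
-- come only through the CM deployment role. Names (cm_audit, CMDeployers,
-- DdlEvents) are assumptions for illustration.
CREATE SCHEMA cm_audit;
GO

-- Audit table: one row per DDL event, whether it was allowed or rolled back.
CREATE TABLE cm_audit.DdlEvents (
    EventId     INT IDENTITY(1,1) PRIMARY KEY,
    EventTime   DATETIME       NOT NULL DEFAULT GETDATE(),
    LoginName   SYSNAME        NOT NULL,
    EventType   NVARCHAR(128)  NOT NULL,
    ObjectName  NVARCHAR(256)  NULL,
    Allowed     BIT            NOT NULL,
    CommandText NVARCHAR(MAX)  NULL,
    EventXml    XML            NOT NULL
);
GO

-- Only members of this role may change schema. CCB-approved deployments run
-- under an account that is a member of it.
CREATE ROLE CMDeployers;
GO

CREATE TRIGGER trg_cm_ddl_control
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;

    -- Capture the event before any rollback; EVENTDATA() describes the DDL
    -- statement that fired the trigger.
    DECLARE @ev      XML,
            @type    NVARCHAR(128),
            @obj     NVARCHAR(256),
            @cmd     NVARCHAR(MAX),
            @allowed BIT;

    SET @ev   = EVENTDATA();
    SET @type = @ev.value('(/EVENT_INSTANCE/EventType)[1]', 'NVARCHAR(128)');
    SET @obj  = @ev.value('(/EVENT_INSTANCE/ObjectName)[1]', 'NVARCHAR(256)');
    SET @cmd  = @ev.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'NVARCHAR(MAX)');
    SET @allowed = CASE WHEN IS_MEMBER('CMDeployers') = 1 THEN 1 ELSE 0 END;

    IF @allowed = 0
    BEGIN
        -- Undo the change first, then write the audit row: a ROLLBACK issued
        -- after the INSERT would discard the audit row together with the DDL.
        ROLLBACK;
    END

    INSERT INTO cm_audit.DdlEvents
        (LoginName, EventType, ObjectName, Allowed, CommandText, EventXml)
    VALUES
        (ORIGINAL_LOGIN(), @type, @obj, @allowed, @cmd, @ev);

    IF @allowed = 0
        RAISERROR('DDL rejected: %s on %s was not submitted through the CM process.',
                  16, 1, @type, @obj);
END;
GO
```

Before relying on the trigger, add the deployment account to the role (for example `EXEC sp_addrolemember 'CMDeployers', 'cm_deploy';` for a hypothetical deployment user), otherwise every subsequent schema change in the database, including dropping the trigger itself, is rolled back. Two caveats belong in the CM documentation the check asks for: the trigger covers only database-level DDL, not server-level changes such as logins or server configuration, and a member of db_owner or sysadmin can disable it with `DISABLE TRIGGER trg_cm_ddl_control ON DATABASE`, so it constrains ordinary accounts and deters rather than prevents administrators. The audit rows in cm_audit.DdlEvents, reviewed against the change tickets approved by the configuration control board, are the evidence for the verification process in requirement (4).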