Database Configuration Keywords

The following table indicates how each keyword in the database compliance checks can be used:

Keyword | Example Use and Supported Settings

type

Supported setting: SQL_POLICY. This value identifies the check as a database compliance check.

Example:

type: SQL_POLICY

description

This keyword provides a brief description of the check being performed. It is strongly recommended that each description be unique, with no two distinct checks sharing the same description, because SecurityCenter uses this field to automatically generate a unique plugin ID number for the check.

Example:

description: "DBMS Password Complexity"

info

This keyword is used to add a more detailed description to the check that is being performed such as a regulation, URL, corporate policy or other reason why the setting is required. Multiple info fields can be added on separate lines to format the text as a paragraph. There is no preset limit to the number of info fields that can be used.

Example:

info: "Checking that \"password complexity\" requirements are enforced for systems using SQL Server authentication."

sql_request

This keyword specifies the SQL query that is submitted to the database. Multiple columns may be requested and returned from a single SQL request by listing comma-delimited request/return values.

Example:

sql_request: "select name from sys.sql_logins where type = 'S' and is_policy_checked <> '1'"

Example:

sql_request: "select name, value_in_use from sys.configurations where name = 'clr enabled'"

sql_types

This keyword has two available options: POLICY_VARCHAR and POLICY_INTEGER. Use POLICY_INTEGER for numeric values from 0 to 2147483647 and POLICY_VARCHAR for any other return value type.

Example:

sql_types: POLICY_VARCHAR

Example:

sql_types: POLICY_VARCHAR,POLICY_INTEGER

For multiple return items, configure sql_types in a comma-separated list to accept the data types of each SQL return result. The example above indicates that the first return value from the SQL query is varchar and the second return value is an integer.

sql_expect

This keyword specifies the return value expected from the SQL request. An exact value, including NULL or "0", may be required. Regular expressions may also be used for columns whose sql_types entry is POLICY_VARCHAR.

Example:

sql_expect: regex:"^.+Failure" || regex:"^.+ALL"

Example:

sql_expect: NULL

Example:

sql_expect: 0 || "0"

Double-quotes are optional for integer return values.

Example:

sql_expect: "clr enabled",0

When a SQL request returns an array of data, the expected values are listed in comma-separated format in the sql_expect field, one per sql_types entry and in the same order.
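As an added example (not part of this page and not Tenable's own code), the following Python script parses two constructed checks written in the keyword syntax above and evaluates their sql_expect values against sample result sets, applying the || alternatives, comma-separated column arrays, the regex: prefix and POLICY_VARCHAR/POLICY_INTEGER typing described in the table. The check names, the sample result rows, the blank line used to separate checks and the rule that an all-NULL expectation accepts an empty result set are assumptions made for the example; the page does not state how the scanner evaluates the match.

```python
import re

# Constructed sample: two SQL_POLICY checks in the keyword syntax described on this
# page, separated by a blank line (example text, not a shipped Tenable audit file).
SAMPLE_CHECKS = r'''
type: SQL_POLICY
description: "DBMS Password Complexity"
info: "Checking that \"password complexity\" requirements are enforced"
info: "for systems using SQL Server authentication."
sql_request: "select name from sys.sql_logins where type = 'S' and is_policy_checked <> '1'"
sql_types: POLICY_VARCHAR
sql_expect: NULL

type: SQL_POLICY
description: "CLR integration disabled"
info: "Checking that the 'clr enabled' server option is off."
sql_request: "select name, value_in_use from sys.configurations where name = 'clr enabled'"
sql_types: POLICY_VARCHAR,POLICY_INTEGER
sql_expect: "clr enabled",0
'''

def unquote(token):
    """Strip surrounding double quotes and unescape embedded ones."""
    token = token.strip()
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].replace('\\"', '"')
    return token

def split_top_level(text, sep):
    """Split on sep only where it occurs outside double-quoted strings."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):  # keep escaped chars intact
            buf.append(text[i:i + 2]); i += 2; continue
        if text[i] == '"': in_quote = not in_quote
        if not in_quote and text.startswith(sep, i):
            parts.append(''.join(buf).strip()); buf = []; i += len(sep); continue
        buf.append(text[i]); i += 1
    parts.append(''.join(buf).strip())
    return parts

def parse_check(block):
    """Parse one 'keyword: value' block into a dict; info lines accumulate."""
    check = {"info": []}
    for line in block.strip().splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "info":
            check["info"].append(unquote(value))
        elif key == "sql_types":
            check[key] = [t.strip() for t in value.split(",")]
        else:  # sql_expect stays raw for parse_expect; other values are unquoted
            check[key] = value if key == "sql_expect" else unquote(value)
    return check

def parse_column_expect(token, sql_type):
    # One sql_expect column: NULL, regex:"...", a quoted string or an integer
    if token == "NULL":
        return ("null", None)
    if token.startswith("regex:"):
        if sql_type != "POLICY_VARCHAR":
            raise ValueError("regex expectations need POLICY_VARCHAR")
        return ("regex", re.compile(unquote(token[len("regex:"):])))
    if sql_type == "POLICY_INTEGER":
        value = int(unquote(token))  # quotes are optional for integer values
        if not 0 <= value <= 2147483647:  # POLICY_INTEGER range stated on this page
            raise ValueError("POLICY_INTEGER out of range: %d" % value)
        return ("int", value)
    return ("str", unquote(token))

def parse_expect(value, types):
    # sql_expect: alternatives joined by ||, each a comma list aligned with sql_types
    alternatives = []
    for alt in split_top_level(value, "||"):
        cols = split_top_level(alt, ",")
        if len(cols) != len(types):
            raise ValueError("sql_expect has %d columns, sql_types %d" % (len(cols), len(types)))
        alternatives.append([parse_column_expect(c, t) for c, t in zip(cols, types)])
    return alternatives

def column_matches(expect, actual):
    kind, want = expect
    if kind == "null" or actual is None:
        return (kind == "null") == (actual is None)
    if kind == "regex":
        return want.search(str(actual)) is not None
    return (int(actual) if kind == "int" else str(actual)) == want

def evaluate(check, rows):
    """Every returned row must match one || alternative; an all-NULL expectation
    also accepts an empty result set (assumed; the page does not say)."""
    alternatives = parse_expect(check["sql_expect"], check["sql_types"])
    if not rows:
        return any(all(kind == "null" for kind, _ in alt) for alt in alternatives)
    return all(any(all(column_matches(e, v) for e, v in zip(alt, row))
                   for alt in alternatives) for row in rows)

def run_sample():
    """Evaluate both sample checks against constructed result sets."""
    logins, clr = (parse_check(b) for b in SAMPLE_CHECKS.strip().split("\n\n"))
    return {"logins_compliant": evaluate(logins, []),                 # no policy-bypassing logins
            "logins_violation": evaluate(logins, [("svc_legacy",)]),  # one such login found
            "clr_compliant": evaluate(clr, [("clr enabled", 0)]),
            "clr_violation": evaluate(clr, [("clr enabled", 1)])}
```

The password-complexity check relies on the query returning no rows, which is why sql_expect: NULL is paired with an empty result set; the clr check shows a two-column array where the first value is matched as varchar and the second as an integer. Calling run_sample() returns True for the two compliant cases and False for the two violations.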

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.