| 1.1 Ensure Latest SQL Server Service Packs and Hotfixes are Installed | CIS SQL Server 2008 R2 DB Engine L1 v1.7.0 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1 Prevent Database Users from Logging into the Operating System | CIS IBM DB2 11 v1.2.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| 2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.13 Ensure the 'sa' Login Account is set to 'Disabled' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL |
| 2.16 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.17 Ensure no login exists with the name 'sa' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.2 Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases | CIS SQL Server 2016 Database L1 AWS RDS v1.4.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL |
| 3.5 Ensure the SQL Server's MSSQL Service Account is Not an Administrator | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL |
| 3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 3.10 Ensure Windows local groups are not SQL Logins | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 3.12 Ensure the 'SYSADMIN' Role is Limited to Administrative or Built-in Accounts | CIS Microsoft SQL Server 2022 v1.2.1 L1 Database Engine | MS_SQLDB | ACCESS CONTROL |
| 4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | IDENTIFICATION AND AUTHENTICATION |
| 5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| 5.1.1.4 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Java' Packages | CIS Oracle Server 12c DB Unified Auditing v3.0.0 | OracleDB | ACCESS CONTROL |
| 5.1.1.4 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Java' Packages | CIS Oracle Server 12c DB Traditional Auditing v3.0.0 | OracleDB | ACCESS CONTROL |
| 5.1.1.4 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Java' Packages - Java Packages | CIS Oracle Server 18c DB Unified Auditing v1.1.0 | OracleDB | ACCESS CONTROL |
| 5.1.1.4 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Java' Packages - Java Packages | CIS Oracle Server 18c DB Traditional Auditing v1.1.0 | OracleDB | ACCESS CONTROL |
| 5.1.2.1 Ensure 'EXECUTE' is not granted to 'PUBLIC' on 'Non-default' Packages | CIS Oracle Server 12c DB Unified Auditing v3.0.0 | OracleDB | ACCESS CONTROL |
| 5.1.2.1 Ensure 'EXECUTE' is not granted to 'PUBLIC' on 'Non-default' Packages | CIS Oracle Server 12c DB Traditional Auditing v3.0.0 | OracleDB | ACCESS CONTROL |
| 5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| 5.4 Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| 6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 7.1 Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.2 Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Full-text Filter Daemon Launcher' | DISA STIG SQL Server 2012 Database OS Audit v1r20 | Windows | ACCESS CONTROL |
| SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server Agent' | DISA STIG SQL Server 2012 Database OS Audit v1r20 | Windows | ACCESS CONTROL |
| SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server Browser' | DISA STIG SQL Server 2012 Database OS Audit v1r20 | Windows | ACCESS CONTROL |
| SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server Distributed Replay Client' | DISA STIG SQL Server 2012 Database OS Audit v1r20 | Windows | ACCESS CONTROL |
| SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server Distributed Replay Controller' | DISA STIG SQL Server 2012 Database OS Audit v1r20 | Windows | ACCESS CONTROL |
| SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server Integration Services 11.0' | DISA STIG SQL Server 2012 Database OS Audit v1r20 | Windows | ACCESS CONTROL |
| SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server Reporting Services' | DISA STIG SQL Server 2012 Database OS Audit v1r20 | Windows | ACCESS CONTROL |
| SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server VSS Writer' | DISA STIG SQL Server 2012 Database OS Audit v1r20 | Windows | ACCESS CONTROL |
| SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server' | DISA STIG SQL Server 2012 Database OS Audit v1r20 | Windows | ACCESS CONTROL |
| SQL2-00-015620 - In a database owned by a login not having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF unless required and authorized. | DISA STIG SQL Server 2012 Database Audit v1r20 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQL2-00-016200 - SQL Server must have the publicly available NorthWind sample database removed. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQL2-00-020200 - SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized User Mapping access. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQL4-00-036500 - SQL Server must generate Trace or Audit records when unsuccessful attempts to modify locally-defined security objects occur - Event ID 162 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-036500 - SQL Server must generate Trace or Audit records when unsuccessful attempts to modify locally-defined security objects occur - Event ID 164 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-036500 - SQL Server must generate Trace or Audit records when unsuccessful attempts to modify locally-defined security objects occur - SCHEMA_OBJECT_CHANGE... | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-036500 - SQL Server must generate Trace or Audit records when unsuccessful attempts to modify locally-defined security objects occur. | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037200 - SQL Server must generate Trace or Audit records when unsuccessful attempts to drop locally-defined security objects occur - Event ID 46 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037200 - SQL Server must generate Trace or Audit records when unsuccessful attempts to drop locally-defined security objects occur - Event ID 47 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037200 - SQL Server must generate Trace or Audit records when unsuccessful attempts to drop locally-defined security objects occur - Event ID 162 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037200 - SQL Server must generate Trace or Audit records when unsuccessful attempts to drop locally-defined security objects occur - Event ID 164 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037200 - SQL Server must generate Trace or Audit records when unsuccessful attempts to drop locally-defined security objects occur. | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
