| 1.2 Ensure Single-Function Member Servers are Used | CIS SQL Server 2017 Database L1 OS v1.3.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | CIS SQL Server 2008 R2 DB Engine L1 v1.7.0 | MS_SQLDB | SYSTEM AND INFORMATION INTEGRITY |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | CIS SQL Server 2014 Database L1 AWS RDS v1.5.0 | MS_SQLDB | SYSTEM AND INFORMATION INTEGRITY |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | CIS Microsoft SQL Server 2022 v1.2.1 L1 AWS RDS | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | CIS SQL Server 2012 Database L1 AWS RDS v1.6.0 | MS_SQLDB | SYSTEM AND INFORMATION INTEGRITY |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | CIS SQL Server 2012 Database L1 DB v1.6.0 | MS_SQLDB | SYSTEM AND INFORMATION INTEGRITY |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | CIS SQL Server 2016 Database L1 DB v1.4.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | CIS SQL Server 2016 Database L1 AWS RDS v1.4.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 DB v1.3.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | CIS Microsoft SQL Server 2022 v1.2.1 L1 Database Engine | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | CIS Microsoft SQL Server 2019 v1.5.0 L1 Database Engine | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | CIS SQL Server 2014 Database L1 DB v1.5.0 | MS_SQLDB | SYSTEM AND INFORMATION INTEGRITY |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | CIS Microsoft SQL Server 2019 v1.5.0 L1 AWS RDS | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 DB v1.3.0 | MS_SQLDB | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.9 Ensure 'SQL Mail XPs' Server Configuration Option is set to '0' | CIS SQL Server 2008 R2 DB Engine L1 v1.7.0 | MS_SQLDB | SYSTEM AND INFORMATION INTEGRITY |
| 2.10 Ensure Unnecessary SQL Server Protocols are set to 'Disabled' | CIS SQL Server 2017 Database L1 OS v1.3.0 | Windows | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.11 Ensure SQL Server is configured to use non-standard ports | CIS SQL Server 2017 Database L1 DB v1.3.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2 Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases | CIS SQL Server 2017 Database L1 DB v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 3.5 Ensure the SQL Server's MSSQL Service Account is Not an Administrator | CIS SQL Server 2017 Database L1 OS v1.3.0 | Windows | ACCESS CONTROL |
| 3.6 Ensure the SQL Server's SQLAgent Service Account is Not an Administrator | CIS SQL Server 2017 Database L1 OS v1.3.0 | Windows | ACCESS CONTROL |
| 3.7 Ensure the SQL Server's Full-Text Service Account is Not an Administrator | CIS SQL Server 2017 Database L1 OS v1.3.0 | Windows | ACCESS CONTROL |
| 3.9 Ensure Windows BUILTIN groups are not SQL Logins | CIS SQL Server 2017 Database L1 DB v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins | CIS SQL Server 2017 Database L1 DB v1.3.0 | MS_SQLDB | IDENTIFICATION AND AUTHENTICATION |
| 6.3.2 Ensure 'cross db ownership chaining' Database Flag for Cloud SQL SQL Server Instance Is Set to 'off' | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 6.3.7 Ensure 'contained database authentication' Database Flag for Cloud SQL SQL Server Instance Is Set to 'off' | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| CIS_Kubernetes_v1.3.0_Level_1.audit from CIS Kubernetes Benchmark v1.3.0 | CIS Kubernetes 1.11 Benchmark v1.3.0 L1 | Unix | |
| CIS_Kubernetes_v1.3.0_Level_2.audit from CIS Kubernetes Benchmark v1.3.0 | CIS Kubernetes 1.11 Benchmark v1.3.0 L2 | Unix | |
| CIS_Microsoft_SQL_Server_2008_R2_v1.7.0_Level_1_OS.audit from CIS Microsoft SQL Server 2008 R2 Database | CIS SQL Server 2008 R2 DB OS L1 v1.7.0 | Windows | |
| CIS_Microsoft_SQL_Server_2017_Database_v1.3.0_Level_1_OS.audit from Microsoft SQL Server 2017 Version 1.3.0 | CIS SQL Server 2017 Database L1 OS v1.3.0 | Windows | |
| CIS_VMware_ESXi_6.7_v1.3.0_L1_Bare_Metal.audit from CIS VMware ESXi 6.7 Benchmark v1.3.0 | CIS VMware ESXi 6.7 v1.3.0 Level 1 Bare Metal | Unix | |
| CIS_VMware_ESXi_6.7_v1.3.0_L2_Bare_Metal.audit from CIS VMware ESXi 6.7 Benchmark v1.3.0 | CIS VMware ESXi 6.7 v1.3.0 Level 2 Bare Metal | Unix | |
| DG0029-ORACLE11 - Required auditing parameters for database auditing should be set - 'audit_trail != none' | DISA STIG Oracle 11 Instance v9r1 Database | OracleDB | AUDIT AND ACCOUNTABILITY |
| SQL2-00-009500 - Administrative privileges, built-in server roles and built-in database roles must be assigned to the DBMS login accounts that require them via custom roles, and not directly. | DISA STIG SQL Server 2012 Database Audit v1r20 | MS_SQLDB | ACCESS CONTROL |
| SQL2-00-009900 - OS and domain accounts utilized to run external procedures called by SQL Server must have limited privileges. | DISA STIG SQL Server 2012 Database OS Audit v1r20 | Windows | CONFIGURATION MANAGEMENT |
| SQL2-00-018600 - SQL Server must enforce password encryption for storage. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | IDENTIFICATION AND AUTHENTICATION |
| SQL4-00-036400 - SQL Server must generate Trace or Audit records when locally-defined security objects are modified - Event ID 46 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-036400 - SQL Server must generate Trace or Audit records when locally-defined security objects are modified - Event ID 47 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-036400 - SQL Server must generate Trace or Audit records when locally-defined security objects are modified - Event ID 162 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-036400 - SQL Server must generate Trace or Audit records when locally-defined security objects are modified - Event ID 164 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-036400 - SQL Server must generate Trace or Audit records when locally-defined security objects are modified - SCHEMA_OBJECT_CHANGE_GROUP | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-036400 - SQL Server must generate Trace or Audit records when locally-defined security objects are modified. | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037100 - SQL Server must generate Trace or Audit records when locally-defined security objects are dropped - Event ID 46 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037100 - SQL Server must generate Trace or Audit records when locally-defined security objects are dropped - Event ID 47 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037100 - SQL Server must generate Trace or Audit records when locally-defined security objects are dropped - Event ID 162 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037100 - SQL Server must generate Trace or Audit records when locally-defined security objects are dropped - Event ID 164 | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037100 - SQL Server must generate Trace or Audit records when locally-defined security objects are dropped - SCHEMA_OBJECT_CHANGE_GROUP | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037100 - SQL Server must generate Trace or Audit records when locally-defined security objects are dropped. | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL6-D0-007200 - Access to xp_cmdshell must be disabled, unless specifically required and approved. | DISA STIG SQL Server 2016 Instance DB Audit v3r5 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQLI-22-007200 - Access to xp_cmdshell must be disabled unless specifically required and approved. | DISA Microsoft SQL Server 2022 Instance STIG v1r1 MS_SQLDB | MS_SQLDB | CONFIGURATION MANAGEMENT |
