We are just starting in my organization to work on running compliance policy scanning on our various systems. Recently I've been tasked with running scans against our Microsoft SQL Server instances. Looking at the compliance policy as it is written, at least the "CIS Microsoft SQL Server 2016 Level One - Database Engine v1.3.0" seems to contain a lot of checks that are written wrong.
For example, "1.1 Ensure Latest SQL Server Service Packs and Hotfixes are Installed" in this policy is looking for SQL 2014. It also appears that the CPE value that the policy is looking for at the beginning is incorrect.
Has anyone had any luck running these SQL compliance policies?
Can anyone from Rapid7 comment on what the testing process is like for these configuration policies?
I've found other policies that contain errors similar to this, and it is making it very difficult to get any valid compliance results when the policies themselves are not written correctly.
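Added example (not part of the original post, and not Rapid7's or CIS's own audit query): a T-SQL query that reports what the CIS 1.1 check is really about, the installed service pack and cumulative update level, and whether the instance is actually SQL Server 2016 (product major version 13), so the scanner's result can be compared against the engine itself. SERVERPROPERTY is a built-in function; the column aliases and the scope message are this example's own choices. The benchmark's notion of "latest" SP/CU changes over time, so the values returned still have to be compared against Microsoft's current update list by hand.

```sql
-- Added example: manual evidence for CIS MS SQL Server 2016 Benchmark item 1.1.
-- Run against the instance under test with a login that has VIEW SERVER STATE or higher.
SELECT
    SERVERPROPERTY('ProductVersion')      AS product_version,       -- e.g. 13.0.xxxx.x for SQL Server 2016
    SERVERPROPERTY('ProductLevel')        AS product_level,         -- RTM or SPn
    SERVERPROPERTY('ProductUpdateLevel')  AS product_update_level,  -- CUn, or NULL when no CU is installed
    SERVERPROPERTY('ProductMajorVersion') AS product_major_version, -- 13 = SQL Server 2016
    CASE
        WHEN CAST(SERVERPROPERTY('ProductMajorVersion') AS int) = 13
            THEN 'SQL Server 2016: the 2016 benchmark applies to this instance'
        ELSE 'Not SQL Server 2016: a scanner result from the 2016 policy is out of scope here'
    END AS benchmark_scope;
```

If the scanner marks 1.1 as failed while this query shows a 2016 build at the current SP/CU, the finding is a policy error rather than an unpatched instance, which is the kind of evidence worth attaching when reporting the broken check.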