SQL Server updates/additions

SQL Server updates/additions

Shane Shaffer
I noticed that there are a few issues with the current inventory definitions for SQL Server. Most notably, the tests that look for instance version registry keys would report true if you had the desired version or any newer versions - so if you had SQL 2008 R2 installed, the definitions for 2005 and 2008 would also report true.

I've corrected this behavior and made a few other changes:

- Adjusted criteria and added new tests to ensure newer versions don't cause true result
- Updated platform tags to correctly reflect OS versions on which the product can be installed
oval:org.mitre.oval:def:6082
oval:org.mitre.oval:def:12454
oval:org.mitre.oval:def:12596

- Updated comment to more accurately describe what the test does
oval:org.mitre.oval:tst:21160
oval:org.mitre.oval:tst:43015
oval:org.mitre.oval:tst:43039


I've also included a new inventory definition for SQL Server 2012. I slightly deviated from the pattern of the previous versions by only including the instance tests. The other tests, those looking for the DTS/Integration Services version, seem somewhat inappropriate because they're looking for one of many features that can be optionally installed. I left them in the existing definitions to be safe but didn't see a reason to have them in the new definition. Also in the interest of safety, I guessed at what the next internal major version number for SQL would be so that the original problem isn't repeated for SQL 2012. If a variant comes out that uses minor version increment, like SQL Server 2008 R2 did, then that criterion will have to be updated accordingly.

Shane Shaffer
Technical Director, Security Automation
G2, Inc.
To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Attachment: SQLInventory.xml (24K)
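The over-matching described in the message above, as an added Python sketch that is not part of the original post or of SQLInventory.xml: it compares a lower-bound-only version check with a bounded range check. The version ranges, function names and sample version strings are constructed assumptions for illustration.

```python
# Added illustration. The ranges below are assumptions, not values read
# from the submitted OVAL definitions.

def parse_version(text):
    """Turn '10.50.1600.1' into (10, 50, 1600, 1) for numeric comparison."""
    return tuple(int(part) for part in text.strip().split("."))

# Assumed internal version ranges per product, as [lower, upper).
RANGES = {
    "SQL Server 2005":    ((9, 0),   (10, 0)),
    "SQL Server 2008":    ((10, 0),  (10, 50)),
    "SQL Server 2008 R2": ((10, 50), (11, 0)),
    # Upper bound is a guess at the next major version, as in the post.
    # A minor-increment variant (like 2008 R2 was) would need this changed.
    "SQL Server 2012":    ((11, 0),  (12, 0)),
}

def lower_bound_only(instance_versions):
    """Behaviour reported as the problem: 'this version or newer' matches."""
    return {name: any(parse_version(v) >= lo for v in instance_versions)
            for name, (lo, _hi) in RANGES.items()}

def bounded(instance_versions):
    """Corrected behaviour: a version must fall inside [lower, upper)."""
    return {name: any(lo <= parse_version(v) < hi for v in instance_versions)
            for name, (lo, hi) in RANGES.items()}

def matched(results):
    """Names of the inventory checks that evaluated to true."""
    return sorted(name for name, hit in results.items() if hit)

if __name__ == "__main__":
    # Constructed sample: one host with a single 2008 R2 instance.
    host = ["10.50.1600.1"]
    print("lower bound only:", matched(lower_bound_only(host)))
    print("bounded range:   ", matched(bounded(host)))
```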

Re: SQL Server updates/additions

Jon Baker
Administrator

Shane,

This submission has been processed and is now available in the OVAL repository. Our static downloads will be updated to include this submission later today.

Thanks,

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]

From: Shane Shaffer [mailto:[hidden email]]
Sent: Tuesday, April 03, 2012 4:14 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: [OVAL-DISCUSSION-LIST] SQL Server updates/additions

 
