I noticed that there are a few issues with the current inventory definitions for SQL Server. Most notably, the tests that look for instance version registry keys would report true if you had the desired version or any newer versions - so if you had SQL 2008 R2 installed, the definitions for 2005 and 2008 would also report true.
I've corrected this behavior and made a few other changes:
- Adjusted criteria and added new tests to ensure newer versions don't cause a true result
- Updated platform tags to correctly reflect OS versions on which the product can be installed
- Updated comment to more accurately describe what the test does
I've also included a new inventory definition for SQL Server 2012. I slightly deviated from the pattern of the previous versions by only including the instance tests. The other tests, those looking for the DTS/Integration Services version, seem somewhat inappropriate because they're looking for one of many features that can be optionally installed. I left them in the existing definitions to be safe but didn't see a reason to have them in the new definition. Also in the interest of safety, I guessed at what the next internal major version number for SQL would be so that the original problem isn't repeated for SQL 2012. If a variant comes out that uses a minor version increment, like SQL Server 2008 R2 did, then that criterion will have to be updated accordingly.
Technical Director, Security Automation
Attachment: SQLInventory.xml (24K)
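The false positive described in the message above, shown as an added example that is not part of the original message or of the submitted SQLInventory.xml: a version test with only a lower bound matches every newer release, while a bounded range does not. The internal version numbers, the exclusive upper bound for SQL Server 2012, the function names and the sample instance are assumptions made for illustration.

```python
# Added illustration. Version bounds below are assumptions for the example,
# not values taken from the submitted OVAL definitions.

def parse_version(text):
    """Turn '10.50.1600.1' into (10, 50, 1600, 1) so parts compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

# product -> (inclusive lower bound, exclusive upper bound)
BOUNDS = {
    "SQL Server 2005":    ((9, 0),   (10, 0)),
    "SQL Server 2008":    ((10, 0),  (10, 50)),
    "SQL Server 2008 R2": ((10, 50), (11, 0)),   # minor-version increment
    "SQL Server 2012":    ((11, 0),  (12, 0)),   # upper bound guesses the next major
}

def matches_lower_bound_only(product, version):
    """Original behaviour: true for the desired version or anything newer."""
    low, _ = BOUNDS[product]
    return parse_version(version) >= low

def matches_bounded(product, version):
    """Corrected behaviour: true only inside this product's version range."""
    low, high = BOUNDS[product]
    return low <= parse_version(version) < high

def inventory(instance_versions, check):
    """Return {product: [instance names]} for every product the check reports."""
    found = {}
    for product in BOUNDS:
        hits = sorted(name for name, version in instance_versions.items()
                      if check(product, version))
        if hits:
            found[product] = hits
    return found

# Constructed sample: one host with a single SQL Server 2008 R2 instance.
SAMPLE = {"MSSQLSERVER": "10.50.1600.1"}

if __name__ == "__main__":
    print("lower bound only:", inventory(SAMPLE, matches_lower_bound_only))
    print("bounded range:   ", inventory(SAMPLE, matches_bounded))
```
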
This submission has been processed and is now available in the OVAL repository. Our static downloads will be updated to include this submission later today.
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]