STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

SQL Server must be configured to generate audit records for DoD-defined auditable events within all DBMS/database components.

DISA Rule

SV-213936r617437_rule

Vulnerability Number

V-213936

Group Title

SRG-APP-000089-DB-000064

Rule Version

SQL6-D0-004300

Severity

CAT II

CCI(s)

• CCI-000169 - The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.

Weight

10

Fix Recommendation

Add all required audit events to the STIG Compliant audit specification server documentation.

Check Contents

Review the server documentation to determine if any additional events are required to be audited. If no additional events are required, this is not a finding.

Execute the following query to get all of the installed audits:

SELECT name AS 'Audit Name',
status_desc AS 'Audit Status',
audit_file_path AS 'Current Audit File'
FROM sys.dm_server_audit_status

All currently defined audits for the SQL server instance will be listed. If no audits are returned, this is a finding.

To view the actions being audited by the audits, execute the following query:

SELECT a.name AS 'AuditName',
s.name AS 'SpecName',
d.audit_action_name AS 'ActionName',
d.audited_result AS 'Result'
FROM sys.server_audit_specifications s
JOIN sys.server_audits a ON s.audit_guid = a.audit_guid
JOIN sys.server_audit_specification_details d ON s.server_specification_id = d.server_specification_id
WHERE a.is_state_enabled = 1

Compare the documentation to the list of generated audit events. If there are any missing events, this is a finding.

Vulnerability Number

V-213936

Documentable

False

Rule Version

SQL6-D0-004300

Severity Override Guidance

Review the server documentation to determine if any additional events are required to be audited. If no additional events are required, this is not a finding.

Execute the following query to get all of the installed audits:

SELECT name AS 'Audit Name',
status_desc AS 'Audit Status',
audit_file_path AS 'Current Audit File'
FROM sys.dm_server_audit_status

All currently defined audits for the SQL server instance will be listed. If no audits are returned, this is a finding.

To view the actions being audited by the audits, execute the following query:

SELECT a.name AS 'AuditName',
s.name AS 'SpecName',
d.audit_action_name AS 'ActionName',
d.audited_result AS 'Result'
FROM sys.server_audit_specifications s
JOIN sys.server_audits a ON s.audit_guid = a.audit_guid
JOIN sys.server_audit_specification_details d ON s.server_specification_id = d.server_specification_id
WHERE a.is_state_enabled = 1

Compare the documentation to the list of generated audit events. If there are any missing events, this is a finding.

Check Content Reference

M

Target Key

3993

Comments