SV-213943r617437_rule
V-213943
SRG-APP-000109-DB-000321
SQL6-D0-005700
CAT II
10
If SQL Server Audit is in use, configure SQL Server Audit to continue to generate audit records, overwriting the oldest existing records, in the case of an auditing failure.
Run this T-SQL script for each identified audit:
ALTER SERVER AUDIT [AuditName] WITH (STATE = OFF);
GO
ALTER SERVER AUDIT [AuditName] TO FILE (MAX_ROLLOVER_FILES = IntegerValue);
GO
ALTER SERVER AUDIT [AuditName] WITH (STATE = ON);
GO
If the system documentation indicates that availability does not take precedence over audit trail completeness, this is not applicable (NA).
Execute the following query:
SELECT a.name 'audit_name',
a.type_desc 'storage_type',
f.max_rollover_files
FROM sys.server_audits a
LEFT JOIN sys.server_file_audits f ON a.audit_id = f.audit_id
WHERE a.is_state_enabled = 1
If no records are returned, this is a finding.
If the "storage_type" is "APPLICATION LOG" or "SECURITY LOG", this is not a finding.
If the "storage_type" is "FILE" and "max_rollover_files" is greater than zero, this is not a finding. Otherwise, this is a finding.
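The check above can be evaluated in a single pass. The following T-SQL is an added example, not part of the STIG text: it applies the three rules to each enabled audit and also reports the "no records returned" case. The "result" column and its labels are names chosen for this example.

```sql
-- Added example: applies the check's finding rules to every enabled server audit.
-- The 'result' column and its label strings are assumptions made for this example.
SELECT a.name               AS audit_name,
       a.type_desc          AS storage_type,
       f.max_rollover_files,
       CASE
           -- Windows event log targets are never a finding under this rule.
           WHEN a.type_desc IN ('APPLICATION LOG', 'SECURITY LOG')
               THEN 'Not a finding'
           -- File targets pass only when rollover is configured above zero.
           WHEN a.type_desc = 'FILE' AND f.max_rollover_files > 0
               THEN 'Not a finding'
           -- Everything else, including a FILE target with NULL or 0, is a finding.
           ELSE 'Finding'
       END                  AS result
FROM sys.server_audits AS a
LEFT JOIN sys.server_file_audits AS f
       ON a.audit_id = f.audit_id
WHERE a.is_state_enabled = 1

UNION ALL

-- The check treats an empty result set as a finding, so emit one row for it.
SELECT NULL, NULL, NULL, 'Finding: no enabled server audit'
WHERE NOT EXISTS (SELECT 1
                  FROM sys.server_audits
                  WHERE is_state_enabled = 1);
```

The not applicable (NA) condition depends on system documentation and still has to be decided by the reviewer before the result column is used.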