SV-213949r617437_rule
V-213949
SRG-APP-000123-DB-000204
SQL6-D0-006400
CAT II
10
Remove audit-related permissions from individuals and roles not authorized to have them.
USE master;
DENY [ALTER ANY SERVER AUDIT] TO [User];
GO
Check the server documentation for a list of approved users with access to SQL Server Audits.
To alter or drop a server audit, principals require the ALTER ANY SERVER AUDIT or the CONTROL SERVER permission.
Review the SQL Server permissions granted to principals. Look for the permissions ALTER ANY SERVER AUDIT, ALTER ANY DATABASE AUDIT, and CONTROL SERVER:
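-- List server-level permission entries (state_desc shows GRANT, DENY, etc.)
-- for the audit-related permissions, excluding internal ##MS_ system principals.
SELECT login.name, perm.permission_name, perm.state_desc
FROM sys.server_permissions perm
JOIN sys.server_principals login
ON perm.grantee_principal_id = login.principal_id
WHERE perm.permission_name IN ('CONTROL SERVER', 'ALTER ANY DATABASE AUDIT', 'ALTER ANY SERVER AUDIT')
AND login.name NOT LIKE '##MS_%';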
If unauthorized accounts have these privileges, this is a finding.