SV-213996r617437_rule
V-213996
SRG-APP-000492-DB-000333
SQL6-D0-013000
CAT II
10
Deploy an audit to audit the retrieval of privilege/permission/role membership information. See the supplemental file "SQL 2016 Audit.sql".
Review the system documentation to determine if SQL Server is required to audit the retrieval of privilege/permission/role membership information.
If this is not required, this is not a finding.
If the documentation does not exist, this is a finding.
Determine if an audit is configured and started by executing the following query.
SELECT name AS 'Audit Name',
status_desc AS 'Audit Status',
audit_file_path AS 'Current Audit File'
FROM sys.dm_server_audit_statu
If no records are returned, this is a finding.
If the auditing the retrieval of privilege/permission/role membership information is required, execute the following query to verify the "SCHEMA_OBJECT_ACCESS_GROUP" is included in the server audit specification.
SELECT a.name AS 'AuditName',
s.name AS 'SpecName',
d.audit_action_name AS 'ActionName',
d.audited_result AS 'Result'
FROM sys.server_audit_specifications s
JOIN sys.server_audits a ON s.audit_guid = a.audit_guid
JOIN sys.server_audit_specification_details d ON s.server_specification_id = d.server_specification_id
WHERE a.is_state_enabled = 1 AND d.audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP'
If the SCHEMA_OBJECT_ACCESS_GROUP is not returned in an active audit, this is a finding.
V-213996
False
SQL6-D0-013000
Review the system documentation to determine if SQL Server is required to audit the retrieval of privilege/permission/role membership information.
If this is not required, this is not a finding.
If the documentation does not exist, this is a finding.
Determine if an audit is configured and started by executing the following query.
SELECT name AS 'Audit Name',
status_desc AS 'Audit Status',
audit_file_path AS 'Current Audit File'
FROM sys.dm_server_audit_statu
If no records are returned, this is a finding.
If the auditing the retrieval of privilege/permission/role membership information is required, execute the following query to verify the "SCHEMA_OBJECT_ACCESS_GROUP" is included in the server audit specification.
SELECT a.name AS 'AuditName',
s.name AS 'SpecName',
d.audit_action_name AS 'ActionName',
d.audited_result AS 'Result'
FROM sys.server_audit_specifications s
JOIN sys.server_audits a ON s.audit_guid = a.audit_guid
JOIN sys.server_audit_specification_details d ON s.server_specification_id = d.server_specification_id
WHERE a.is_state_enabled = 1 AND d.audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP'
If the SCHEMA_OBJECT_ACCESS_GROUP is not returned in an active audit, this is a finding.
M
3993