STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

SQL Server must generate audit records when privileges/permissions are deleted.

DISA Rule

SV-214007r617437_rule

Vulnerability Number

V-214007

Group Title

SRG-APP-000499-DB-000330

Rule Version

SQL6-D0-014100

Severity

CAT II

CCI(s)

• CCI-000172 - The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Weight

10

Fix Recommendation

Add the following events to the SQL Server Audit that is being used for the STIG compliant audit.

DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
DATABASE_OWNERSHIP_CHANGE_GROUP
DATABASE_PERMISSION_CHANGE_GROUP
DATABASE_ROLE_MEMBER_CHANGE_GROUP
SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
SERVER_OBJECT_PERMISSION_CHANGE_GROUP
SERVER_PERMISSION_CHANGE_GROUP
SERVER_ROLE_MEMBER_CHANGE_GROUP

See the supplemental file "SQL 2016 Audit.sql".

Reference:
https://msdn.microsoft.com/en-us/library/cc280663.aspx

Check Contents

Check the SQL Server Audit being used for the STIG compliant audit.

If the following events are not included, this is a finding.

DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
DATABASE_OWNERSHIP_CHANGE_GROUP
DATABASE_PERMISSION_CHANGE_GROUP
DATABASE_ROLE_MEMBER_CHANGE_GROUP
SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
SERVER_OBJECT_PERMISSION_CHANGE_GROUP
SERVER_PERMISSION_CHANGE_GROUP
SERVER_ROLE_MEMBER_CHANGE_GROUP

Reference:
https://msdn.microsoft.com/en-us/library/cc280663.aspx

Vulnerability Number

V-214007

Documentable

False

Rule Version

SQL6-D0-014100

Severity Override Guidance

Check the SQL Server Audit being used for the STIG compliant audit.

If the following events are not included, this is a finding.

DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
DATABASE_OWNERSHIP_CHANGE_GROUP
DATABASE_PERMISSION_CHANGE_GROUP
DATABASE_ROLE_MEMBER_CHANGE_GROUP
SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
SERVER_OBJECT_PERMISSION_CHANGE_GROUP
SERVER_PERMISSION_CHANGE_GROUP
SERVER_ROLE_MEMBER_CHANGE_GROUP

Reference:
https://msdn.microsoft.com/en-us/library/cc280663.aspx

Check Content Reference

M

Target Key

3993

Comments