STIGQter STIGQter: STIG Summary: MS SQL Server 2014 Instance Security Technical Implementation Guide Version: 1 Release: 10 Benchmark Date: 24 Apr 2020:

SQL Server must produce Trace or Audit records containing sufficient information to establish when the events occurred.

DISA Rule

SV-82263r1_rule

Vulnerability Number

V-67773

Group Title

SRG-APP-000096-DB-000040

Rule Version

SQL4-00-011900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Design and deploy a SQL Server Audit or a Trace that captures Start Time and (where relevant) End Time for all auditable events.

The script provided in the supplemental file Trace.sql can be used to create a trace.

The script provided in the supplemental file Audit.sql can be used to create an audit..

Check Contents

If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.

If SQL Server Audit is in use, the event time and date are always captured: this is not a finding.

If SQL Server Trace is in use for audit purposes, verify that for all events it captures the start and (where relevant) end time.
From the query prompt:
SELECT * FROM sys.traces;

All currently defined traces for the SQL server instance will be listed.

If no traces are returned, this is a finding.

Determine the trace(s) being used for the auditing requirement.
In the following, replace # with a trace ID being used for the auditing requirements.
From the query prompt:
WITH
EC AS (SELECT eventid, columnid FROM sys.fn_trace_geteventinfo(2)),
E AS (SELECT DISTINCT eventid FROM EC)
SELECT
E.eventid,
CASE WHEN EC14.columnid IS NULL THEN 'Start Time (14) missing' ELSE '14 OK' END AS field14,
CASE WHEN EC15.columnid IS NULL THEN 'End Time (15) missing' ELSE '15 OK' END AS field15
FROM E E
LEFT OUTER JOIN EC EC14
ON EC14.eventid = E.eventid
AND EC14.columnid = 14
LEFT OUTER JOIN EC EC15
ON EC15.eventid = E.eventid
AND EC15.columnid = 15
WHERE
EC14.columnid IS NULL OR EC15.columnid IS NULL;

If the resulting list indicates any field specifications are missing, this is a finding.

Vulnerability Number

V-67773

Documentable

False

Rule Version

SQL4-00-011900

Severity Override Guidance

If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.

If SQL Server Audit is in use, the event time and date are always captured: this is not a finding.

If SQL Server Trace is in use for audit purposes, verify that for all events it captures the start and (where relevant) end time.
From the query prompt:
SELECT * FROM sys.traces;

All currently defined traces for the SQL server instance will be listed.

If no traces are returned, this is a finding.

Determine the trace(s) being used for the auditing requirement.
In the following, replace # with a trace ID being used for the auditing requirements.
From the query prompt:
WITH
EC AS (SELECT eventid, columnid FROM sys.fn_trace_geteventinfo(2)),
E AS (SELECT DISTINCT eventid FROM EC)
SELECT
E.eventid,
CASE WHEN EC14.columnid IS NULL THEN 'Start Time (14) missing' ELSE '14 OK' END AS field14,
CASE WHEN EC15.columnid IS NULL THEN 'End Time (15) missing' ELSE '15 OK' END AS field15
FROM E E
LEFT OUTER JOIN EC EC14
ON EC14.eventid = E.eventid
AND EC14.columnid = 14
LEFT OUTER JOIN EC EC15
ON EC15.eventid = E.eventid
AND EC15.columnid = 15
WHERE
EC14.columnid IS NULL OR EC15.columnid IS NULL;

If the resulting list indicates any field specifications are missing, this is a finding.

Check Content Reference

M

Target Key

2639

Comments