STIGQter: STIG Summary: MS SQL Server 2014 Instance Security Technical Implementation Guide Version: 1 Release: 10 Benchmark Date: 24 Apr 2020: STIGQter: STIG Summary: MS SQL Server 2014 Instance Security Technical Implementation Guide Version: 1 Release: 10 Benchmark Date: 24 Apr 2020:SV-82263r1_rule
V-67773
SRG-APP-000096-DB-000040
SQL4-00-011900
CAT II
10
Design and deploy a SQL Server Audit or a Trace that captures Start Time and (where relevant) End Time for all auditable events.
The script provided in the supplemental file Trace.sql can be used to create a trace.
The script provided in the supplemental file Audit.sql can be used to create an audit..
If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
If SQL Server Audit is in use, the event time and date are always captured: this is not a finding.
If SQL Server Trace is in use for audit purposes, verify that for all events it captures the start and (where relevant) end time.
From the query prompt:
SELECT * FROM sys.traces;
All currently defined traces for the SQL server instance will be listed.
If no traces are returned, this is a finding.
Determine the trace(s) being used for the auditing requirement.
In the following, replace # with a trace ID being used for the auditing requirements.
From the query prompt:
WITH
EC AS (SELECT eventid, columnid FROM sys.fn_trace_geteventinfo(2)),
E AS (SELECT DISTINCT eventid FROM EC)
SELECT
E.eventid,
CASE WHEN EC14.columnid IS NULL THEN 'Start Time (14) missing' ELSE '14 OK' END AS field14,
CASE WHEN EC15.columnid IS NULL THEN 'End Time (15) missing' ELSE '15 OK' END AS field15
FROM E E
LEFT OUTER JOIN EC EC14
ON EC14.eventid = E.eventid
AND EC14.columnid = 14
LEFT OUTER JOIN EC EC15
ON EC15.eventid = E.eventid
AND EC15.columnid = 15
WHERE
EC14.columnid IS NULL OR EC15.columnid IS NULL;
If the resulting list indicates any field specifications are missing, this is a finding.
V-67773
False
SQL4-00-011900
If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.
If SQL Server Audit is in use, the event time and date are always captured: this is not a finding.
If SQL Server Trace is in use for audit purposes, verify that for all events it captures the start and (where relevant) end time.
From the query prompt:
SELECT * FROM sys.traces;
All currently defined traces for the SQL server instance will be listed.
If no traces are returned, this is a finding.
Determine the trace(s) being used for the auditing requirement.
In the following, replace # with a trace ID being used for the auditing requirements.
From the query prompt:
WITH
EC AS (SELECT eventid, columnid FROM sys.fn_trace_geteventinfo(2)),
E AS (SELECT DISTINCT eventid FROM EC)
SELECT
E.eventid,
CASE WHEN EC14.columnid IS NULL THEN 'Start Time (14) missing' ELSE '14 OK' END AS field14,
CASE WHEN EC15.columnid IS NULL THEN 'End Time (15) missing' ELSE '15 OK' END AS field15
FROM E E
LEFT OUTER JOIN EC EC14
ON EC14.eventid = E.eventid
AND EC14.columnid = 14
LEFT OUTER JOIN EC EC15
ON EC15.eventid = E.eventid
AND EC15.columnid = 15
WHERE
EC14.columnid IS NULL OR EC15.columnid IS NULL;
If the resulting list indicates any field specifications are missing, this is a finding.
M
2639