STIGQter: STIG Summary: MS SQL Server 2014 Instance Security Technical Implementation Guide, Version 1, Release 10, Benchmark Date: 24 Apr 2020

SQL Server must include organization-defined additional, more detailed information in Trace or Audit records for events identified by type, location, or subject.

DISA Rule

SV-82273r1_rule

Vulnerability Number

V-67783

Group Title

SRG-APP-000101-DB-000044

Rule Version

SQL4-00-012400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If Trace is in use for audit purposes, where SQL Server's trace facilities can provide the necessary data, define and enable a trace that captures all organization-defined auditable events and fields. The script provided in the supplemental file Trace.sql can be used for this, after appropriate editing.

Where SQL Server's trace facilities cannot provide the necessary data, designate the event code(s) that will be used (Microsoft provides codes 82 through 91 for this purpose), design and deploy triggers that will recognize the events and invoke sp_trace_generateevent to populate the trace with the necessary information. Add a block of sp_trace_setevent calls to the trace script for each event code designated for this purpose.
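The following T-SQL is an added example of the Trace branch described above; it is not DISA's supplemental Trace.sql and does not reproduce it. The trace file path (C:\SQLTrace\stig_audit, to which SQL Server appends .trc), the database AppDB, the table dbo.Payroll and the event list are assumptions chosen for illustration, and the standard-event list is deliberately a small subset of what an audit-oriented trace would carry.

```sql
-- Added example (not the STIG's Trace.sql). Hypothetical names: trace file
-- C:\SQLTrace\stig_audit, database AppDB, table dbo.Payroll.
-- Requires ALTER TRACE on the server.
DECLARE @TraceID int, @rc int, @on bit = 1;
DECLARE @maxfilesize bigint = 100;   -- MB per rollover file
DECLARE @filecount int = 20;         -- files kept before the oldest is recycled

-- 1. Create the trace. Option 2 = TRACE_FILE_ROLLOVER, 4 = SHUTDOWN_ON_ERROR;
--    6 is both, so a failure to write audit data stops the instance.
EXEC @rc = sp_trace_create @TraceID OUTPUT, 6, N'C:\SQLTrace\stig_audit', @maxfilesize, NULL, @filecount;
IF @rc <> 0
BEGIN
    RAISERROR(N'sp_trace_create failed with return code %d', 16, 1, @rc);
    RETURN;
END;

-- 2. Event/column pairs to collect. Column ids: 1 TextData, 2 BinaryData,
--    6 NTUserName, 8 HostName, 10 ApplicationName, 11 LoginName, 12 SPID,
--    14 StartTime, 35 DatabaseName.
DECLARE @Events TABLE (EventId int NOT NULL, ColumnId int NOT NULL, PRIMARY KEY (EventId, ColumnId));

-- Standard audit-oriented events (subset): 14 Audit Login, 15 Audit Logout,
-- 20 Audit Login Failed, 104 Audit Addlogin, 108 Audit Add Login to Server Role,
-- 175 Audit Server Alter Trace (someone tampering with this trace).
INSERT INTO @Events (EventId, ColumnId)
SELECT e.EventId, c.ColumnId
FROM (VALUES (14), (15), (20), (104), (108), (175)) AS e(EventId)
CROSS JOIN (VALUES (1), (6), (8), (10), (11), (12), (14), (35)) AS c(ColumnId);

-- Organization-defined events raised from triggers: UserConfigurable:0 is
-- event class 82 (82-91 are reserved for this). TextData (1) and BinaryData (2)
-- carry what sp_trace_generateevent is given.
INSERT INTO @Events (EventId, ColumnId)
SELECT 82, c.ColumnId FROM (VALUES (1), (2), (11), (12), (14), (35)) AS c(ColumnId);

DECLARE @e int, @c int;
DECLARE ev CURSOR LOCAL FAST_FORWARD FOR SELECT EventId, ColumnId FROM @Events;
OPEN ev;
FETCH NEXT FROM ev INTO @e, @c;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC @rc = sp_trace_setevent @TraceID, @e, @c, @on;
    IF @rc <> 0 RAISERROR(N'sp_trace_setevent(event %d, column %d) returned %d', 16, 1, @e, @c, @rc);
    FETCH NEXT FROM ev INTO @e, @c;
END;
CLOSE ev;
DEALLOCATE ev;

-- 3. Start the trace and show what was created.
EXEC sp_trace_setstatus @TraceID, 1;
SELECT id AS trace_id, path, status, is_rollover, is_shutdown FROM sys.traces WHERE id = @TraceID;
GO

USE AppDB;
GO
-- Trigger that raises event 82 for the organization-defined event "Payroll row
-- changed". sp_trace_generateevent writes into every running trace that collects
-- event 82 and needs ALTER TRACE; because the trigger runs in the caller's context,
-- an application user without that permission makes the trigger fail and the DML
-- roll back. Sign the trigger with a certificate whose login holds ALTER TRACE
-- rather than granting it to application users.
CREATE TRIGGER dbo.trg_Payroll_StigAudit ON dbo.Payroll
AFTER UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @rows int = (SELECT COUNT(*) FROM deleted);
    -- @userinfo is nvarchar(128); longer text is silently truncated on assignment.
    DECLARE @info nvarchar(128) =
        N'dbo.Payroll ' + CASE WHEN EXISTS (SELECT 1 FROM inserted) THEN N'UPDATE' ELSE N'DELETE' END
        + N' by ' + SUSER_SNAME() + N' rows=' + CAST(@rows AS nvarchar(10));
    EXEC sp_trace_generateevent @eventid = 82, @userinfo = @info;
END;
GO
```

The trace must be stopped (sp_trace_setstatus with status 0) before further sp_trace_setevent calls are accepted, and deleting it (status 2) also deletes its definition, so keep the script under change control as the record of what is audited.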

If SQL Server Audit is in use, design and deploy an Audit that captures all auditable events and data items. The script provided in the supplemental file Audit.sql can be used as the basis for this. Supplement the standard audit data as necessary, using database audit specifications, Extended Events and/or triggers.
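The following T-SQL is an added example of the SQL Server Audit branch; it is not DISA's supplemental Audit.sql and does not reproduce it. The audit folder C:\SQLAudit\, the database AppDB, the table dbo.Payroll with columns EmployeeId and ApprovalTicket, the user-defined event id 1001 and the action-group list are assumptions chosen for illustration. It shows the three layers the fix text names: a server audit specification, a database audit specification, and a trigger that supplements the standard record with an organization-defined field through sp_audit_write.

```sql
-- Added example (not the STIG's Audit.sql). Hypothetical names: folder C:\SQLAudit\,
-- database AppDB, table dbo.Payroll (EmployeeId, ApprovalTicket), event id 1001.
USE master;
GO
-- 1. Audit object: where records go and what happens when writing fails.
--    ON_FAILURE = SHUTDOWN makes loss of audit capability stop the instance.
CREATE SERVER AUDIT STIG_Audit
TO FILE (FILEPATH = N'C:\SQLAudit\', MAXSIZE = 200 MB, MAX_ROLLOVER_FILES = 50, RESERVE_DISK_SPACE = OFF)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
-- 2. Server-level actions. USER_DEFINED_AUDIT_GROUP is what lets triggers add
--    organization-defined events via sp_audit_write.
CREATE SERVER AUDIT SPECIFICATION STIG_Server_Spec
FOR SERVER AUDIT STIG_Audit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (USER_DEFINED_AUDIT_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT STIG_Audit WITH (STATE = ON);
GO

USE AppDB;
GO
-- 3. Database-level detail the server specification cannot express: who reads
--    or changes dbo.Payroll, and permission changes on objects in this database.
CREATE DATABASE AUDIT SPECIFICATION STIG_AppDB_Spec
FOR SERVER AUDIT STIG_Audit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Payroll BY public),
    ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- 4. Organization-defined field: the record for a Payroll change must carry the
--    approval ticket stored on each changed row. sp_audit_write writes into
--    USER_DEFINED_AUDIT_GROUP and may be called by members of public, so no extra
--    permission is needed in the caller's context.
CREATE TRIGGER dbo.trg_Payroll_AuditDetail ON dbo.Payroll
AFTER UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    -- One "EmployeeId=..; ticket=.." entry per changed row; nvarchar(4000) is the
    -- limit of @user_defined_information, longer text is truncated.
    DECLARE @detail nvarchar(4000);
    SELECT @detail = STUFF((
        SELECT N'; EmployeeId=' + CAST(i.EmployeeId AS nvarchar(20))
             + N' ticket=' + ISNULL(i.ApprovalTicket, N'<none>')
        FROM inserted AS i
        FOR XML PATH(''), TYPE).value('.', 'nvarchar(max)'), 1, 2, N'');
    EXEC sp_audit_write @user_defined_event_id = 1001, @succeeded = 1,
                        @user_defined_information = @detail;
END;
GO
-- 5. Read the records back (needs CONTROL SERVER). The user-defined columns are
--    populated only for rows written by sp_audit_write.
SELECT event_time, action_id, succeeded, server_principal_name, database_name,
       object_name, user_defined_event_id, user_defined_information, statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

The trigger fires after the standard UPDATE audit record has already been queued, so each change produces two rows in the audit file that share session_id and server_principal_name; that pairing is what lets a reviewer tie the organization-defined field back to the statement that caused it.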

Check Contents

If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.

Review system documentation to determine whether SQL Server is required to audit any events, and any fields, in addition to those in the standard audit or audit-oriented trace.

If there are none specified, this is not a finding.

If SQL Server Trace is in use for audit purposes, review the audit-oriented trace definition script(s) to identify any events and/or fields that are required but not in the script.

If any such events or fields are identified, this is a finding.

If SQL Server Audit is in use, compare the audit specification(s) with the documented requirements.

If any such requirement is not satisfied by the audit specification(s) (or by supplemental, locally-deployed mechanisms), this is a finding.
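The following T-SQL is an added check script that carries out the comparison described above against the catalog views; it is not the STIG's own check procedure. The list of required events is constructed here to stand in for what the system documentation would specify, and the names AppDB, dbo.Payroll and the action names are assumptions. It compares server- and database-scope requirements with the enabled audit specifications, and for the Trace branch lists which running non-default traces collect the user-configurable events 82 to 91; it does not check the BY principal scoping of a database audit action, which still has to be read by hand.

```sql
-- Added check script (not the STIG's own). Run as a login with CONTROL SERVER.
-- The requirements table below is a constructed sample.
SET NOCOUNT ON;

-- 0. Is any audit mechanism in use? The default trace (is_default = 1) is not
--    audit-oriented and does not count.
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE is_state_enabled = 1)
   AND NOT EXISTS (SELECT 1 FROM sys.traces WHERE is_default = 0 AND status = 1)
    PRINT N'FINDING: neither SQL Server Audit nor an audit-oriented trace is running.';

-- 1. Documented requirements (constructed). scope is 'SERVER' or a database name.
IF OBJECT_ID(N'tempdb..#Required') IS NOT NULL DROP TABLE #Required;
CREATE TABLE #Required (scope sysname NOT NULL, action_name nvarchar(128) NOT NULL, target_object nvarchar(256) NULL);
INSERT INTO #Required (scope, action_name, target_object) VALUES
  (N'SERVER', N'FAILED_LOGIN_GROUP',       NULL),
  (N'SERVER', N'USER_DEFINED_AUDIT_GROUP', NULL),
  (N'AppDB',  N'UPDATE',                   N'dbo.Payroll'),
  (N'AppDB',  N'DELETE',                   N'dbo.Payroll');

-- 2. Server-scope requirements not covered by an enabled specification whose
--    parent audit is also enabled. Any row returned is a finding.
SELECT r.action_name AS missing_server_action
FROM #Required AS r
WHERE r.scope = N'SERVER'
  AND NOT EXISTS (
      SELECT 1
      FROM sys.server_audit_specifications AS s
      JOIN sys.server_audit_specification_details AS d
        ON d.server_specification_id = s.server_specification_id
      JOIN sys.server_audits AS a ON a.audit_guid = s.audit_guid
      WHERE s.is_state_enabled = 1 AND a.is_state_enabled = 1
        AND d.audit_action_name = r.action_name);
GO

-- 3. Database-scope requirements: these catalog views are per database, so run
--    inside it. class 1 = object, 3 = schema, 0 = whole database; a schema- or
--    database-wide audit of the action also satisfies an object-level requirement.
USE AppDB;
GO
SELECT r.action_name AS missing_db_action, r.target_object
FROM #Required AS r
WHERE r.scope = DB_NAME()
  AND NOT EXISTS (
      SELECT 1
      FROM sys.database_audit_specifications AS s
      JOIN sys.database_audit_specification_details AS d
        ON d.database_specification_id = s.database_specification_id
      WHERE s.is_state_enabled = 1
        AND d.audit_action_name = r.action_name
        AND (   (d.class = 1 AND d.major_id = OBJECT_ID(r.target_object))
             OR (d.class = 3 AND d.major_id = OBJECTPROPERTY(OBJECT_ID(r.target_object), 'SchemaId'))
             OR  d.class = 0));
GO

-- 4. Trace branch: running non-default traces that collect the user-configurable
--    events, with the columns they capture (1 TextData, 2 BinaryData, 11 LoginName,
--    14 StartTime). A required event code absent here is a finding.
SELECT t.id AS trace_id, t.path, e.eventid, e.columnid
FROM sys.traces AS t
CROSS APPLY sys.fn_trace_geteventinfo(t.id) AS e
WHERE t.is_default = 0 AND t.status = 1 AND e.eventid BETWEEN 82 AND 91
ORDER BY t.id, e.eventid, e.columnid;
```

Empty result sets from steps 2 and 3 mean the documented requirements are covered; the requirements table is the part to replace with the organization's actual list, and the script should be re-run after any change to an audit specification or trace definition.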

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2639

Comments