STIGQter: STIG Summary: MS SQL Server 2014 Instance Security Technical Implementation Guide, Version 1, Release 10, Benchmark Date: 24 Apr 2020

Unless it has been determined that availability is paramount, SQL Server must shut down upon the failure of an Audit, or a Trace used for auditing purposes, to include the unavailability of space for more audit/trace log records.

DISA Rule

SV-82275r1_rule

Vulnerability Number

V-67785

Group Title

SRG-APP-000109-DB-000049

Rule Version

SQL4-00-013000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If Trace is in use for audit purposes, redefine the trace, with @options = 6. The script provided in the supplemental file Trace.sql can be used to do this.

If SQL Server Audit is in use, configure SQL Server Audit to shut SQL Server down upon audit failure, to include running out of space for audit logs. Run this T-SQL script for each identified audit:
ALTER SERVER AUDIT <server_audit_name> WITH (STATE = OFF);
GO
ALTER SERVER AUDIT <server_audit_name> WITH (ON_FAILURE = SHUTDOWN);
GO
ALTER SERVER AUDIT <server_audit_name> WITH (STATE = ON);
GO
The audit defined in the supplemental file Audit.sql includes this setting.

Check Contents

If neither SQL Server Audit nor SQL Server Trace is in use for audit purposes, this is a finding.

If the system documentation indicates that availability takes precedence over audit trail completeness, this is not applicable (NA).

If SQL Server Trace is in use for audit purposes, run the statement:
SELECT * FROM sys.traces;

In the results of the SELECT, identify the row representing the trace used for audit purposes. Examine the values in that row.

If is_shutdown = 0, this is a finding.

If SQL Server Audit is in use, review the defined server audits by running the statement:
SELECT * FROM sys.server_audits;
Using the [name] and [is_state_enabled] columns, identify the row or rows in use.

If [on_failure_desc] is "SHUTDOWN SERVER INSTANCE" on each of those rows, this is not a finding. Otherwise, this is a finding.
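As an added example, not part of the STIG text or its supplemental Audit.sql/Trace.sql scripts, the T-SQL below runs both halves of the check above in one pass and, for the SQL Server Audit case, prints the three-statement fix from the Fix Recommendation for every enabled audit that still lacks ON_FAILURE = SHUTDOWN. The catalog views and columns are SQL Server's own; the CTE names and aliases are this example's. Trace remediation is left to Trace.sql, since recreating a trace needs its full event definition.

```sql
-- Added example (not part of the STIG text): one pass over both audit
-- mechanisms named in the check, returning every row that is a finding
-- for SQL4-00-013000. Catalog views/columns are documented SQL Server
-- objects; CTE and alias names are this example's own.
SET NOCOUNT ON;

-- 1. SQL Server Audit: an enabled audit whose failure action is not
--    "SHUTDOWN SERVER INSTANCE" is a finding (keyed on on_failure_desc).
WITH audit_findings AS (
    SELECT  'SERVER AUDIT'    AS mechanism,
            a.name            AS object_name,
            a.on_failure_desc AS failure_action,
            CASE WHEN a.on_failure_desc = 'SHUTDOWN SERVER INSTANCE'
                 THEN 'compliant' ELSE 'FINDING' END AS result
    FROM    sys.server_audits AS a
    WHERE   a.is_state_enabled = 1
),
-- 2. SQL Server Trace: a running, non-default trace (the default trace is
--    not the auditing trace) with is_shutdown = 0 is a finding.
trace_findings AS (
    SELECT  'TRACE' AS mechanism,
            CONVERT(nvarchar(128), t.id) AS object_name,
            CASE t.is_shutdown WHEN 1 THEN 'SHUTDOWN_ON_ERROR' ELSE 'none' END
                AS failure_action,
            CASE WHEN t.is_shutdown = 1 THEN 'compliant' ELSE 'FINDING' END
                AS result
    FROM    sys.traces AS t
    WHERE   t.is_default = 0 AND t.status = 1
)
SELECT * FROM audit_findings
UNION ALL
SELECT * FROM trace_findings;
-- An empty result set means neither mechanism is in use, which the check
-- also treats as a finding.

-- 3. Fix generator for the audit case. ALTER SERVER AUDIT ... ON_FAILURE =
--    SHUTDOWN fails unless the issuing login holds SHUTDOWN, so confirm it
--    first. Statements are printed for review, not executed, because the
--    shutdown-on-failure decision is an availability trade-off.
IF HAS_PERMS_BY_NAME(NULL, NULL, 'SHUTDOWN') = 0
    PRINT 'Login lacks SHUTDOWN permission; ON_FAILURE = SHUTDOWN will be rejected.';

DECLARE @sql nvarchar(max) = N'';
SELECT @sql = @sql
    + N'ALTER SERVER AUDIT ' + QUOTENAME(a.name) + N' WITH (STATE = OFF);'             + CHAR(13) + CHAR(10)
    + N'ALTER SERVER AUDIT ' + QUOTENAME(a.name) + N' WITH (ON_FAILURE = SHUTDOWN);'  + CHAR(13) + CHAR(10)
    + N'ALTER SERVER AUDIT ' + QUOTENAME(a.name) + N' WITH (STATE = ON);'              + CHAR(13) + CHAR(10)
FROM    sys.server_audits AS a
WHERE   a.is_state_enabled = 1
  AND   a.on_failure_desc <> 'SHUTDOWN SERVER INSTANCE';
PRINT @sql;
```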

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2639

Comments