Information
Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Database software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed a given action. If user identification information is not recorded and stored with the audit record, the record itself is of very limited use.
Solution
Create a trace that meets all auditing requirements.
The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.
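To confirm that a running trace records who performed each action, the query below lists every captured event that omits an identity or context column it could have recorded. It is an added example, not the contents of Trace.sql. It assumes the DBMS is Microsoft SQL Server using SQL Trace, and the column list is an illustrative selection based on the audit record content named above; adjust it to local requirements.

```sql
-- Added example (not from Trace.sql). Assumption: Microsoft SQL Server, SQL Trace.
-- For each running trace, report events that do not capture a user-identity or
-- context column even though that column is valid for the event.
WITH captured AS (
    -- Every (trace, event, column) combination currently being recorded.
    SELECT t.id AS trace_id, t.path AS trace_path, ei.eventid, ei.columnid
    FROM sys.traces AS t
    CROSS APPLY sys.fn_trace_geteventinfo(t.id) AS ei
    WHERE t.status = 1                      -- 1 = trace is running
),
traced_events AS (
    SELECT DISTINCT trace_id, trace_path, eventid
    FROM captured
)
SELECT e.trace_id,
       e.trace_path,
       te.name AS event_name,
       tc.name AS missing_column
FROM traced_events AS e
JOIN sys.trace_events AS te
  ON te.trace_event_id = e.eventid
-- Only consider columns the event is able to populate.
JOIN sys.trace_event_bindings AS b
  ON b.trace_event_id = e.eventid
JOIN sys.trace_columns AS tc
  ON tc.trace_column_id = b.trace_column_id
WHERE tc.name IN (N'LoginName',         -- user identifier
                  N'SessionLoginName',  -- original login when context is switched
                  N'NTUserName',        -- Windows user name
                  N'SPID',              -- session (process) identifier
                  N'HostName',          -- source workstation
                  N'ApplicationName',   -- client program
                  N'StartTime',         -- time stamp
                  N'Success')           -- success/fail indication
  AND NOT EXISTS (SELECT 1
                  FROM captured AS c
                  WHERE c.trace_id = e.trace_id
                    AND c.eventid  = e.eventid
                    AND c.columnid = b.trace_column_id)
ORDER BY e.trace_id, te.name, tc.name;
```

An empty result means every traced event records all of the listed columns that apply to it; each returned row names a column to add to the trace definition for that event.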