SQL2-00-012600 - SQL Server itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.

Information

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

If audit log capacity is exceeded, subsequent events will not be recorded. Organizations shall define a maximum allowable percentage of storage capacity to serve as an alarm threshold (e.g., application has exceeded 80% of log storage capacity allocated), at which point the application, or the logging mechanism the application utilizes, will provide a warning to the appropriate personnel.

A failure of database auditing will result in either the database continuing to function without auditing, or in a complete halt to database operations. When audit processing fails, appropriate personnel must be alerted immediately to avoid further downtime or unaudited transactions. This can be an alert provided by a log repository or the OS when a designated log directory is nearing capacity.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From File Server Resource Manager: Choose the From Server Selection, select a server from the server pool, and select the server from the lower menu. Expand the File and Storage Services role. Then expand the File and iSCSI Services subtree. Select File Server Resource Manager. Click Add Features. Return to the Add Roles and Features Wizard. Click Next. On the Features tab, click Next. Click Install to install and enable the FSRM.msc Microsoft Management Console snap-in tool.
From a Command Prompt, open fsrm.msc. Enable File and Folder Quota Management.
Create Quotas for previously identified Audit storage locations based on organizationally defined requirements.

Right-click the appropriate quota or quotas, and click Edit Quota Properties. From the Notification thresholds pane, create a notification threshold for this quota that generates an email alert or an Event Log entry.
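
The same quota and notification threshold can be scripted with the FileServerResourceManager PowerShell module. This is an added example, not part of the STIG or the Nessus check; the path D:\SQLAudit, the 10 GB size and the soft-limit choice are assumptions, and 80% is the example threshold from the text above.

```powershell
#Requires -RunAsAdministrator
# Assumed values (not from the STIG): replace with the organization-defined ones.
$AuditPath   = 'D:\SQLAudit'   # hypothetical audit storage location
$QuotaSize   = 10GB            # hypothetical maximum audit record storage capacity
$WarnPercent = 80              # example alarm threshold from the text above

# Install the FSRM role service and its management tools if not already present.
if (-not (Get-WindowsFeature -Name FS-Resource-Manager).Installed) {
    Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null
}

# Fail early if the audit directory does not exist, so no quota is put on a wrong path.
if (-not (Test-Path -LiteralPath $AuditPath -PathType Container)) {
    throw "Audit storage path not found: $AuditPath"
}

# Notification: write a Warning entry to the event log when the threshold is crossed.
# [Quota Path], [Server] and [Quota Threshold] are FSRM message variables.
$body   = 'Audit storage [Quota Path] on [Server] reached [Quota Threshold]% of its quota.'
$action = New-FsrmAction -Type Event -EventType Warning -Body $body

# Attach the action to a threshold at the organization-defined percentage.
$threshold = New-FsrmQuotaThreshold -Percentage $WarnPercent -Action $action

# Soft limit: FSRM monitors and notifies but does not block writes at 100%.
# This is a choice made for this example; the page does not say hard or soft.
$quotaArgs = @{
    Path      = $AuditPath
    Size      = $QuotaSize
    Threshold = $threshold
    SoftLimit = $true
}

# Update the quota if one already exists on the path, otherwise create it.
if (Get-FsrmQuota -Path $AuditPath -ErrorAction SilentlyContinue) {
    Set-FsrmQuota @quotaArgs
} else {
    New-FsrmQuota @quotaArgs -Description 'SQL Server audit storage warning quota'
}

# Show the result so the threshold can be recorded as evidence for the manual review.
Get-FsrmQuota -Path $AuditPath |
    Select-Object Path, Size, SoftLimit, Usage,
        @{ Name = 'ThresholdPercent'; Expression = { $_.Threshold.Percentage } }
```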

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2012_V1R20_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(1), CAT|III, CCI|CCI-001855, Rule-ID|SV-53398r2_rule, STIG-ID|SQL2-00-012600, Vuln-ID|V-41023

Plugin: MS_SQLDB

Control ID: 45699ac50d428b0d553b904cba630a02a317c518ac6c0605dac106cd0a4416ef