SQL2-00-012400 - SQL Server must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject - 'Event ID 117'

Information

SQL Server auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.

SQL Server does have a means available to add organizationally defined additional, more detailed information in the audit event records. These events may be identified by type, location, or subject. An example of more detailed information the organization may require in audit records could be the name of the application where the request is coming from.

Some organizations may determine that more detailed information is required for specific database event types. If this information is not available, it could negatively impact forensic investigations into user actions or other malicious events.

Solution

Create a trace that meets all auditing requirements.

The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.

Item Details

Audit Name: DISA STIG SQL Server 2012 DB Instance Security v1r20

Category: AUDIT AND ACCOUNTABILITY

Plugin: MS_SQLDB

Control ID: 90316ba474221215c4224c054561b64f578be3a974b42d230f757d93ad03aeae

Detections

Analytics

SQL2-00-012400 - SQL Server must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject - 'Event ID 117'

Information

Solution

See Also

Item Details