Detections
Analytics
SQL4-00-013000 - Unless it has been determined that availability is paramount, SQL Server must shut down upon the failure of an Audit, or a Trace used for auditing purposes, to include the unavailability of space for more audit/trace log records.
Information
It is critical that when SQL Server is at risk of failing to process audit logs as required, it take action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.When the need for system availability does not outweigh the need for a complete audit trail, SQL Server should shut down immediately, rolling back all in-flight transactions.
Systems where audit trail completeness is paramount will most likely be at a lower MAC level than MAC I; the final determination is the prerogative of the application owner, subject to Authorizing Official concurrence. In any case, sufficient auditing resources must be allocated to avoid a shutdown in all but the most extreme situations.
Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
If Trace is in use for audit purposes, redefine the trace, with @options = 6. The script provided in the supplemental file Trace.sql can be used to do this.If SQL Server Audit is in use, configure SQL Server Audit to shut SQL Server down upon audit failure, to include running out of space for audit logs. Run this T-SQL script for each identified audit:
ALTER SERVER AUDIT <server_audit_name> WITH (STATE = OFF);
GO
ALTER SERVER AUDIT <server_audit_name> WITH (ON_FAILURE = SHUTDOWN);
GO
ALTER SERVER AUDIT <server_audit_name> WITH (STATE = ON);
GO
The audit defined in the supplemental file Audit.sql includes this setting.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2014_Y22M10_STIG.zip
Item Details
Audit Name: DISA STIG SQL Server 2014 Instance DB Audit v2r3
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-5b., CAT|II, CCI|CCI-000140, Rule-ID|SV-213819r395805_rule, STIG-ID|SQL4-00-013000, STIG-Legacy|SV-82275, STIG-Legacy|V-67785, Vuln-ID|V-213819
Plugin: MS_SQLDB
Control ID: 6946033a69c8dad6ae2a1db9f115119af8b2098c7c7c341f37b8cad73f405efc