Detections
Analytics

SQLI-22-011800 - SQL Server must produce audit records when attempts to modify SQL Server configuration and privileges occur within the database(s).

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Without auditing the enforcement of access restrictions against changes to configuration, it would be difficult to identify attempted attacks, and an audit trail would not be available for forensic investigation for after-the-fact actions.

Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.

Changes in the permissions, privileges, and roles granted to users and roles, as well as privileged activity, must be tracked. Without an audit trail, unauthorized elevation or restriction of privileges could go undetected. Elevated privileges give users access to information and functionality that they should not have; restricted privileges wrongly deny access to authorized users.

A privileged function in this context is any operation that modifies the structure of the database, its built-in logic, or its security settings. This would include all Data Definition Language (DDL) statements and all security-related statements. In a SQL environment, it encompasses, but is not necessarily limited to, CREATE, ALTER, DROP, GRANT, REVOKE, and DENY.

There may also be Data Manipulation Language (DML) statements that, subject to context, should be regarded as privileged. Possible examples in SQL include TRUNCATE TABLE, SELECT, INSERT, UPDATE, or DELETE (to a security table executed by a user other than a security principal).

Depending on the capabilities of SQL Server and the design of the database and associated applications, audit logging may be achieved by means of DBMS auditing features, database triggers, other mechanisms, or a combination of these.

Note that it is particularly important to audit, and tightly control, any action that weakens the implementation of this requirement, since the objective is to have a complete audit trail of all administrative activity.

To aid in diagnosis, it is necessary to track failed attempts in addition to the successful ones.

Satisfies: SRG-APP-000381-DB-000361, SRG-APP-000495-DB-000326, SRG-APP-000495-DB-000327, SRG-APP-000495-DB-000328, SRG-APP-000495-DB-000329, SRG-APP-000499-DB-000330, SRG-APP-000499-DB-000331, SRG-APP-000504-DB-000354, SRG-APP-000504-DB-000355

Solution

Add the required events to the server audit specification to audit denied actions.

Refer to the supplemental file "SQL2022Audit.sql" script.

Reference: https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine?

See Also

https://dl.dod.cyber.mil/wp-content/uploads/U_MS_SQL_Server_2022_Y25M06_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000172, CCI|CCI-003938, Rule-ID|SV-271351r1111086_rule, STIG-ID|SQLI-22-011800, Vuln-ID|V-271351

Plugin: MS_SQLDB

Control ID: ada99324ec07d9791f3ff1a20b4052faad4eb7dcf04d02cbcb76d812a3dfc047