DISA STIG SQL Server 2014 Instance DB Audit v2r4

Audit Details

Name: DISA STIG SQL Server 2014 Instance DB Audit v2r4

Updated: 8/21/2024

Authority: DISA STIG

Plugin: MS_SQLDB

Revision: 1.0

Estimated Item Count: 450

File Details

Filename: DISA_STIG_MSSQL_2014_Instance_Database_v2r4.audit

Size: 1.8 MB

MD5: f281da59c252f81b3ec6c69f068cbb79
SHA256: 374ce329f6b983f7bc57ea4f7e7634602653f4488c59dca65f9167da91c85884

Audit Items

DescriptionCategories
SQL4-00-000100 - The number of concurrent SQL Server sessions for each system account must be limited.

ACCESS CONTROL

SQL4-00-002010 - SQL Server must enforce approved authorizations for logical access to server-level system resources in accordance with applicable access control policies.

ACCESS CONTROL

SQL4-00-010200 - SQL Server default account [sa] must have its name changed.

CONFIGURATION MANAGEMENT

SQL4-00-011300 - Where SQL Server Trace is in use for auditing purposes, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be traced.

AUDIT AND ACCOUNTABILITY

SQL4-00-011310 - Where SQL Server Audit is in use, SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited at the server level.

AUDIT AND ACCOUNTABILITY

SQL4-00-011410 - Where SQL Server Audit is in use, SQL Server must generate audit records when privileges/permissions are retrieved.

AUDIT AND ACCOUNTABILITY

SQL4-00-011900 - SQL Server must produce Trace or Audit records containing sufficient information to establish when the events occurred.

AUDIT AND ACCOUNTABILITY

SQL4-00-012000 - SQL Server must produce Trace or Audit records containing sufficient information to establish where the events occurred.

AUDIT AND ACCOUNTABILITY

SQL4-00-012100 - SQL Server must produce Trace or Audit records containing sufficient information to establish the sources (origins) of the events - origins of the events.

AUDIT AND ACCOUNTABILITY

SQL4-00-012200 - SQL Server must produce Trace or Audit records containing sufficient information to establish the outcome (success or failure) of the events - success/failure of the events.

AUDIT AND ACCOUNTABILITY

SQL4-00-012300 - SQL Server must produce Trace or Audit records containing sufficient information to establish the identity of any user/subject associated with the event.

AUDIT AND ACCOUNTABILITY

SQL4-00-012400 - SQL Server must include organization-defined additional, more detailed information in Trace or Audit records for events identified by type, location, or subject.

AUDIT AND ACCOUNTABILITY

SQL4-00-013000 - Unless it has been determined that availability is paramount, SQL Server must shut down upon the failure of an Audit, or a Trace used for auditing purposes, to include the unavailability of space for more audit/trace log records.

AUDIT AND ACCOUNTABILITY

SQL4-00-013600 - The audit information produced by SQL Server must be protected from unauthorized read access.

AUDIT AND ACCOUNTABILITY

SQL4-00-013700 - The audit information produced by SQL Server must be protected from unauthorized modification.

AUDIT AND ACCOUNTABILITY

SQL4-00-013800 - The audit information produced by SQL Server must be protected from unauthorized deletion.

AUDIT AND ACCOUNTABILITY

SQL4-00-013900 - Audit tools used in, or in conjunction with, SQL Server must be protected from unauthorized access.

AUDIT AND ACCOUNTABILITY

SQL4-00-015300 - SQL Server security-relevant configuration settings must be monitored to discover unauthorized changes.

CONFIGURATION MANAGEMENT

SQL4-00-016200 - SQL Server must have the publicly available Northwind sample database removed.

CONFIGURATION MANAGEMENT

SQL4-00-016300 - SQL Server must have the publicly available pubs sample database removed.

CONFIGURATION MANAGEMENT

SQL4-00-016310 - SQL Server must have the publicly available AdventureWorks sample database removed.

CONFIGURATION MANAGEMENT

SQL4-00-016835 - SQL Server must have the Data Quality Services software component removed if it is unused.

CONFIGURATION MANAGEMENT

SQL4-00-016855 - SQL Server must have the Filestream feature disabled if it is unused.

CONFIGURATION MANAGEMENT

SQL4-00-017000 - Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled.

CONFIGURATION MANAGEMENT

SQL4-00-017100 - The SQL Server default account [sa] must be disabled.

CONFIGURATION MANAGEMENT

SQL4-00-017200 - Access to xp_cmdshell must be disabled, unless specifically required and approved.

CONFIGURATION MANAGEMENT

SQL4-00-017400 - SQL Server must be configured to prohibit or restrict the use of unauthorized network protocols.

CONFIGURATION MANAGEMENT

SQL4-00-017410 - SQL Server must be configured to prohibit or restrict the use of unauthorized network ports.

CONFIGURATION MANAGEMENT

SQL4-00-018400 - SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users) - or processes acting on behalf of organizational users.

IDENTIFICATION AND AUTHENTICATION

SQL4-00-018900 - SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users) - or processes acting on behalf of non-org users.

IDENTIFICATION AND AUTHENTICATION

SQL4-00-020500 - SQL Server must be configured to separate user functionality (including user interface services) from database management functionality - including UI services from database management functionality.

SYSTEM AND COMMUNICATIONS PROTECTION

SQL4-00-021500 - SQL Server must isolate security functions from nonsecurity functions.

SYSTEM AND COMMUNICATIONS PROTECTION

SQL4-00-023700 - SQL Server must protect against an individual using a shared account from falsely denying having performed a particular action.

AUDIT AND ACCOUNTABILITY

SQL4-00-024500 - The Service Master Key must be backed up, stored offline and off-site.

SYSTEM AND COMMUNICATIONS PROTECTION

SQL4-00-030300 - SQL Server authentication and identity management must be integrated with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

ACCESS CONTROL

SQL4-00-030410 - Where SQL Server Audit is in use, SQL Server must generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.

AUDIT AND ACCOUNTABILITY

SQL4-00-030600 - Where availability is paramount, the SQL Server must continue processing (preferably overwriting existing records, oldest first), in the event of lack of space for more Audit/Trace log records; and must keep processing after any failure of an Audit/Trace.

AUDIT AND ACCOUNTABILITY

SQL4-00-030700 - The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users - s used to modify database structure and logic modules must be restricted to authorized users.

CONFIGURATION MANAGEMENT

SQL4-00-031400 - Access to database files must be limited to relevant processes and to authorized, administrative users.

SYSTEM AND COMMUNICATIONS PROTECTION

SQL4-00-031700 - SQL Server must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.

ACCESS CONTROL

SQL4-00-032500 - SQL Server must prevent non-privileged users from executing privileged functionality, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

ACCESS CONTROL

SQL4-00-032600 - Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.

ACCESS CONTROL

SQL4-00-032800 - SQL Server must utilize centralized management of the content captured in audit records generated by all components of the DBMS.

AUDIT AND ACCOUNTABILITY

SQL4-00-033000 - SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.

AUDIT AND ACCOUNTABILITY

SQL4-00-033400 - SQL Server, the operating system, or the storage system must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.

AUDIT AND ACCOUNTABILITY

SQL4-00-033500 - SQL Server or software monitoring SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.

AUDIT AND ACCOUNTABILITY

SQL4-00-033800 - SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

CONFIGURATION MANAGEMENT

SQL4-00-033900 - SQL Server and Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance or database(s) - s.

CONFIGURATION MANAGEMENT

SQL4-00-034000 - SQL Server must produce Trace or Audit records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database(s) - APPLICATION_ROLE_CHANGE_PASSWORD_GROUP

CONFIGURATION MANAGEMENT

SQL4-00-034000 - SQL Server must produce Trace or Audit records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database(s) - AUDIT_CHANGE_GROUP

CONFIGURATION MANAGEMENT