Detections
Analytics

DISA STIG SQL Server 2016 Instance DB Audit v2r11

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG SQL Server 2016 Instance DB Audit v2r11

Updated: 6/17/2024

Authority: DISA STIG

Plugin: MS_SQLDB

Revision: 1.1

Estimated Item Count: 84

Audit Items

DescriptionCategories
SQL6-D0-003600 - SQL Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
SQL6-D0-003700 - SQL Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
SQL6-D0-003900 - SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
SQL6-D0-004100 - SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration - clustering and availability
SQL6-D0-004100 - SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration - permissions
SQL6-D0-004200 - SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance.
SQL6-D0-004300 - SQL Server must be configured to generate audit records for DoD-defined auditable events within all DBMS/database components.
SQL6-D0-004400 - SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
SQL6-D0-004600 - SQL Server must generate audit records when successful/unsuccessful attempts to retrieve privileges/permissions occur.
SQL6-D0-004700 - SQL Server must initiate session auditing upon startup.
SQL6-D0-005500 - SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
SQL6-D0-005600 - SQL Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
SQL6-D0-005700 - SQL Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.
SQL6-D0-005900 - The audit information produced by SQL Server must be protected from unauthorized access, modification, and deletion.
SQL6-D0-006300 - SQL Server must protect its audit configuration from authorized and unauthorized access and modification.
SQL6-D0-006500 - SQL Server must limit privileges to change software modules and links to software external to SQL Server.
SQL6-D0-006600 - SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server.
SQL6-D0-006900 - Default demonstration and sample databases, database objects, and applications must be removed.
SQL6-D0-007000 - Unused database components, DBMS software, and database objects must be removed.
SQL6-D0-007100 - Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled.
SQL6-D0-007200 - Access to xp_cmdshell must be disabled, unless specifically required and approved.
SQL6-D0-007300 - Access to CLR code must be disabled or restricted, unless specifically required and approved.
SQL6-D0-007400 - Access to Non-Standard extended stored procedures must be disabled or restricted, unless specifically required and approved.
SQL6-D0-007500 - Access to linked servers must be disabled or restricted, unless specifically required and approved.
SQL6-D0-007800 - SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
SQL6-D0-007900 - If DBMS authentication using passwords is employed, SQL Server must enforce the DoD standards for password complexity and lifetime.
SQL6-D0-008000 - Contained databases must use Windows principals.
SQL6-D0-008200 - If passwords are used for authentication, SQL Server must transmit only encrypted representations of passwords.
SQL6-D0-008800 - SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
SQL6-D0-009500 - SQL Server must protect the confidentiality and integrity of all information at rest.
SQL6-D0-009600 - The Service Master Key must be backed up, stored offline and off-site.
SQL6-D0-009700 - The Master Key must be backed up, stored offline and off-site.
SQL6-D0-009800 - SQL Server must prevent unauthorized and unintended information transfer via shared system resources.
SQL6-D0-010100 - SQL Server must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.
SQL6-D0-010400 - SQL Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
SQL6-D0-010500 - Use of credentials and proxies must be restricted to necessary cases only.
SQL6-D0-010700 - SQL Server must utilize centralized management of the content captured in audit records generated by all components of SQL Server.
SQL6-D0-010800 - SQL Server must provide centralized configuration of the content to be captured in audit records generated by all components of SQL Server.
SQL6-D0-010900 - SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
SQL6-D0-011000 - SQL Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.
SQL6-D0-011100 - SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.
SQL6-D0-011400 - SQL Server must enforce access restrictions associated with changes to the configuration of the instance.
SQL6-D0-011800 - SQL Server must produce audit records of its enforcement of access restrictions associated with changes to the configuration of SQL Server or database(s).
SQL6-D0-011900 - SQL Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.
SQL6-D0-012300 - SQL Server must maintain a separate execution domain for each executing process.
SQL6-D0-012400 - SQL Server services must be configured to run under unique dedicated user accounts.
SQL6-D0-012700 - When updates are applied to SQL Server software, any software components that have been replaced or made unnecessary must be removed.
SQL6-D0-012800 - Security-relevant software updates to SQL Server must be installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
SQL6-D0-012900 - SQL Server must be able to generate audit records when successful and unsuccessful attempts to access security objects occur.
SQL6-D0-013200 - SQL Server must generate audit records when successful and unsuccessful attempts to access categorized information (e.g., classification levels/security levels) occur.