SQL2-00-012300 - SQL Server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event - 'Event ID 110'

Information

Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.

Database software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed a given action. If user identification information is not recorded and stored with the audit record, the record itself is of very limited use.

Solution

Create a trace that meets all auditing requirements.

The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2012_V1R20_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, CAT|II, CCI|CCI-001487, Rule-ID|SV-53403r4_rule, STIG-ID|SQL2-00-012300, Vuln-ID|V-41028

Plugin: MS_SQLDB

Control ID: 992b414ee4b6a6084a98e3dc744f80f7779e2d8864e4e84be2d69a6c90d53865