SQL2-00-012400 - SQL Server must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject - 'Event ID 172'

Information

SQL Server auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.

SQL Server provides a means to add organization-defined additional, more detailed information to audit event records. These events may be identified by type, location, or subject. One example of the more detailed information an organization may require in audit records is the name of the application the request is coming from.

Some organizations may determine that more detailed information is required for specific database event types. If this information is not available, it could negatively impact forensic investigations into user actions or other malicious events.

Solution

Create a trace that meets all auditing requirements.

The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.
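
As an added illustration (this is not the STIG's Trace.sql), the T-SQL below creates a server-side trace that records trace event 172 together with the application name and other identifying columns, then lists what every running trace captures for that event. The file path, file size and column selection are assumptions to adjust locally.

```sql
-- Added example, not the STIG-supplied Trace.sql. Path, size and columns are assumptions.
DECLARE @traceid int, @rc int;
DECLARE @maxfilesize bigint = 500;   -- MB per rollover file (assumed value)
DECLARE @on bit = 1;                 -- sp_trace_setevent requires a bit-typed argument
DECLARE @tracefile nvarchar(245) = N'D:\SQLAudit\stig_trace';  -- placeholder; .trc is appended

-- Option 2 = TRACE_FILE_ROLLOVER
EXEC @rc = sp_trace_create @traceid OUTPUT, 2, @tracefile, @maxfilesize, NULL;
IF @rc <> 0
BEGIN
    RAISERROR('sp_trace_create failed with return code %d', 16, 1, @rc);
    RETURN;
END;

-- Columns to record for event 172:
-- 1 TextData, 8 HostName, 10 ApplicationName, 11 LoginName, 12 SPID,
-- 14 StartTime, 23 Success, 34 ObjectName, 35 DatabaseName, 40 DBUserName
DECLARE @cols TABLE (columnid int PRIMARY KEY);
INSERT INTO @cols (columnid) VALUES (1),(8),(10),(11),(12),(14),(23),(34),(35),(40);

DECLARE @col int;
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR SELECT columnid FROM @cols;
OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @col;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sp_trace_setevent @traceid, 172, @col, @on;
    FETCH NEXT FROM col_cursor INTO @col;
END;
CLOSE col_cursor;
DEALLOCATE col_cursor;

EXEC sp_trace_setstatus @traceid, 1;  -- 1 = start the trace

-- Verification: columns captured for event 172 by each running trace
SELECT t.id AS trace_id, t.path, e.name AS event_name, c.name AS column_name
FROM sys.traces AS t
CROSS APPLY sys.fn_trace_geteventinfo(t.id) AS i
JOIN sys.trace_events  AS e ON e.trace_event_id  = i.eventid
JOIN sys.trace_columns AS c ON c.trace_column_id = i.columnid
WHERE t.status = 1 AND i.eventid = 172
ORDER BY t.id, i.columnid;
```

A trace defined with sp_trace_create does not persist across a SQL Server service restart, so it has to be re-created at startup for the audit coverage to remain continuous.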

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2012_V1R20_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3(1), CAT|II, CCI|CCI-000135, Rule-ID|SV-53402r4_rule, STIG-ID|SQL2-00-012400, Vuln-ID|V-41027

Plugin: MS_SQLDB

Control ID: 90316ba474221215c4224c054561b64f578be3a974b42d230f757d93ad03aeae