SQL4-00-012000 - SQL Server must produce Trace or Audit records containing sufficient information to establish where the events occurred.

Information

Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.

SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly where actions were performed. This requires specific information regarding the event location an audit record is referring to. If event location information is not recorded and stored with the audit record, the record itself is of very limited use.

An event location can be a database instance, table, column, row, etc. Without sufficient information establishing where the audit events occurred, investigation into the cause of events is severely hindered. If SQL Server Audit is enabled, SQL Server does capture the event location-specific information in all audit records.

Use of SQL Server Audit is recommended. All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being. Note, however, that Microsoft intends to remove most aspects of Trace at some point after SQL Server 2016.

Solution

Design and deploy a SQL Server Audit or Trace that captures the server name, database name, object type, object name and object owner (each where relevant) for all auditable events.

The script provided in the supplemental file Trace.sql can be used to create a trace.

The script provided in the supplemental file Audit.sql can be used to create an audit..

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2014_Y24M07_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, CAT|II, CCI|CCI-000132, Rule-ID|SV-213814r960897_rule, STIG-ID|SQL4-00-012000, STIG-Legacy|SV-82265, STIG-Legacy|V-67775, Vuln-ID|V-213814

Plugin: MS_SQLDB

Control ID: edd27dcbda77282f1639a6a7a1df242e3ad761b51f7ff572c82a737348019691