SQL Server must protect its audit features from unauthorized access, modification, or removal.

From MS SQL Server 2014 Instance Security Technical Implementation Guide

Part of SRG-APP-000121-DB-000202

Associated with: CCI-001493

SV-82285r1_rule SQL Server must protect its audit features from unauthorized access, modification, or removal.

Vulnerability discussion

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access. If an attacker were to gain access to audit tools, he could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity.This focuses on audit/trace log tools within SQL Server. Other STIG requirements govern operating system settings to control access to external tools.

Check content

Review the SQL Server permissions granted to principals. The views and functions provided in the supplemental file Permissions.sql can help with this. Look for permissions such as ALTER ANY SERVER AUDIT, ALTER ANY DATABASE AUDIT, ALTER TRACE; or EXECUTE on the stored procedures with names beginning "SP_TRACE", or on scopes including those procedures. If unauthorized accounts have these privileges, this is a finding.

Fix text

Use REVOKE and/or DENY statements to remove audit-related permissions from individuals and roles not authorized to have them.

Pro Tips

Powered by sagemincer