The Azure SQL Database must be able to generate audit records when privileges/permissions are retrieved.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-255326	ASQL-00-004500	SV-255326r960885_rule		Medium

Description
Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that SQL Server continually performs to determine if any and every action on the database is permitted.

Description

Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that SQL Server continually performs to determine if any and every action on the database is permitted.

STIG	Date
Microsoft Azure SQL Database Security Technical Implementation Guide	2024-06-10

Details

Check Text ( C-58999r871102_chk )
Review Azure SQL Database configuration to verify that audit records are produced when privileges/permissions/role memberships are retrieved. To determine if an audit is configured, follow the instructions below: Run this TSQL command to determine if SQL Auditing AuditActionGroups are configured: SELECT DISTINCT sd.audit_action_name FROM sys.database_audit_specification_details sd JOIN sys.database_audit_specifications s ON s.database_specification_id = sd.database_specification_id WHERE (name = 'SqlDbAuditing_ServerAuditSpec' /Server Audit/ OR name = 'SqlDbAuditing_AuditSpec') /Database Audit/ AND s.is_state_enabled = 1 ORDER BY sd.audit_action_name If no values exist for AuditActionGroup, this is a finding. Verify the following AuditActionGroup(s) are configured: SCHEMA_OBJECT_ACCESS_GROUP If any listed AuditActionGroups do not exist in the configuration, this is a finding.

Check Text ( C-58999r871102_chk )

Review Azure SQL Database configuration to verify that audit records are produced when privileges/permissions/role memberships are retrieved.

To determine if an audit is configured, follow the instructions below:
Run this TSQL command to determine if SQL Auditing AuditActionGroups are configured:
SELECT DISTINCT sd.audit_action_name
FROM sys.database_audit_specification_details sd
JOIN sys.database_audit_specifications s
ON s.database_specification_id = sd.database_specification_id
WHERE (name = 'SqlDbAuditing_ServerAuditSpec' /*Server Audit*/
OR name = 'SqlDbAuditing_AuditSpec') /*Database Audit*/
AND s.is_state_enabled = 1
ORDER BY sd.audit_action_name

If no values exist for AuditActionGroup, this is a finding.

Verify the following AuditActionGroup(s) are configured:
SCHEMA_OBJECT_ACCESS_GROUP

If any listed AuditActionGroups do not exist in the configuration, this is a finding.

Fix Text (F-58943r877250_fix)
Deploy an audit to review the retrieval of privilege/permission/role membership information. Refer to the supplemental file "AzureSQLDatabaseAudit.txt" PowerShell script.