UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DBMS audit logs should be included in backup operations.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15117 DG0176-SQLServer9 SV-25402r1_rule ECTB-1 Medium
Description
DBMS audit logs are essential to the investigation and prosecution of unauthorized access to the DBMS data. Unless audit logs are available for review, the extent of data compromise may not be determined and the vulnerability exploited may not be discovered. Undiscovered vulnerabilities could lead to additional or prolonged compromise of the data.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-04-03

Details

Check Text ( C-20487r1_chk )
Audit events are logged by SQL Server to error logs, Windows event logs, and to SQL Profiler trace files.

Review evidence of backups that include the default directory for SQL Server error logs and trace files.

The default directory for SQL Server error logs and trace files is stored in the Windows registry under:

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ DefaultLog

Where [#] is the sequential number assigned to each instance.

This directory is referred to below as [instance logpath]:

SQL Server error logs:

[instance logpath]ERRORLOG.[#]

Audit trace (*.trc) files:

Default is [instance logpath], but may be directed to any accessible directory.

Log files of other components, e.g. SQLAGENT.[#]:

[instance logpath]

Audit trace results may also be directed to SQL Server tables. SQL Server data backups are addressed in a separate check; therefore, do not include audit results stored in database tables.

If evidence of inclusion of audit log files in regular DBMS or host backups does not exist, this is a Finding.
Fix Text (F-23486r1_fix)
Configure and ensure SQL Server audit trace files, instance and other error log files are included in regular backups.