
The DBMS audit logs should be included in backup operations.


Overview

Finding ID: V-15117
Version: DG0176-SQLServer9
Rule ID: SV-25402r1_rule
IA Controls: ECTB-1
Severity: Medium
Description
DBMS audit logs are essential to the investigation and prosecution of unauthorized access to the DBMS data. Unless audit logs are available for review, the extent of data compromise may not be determined and the vulnerability exploited may not be discovered. Undiscovered vulnerabilities could lead to additional or prolonged compromise of the data.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-20487r1_chk)
Audit events are logged by SQL Server to error logs, Windows event logs, and to SQL Profiler trace files.

Review evidence of backups that include the default directory for SQL Server error logs and trace files.

The default directory for SQL Server error logs and trace files is stored in the Windows registry under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\DefaultLog

Where [#] is the sequential number assigned to each instance.

This directory is referred to below as [instance logpath]:

SQL Server error logs:

[instance logpath]ERRORLOG.[#]

Audit trace (*.trc) files:

Default is [instance logpath], but may be directed to any accessible directory.

Log files of other components, e.g. SQLAGENT.[#]:

[instance logpath]

Audit trace results may also be directed to SQL Server tables. SQL Server data backups are addressed in a separate check; therefore, do not include audit results stored in database tables.

If evidence of inclusion of audit log files in regular DBMS or host backups does not exist, this is a Finding.
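
One way to gather evidence for this check, as an added example that is not part of the STIG: the script reads DefaultLog for each instance, lists the error log, agent log and trace files found there, and flags any that do not appear in a backup manifest. The manifest format (a text file with one backed-up full path per line) and the parameter names -ManifestPath and -ExtraTraceDirs are assumptions made for this example.

```powershell
# Added example (hypothetical helper, not part of the STIG). Windows PowerShell 3.0+.
# Assumption: -ManifestPath is a text file exported from the backup tool with one
# backed-up full path per line; that format is constructed for this example.
param(
    [Parameter(Mandatory = $true)][string]$ManifestPath,
    [string[]]$ExtraTraceDirs = @()   # directories that receive redirected *.trc files
)

# PowerShell hashtables compare keys case-insensitively, like Windows paths.
$backedUp = @{}
Get-Content -LiteralPath $ManifestPath | ForEach-Object {
    $line = $_.Trim()
    if ($line) { $backedUp[$line] = $true }
}

$root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instances = Get-ChildItem -Path $root | Where-Object { $_.PSChildName -like 'MSSQL.*' }

$report = foreach ($inst in $instances) {
    # DefaultLog is the registry value named in the check text.
    $key = Join-Path $inst.PSPath 'MSSQLServer'
    $logPath = (Get-ItemProperty -Path $key -Name DefaultLog -ErrorAction SilentlyContinue).DefaultLog
    if (-not $logPath) {
        Write-Warning "$($inst.PSChildName): DefaultLog not set; determine the log directory manually."
        continue
    }
    $dirs = @($logPath) + $ExtraTraceDirs
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            Write-Warning "$($inst.PSChildName): directory not found: $dir"
            continue
        }
        # ERRORLOG.[#], SQLAGENT.[#] and *.trc, plus the current ERRORLOG / SQLAGENT.OUT.
        Get-ChildItem -LiteralPath $dir -File |
            Where-Object { $_.Name -match '^(ERRORLOG|SQLAGENT)(\.|$)' -or $_.Extension -eq '.trc' } |
            ForEach-Object {
                [pscustomobject]@{
                    Instance  = $inst.PSChildName
                    File      = $_.FullName
                    LastWrite = $_.LastWriteTime
                    InBackup  = $backedUp.ContainsKey($_.FullName)
                }
            }
    }
}

$report | Sort-Object InBackup, File | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.InBackup })
if ($missing.Count) { Write-Warning "$($missing.Count) audit log file(s) absent from the backup manifest." }
```

Files listed with InBackup set to False are the ones to raise with the backup administrator; the script does not examine audit results stored in database tables or the Windows event logs.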
Fix Text (F-23486r1_fix)
Configure regular backups to include SQL Server audit trace files, instance error logs, and other error log files, and ensure that they are included.