
The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.


Overview

Finding ID: V-15611
Version: DG0054-SQLServer9
Rule ID: SV-24183r1_rule
IA Controls: ECAT-1, ECAT-2
Severity: Low
Description
Regular and timely reviews of audit records increase the likelihood of early discovery of suspicious activity. Discovery of suspicious behavior can in turn trigger protection responses to minimize or eliminate a negative impact from malicious activity. Use of an unauthorized application to access the DBMS may indicate an attempt to bypass security controls, including authentication and data access or manipulation, implemented by authorized applications.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-22655r1_chk)
Review procedures for and evidence of monitoring the audit log to detect access by unauthorized applications in the System Security Plan.

If procedures or implementation evidence do not exist, this is a Finding.

If alerts are not generated automatically, manual reviews should occur weekly or more frequently. If manual reviews are required and implementation evidence does not exist, this is a Finding.
Fix Text (F-18444r1_fix)
Develop, document and implement procedures for monitoring application access to the database to detect access meant to bypass security controls.

Where alerts are not implemented or available, establish weekly or more frequent review of queue activity.