Access to DBMS security should be audited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15643	DG0140-SQLServer9	SV-25371r1_rule	ECAR-1 ECAR-2 ECAR-3	Medium

Description
DBMS security data is useful to malicious users to perpetrate activities that compromise DBMS operations or data integrity. Auditing of access to this data supports forensic and accountability investigations.

STIG	Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide	2015-06-16

Details

Check Text ( C-23625r1_chk )
Note: Checks DG0029, DG0145, DM0510 and DM5267 cover auditing of data within SQL Server and should not be included in this check. Determine locations of DBMS audit, configuration, credential and other security data using the registry keys provided below: Audit Trace = HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\DefaultData Log = C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\LogFiles HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.3\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\DefaultLog HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\SQLServerAgent\ErrorLogFile Config = C:\Program Files\Microsoft SQL Server\90\Shared\ASConfig HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\{INSTANCE NAME}\Setup\SQLPath HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\BackupDirectory HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\FullTextDefaultPath HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Replication\WorkingDirectory HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLBinRoot HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLDataRoot HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLPath HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLProgramDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\SQLServerAgent\WorkingDirectory HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\DataDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\SQLBinRoot HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\SQLPath HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\SQLProgramDir Review audit settings for these directories, files or data objects. If the security data is not audited for access, consider the operational impact and appropriateness for access that is not audited. If the risk for incomplete auditing of the security files is reasonable and documented in the System Security Plan, do not include this as a Finding.

Check Text ( C-23625r1_chk )

Note: Checks DG0029, DG0145, DM0510 and DM5267 cover auditing of data within SQL Server and should not be included in this check.

Determine locations of DBMS audit, configuration, credential and other security data using the registry keys provided below:

Audit Trace = HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\DefaultData

Log = C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\LogFiles
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\CPE\ErrorDumpDir
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\CPE\ErrorDumpDir
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.3\CPE\ErrorDumpDir
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\DefaultLog
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\SQLServerAgent\ErrorLogFile

Config = C:\Program Files\Microsoft SQL Server\90\Shared\ASConfig
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\{INSTANCE NAME}\Setup\SQLPath
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\BackupDirectory
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\FullTextDefaultPath
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Replication\WorkingDirectory
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLBinRoot
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLDataRoot
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLPath
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLProgramDir
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\SQLServerAgent\WorkingDirectory
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\DataDir
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\SQLBinRoot
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\SQLPath
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\SQLProgramDir

Review audit settings for these directories, files or data objects. If the security data is not audited for access, consider the operational impact and appropriateness for access that is not audited.

If the risk for incomplete auditing of the security files is reasonable and documented in the System Security Plan, do not include this as a Finding.

Fix Text (F-14764r1_fix)
Enable auditing for access to any security data where supported by the OS. If audit for access results in an unacceptable adverse impact on application operation, scale back the audit to a reasonable and acceptable level. Document any incomplete audit with acceptance of the risk of incomplete audit in the System Security Plan. Auditing for Access via OS should include, at a minimum, the User ID, date and time of the event and the event type per Check DG0145.

Fix Text (F-14764r1_fix)

Enable auditing for access to any security data where supported by the OS.

If audit for access results in an unacceptable adverse impact on application operation, scale back the audit to a reasonable and acceptable level.

Document any incomplete audit with acceptance of the risk of incomplete audit in the System Security Plan.

Auditing for Access via OS should include, at a minimum, the User ID, date and time of the event and the event type per Check DG0145.