
C2 Audit mode should be enabled or custom audit traces defined.


Overview

Finding ID: V-2426
Version: DM0510-SQLServer9
Rule ID: SV-25417r1_rule
IA Controls: ECAT-1, ECAT-2
Severity: Medium
Description
The C2 audit mode uses a system-defined trace to collect audit information for MS SQL Server 2000 and higher. It utilizes all security event categories defined within SQL Server, not all of which are required by the Database STIG. Without required auditing, accountability and investigative support are limited.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-20376r1_chk)
From the query prompt:

SELECT CAST(value AS INT) 'Config_Value'
FROM [master].sys.configurations
WHERE name = 'c2 audit mode'

If 1 is returned as the value for Config_Value, this is Not a Finding.

If the value 0 is returned for Config_Value, confirm that a valid audit trace is configured and implemented. See checks DG0029, DG0145 and DM5267. If there is not a valid audit trace, this is a Finding.
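
The following T-SQL is an added example, not part of the STIG text. It gathers evidence for this check: the configured versus running value of C2 audit mode, and the Security Audit events captured by each running non-default trace. The column aliases and Assessment wording are illustrative assumptions; what makes a trace "valid" is defined in checks DG0029, DG0145 and DM5267, not by this query.

```sql
-- Added example: evidence-gathering queries for this check (not STIG text).

-- 1. C2 audit mode: configured value versus the value currently in use.
--    A configured 1 with a running 0 means the setting is not yet active.
SELECT name,
       CAST(value AS INT)        AS Config_Value,
       CAST(value_in_use AS INT) AS Running_Value,
       CASE
           WHEN CAST(value AS INT) = 1 AND CAST(value_in_use AS INT) = 0
               THEN 'Set but not active: restart the instance'
           WHEN CAST(value AS INT) = 1
               THEN 'C2 audit mode active'
           ELSE 'C2 off: review custom audit traces below'
       END AS Assessment
FROM [master].sys.configurations
WHERE name = 'c2 audit mode';

-- 2. Running, non-default traces and the Security Audit events each captures.
--    An empty result with C2 off means no running trace records audit events.
SELECT t.id          AS Trace_ID,
       t.path        AS Trace_File,
       t.is_shutdown AS Shutdown_On_Failure,
       t.is_rollover AS Rollover,
       e.name        AS Audit_Event
FROM sys.traces AS t
CROSS APPLY (SELECT DISTINCT eventid
             FROM sys.fn_trace_geteventinfo(t.id)) AS ei
JOIN sys.trace_events     AS e ON e.trace_event_id = ei.eventid
JOIN sys.trace_categories AS c ON c.category_id = e.category_id
WHERE t.status = 1          -- trace is running
  AND t.is_default = 0      -- exclude the built-in default trace
  AND c.name = 'Security Audit'
ORDER BY t.id, e.name;
```

Compare the Audit_Event list for each trace against the events required by the referenced checks before recording the result.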
Fix Text (F-18336r1_fix)
Configure and enable C2 auditing or confirm valid audit traces are set per checks DG0029, DG0145 and DM5267.

Note: Setting the C2 audit mode enables auditing of more events than required by the STIG and may generate too many records to manage effectively.

From the query prompt:

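EXEC SP_CONFIGURE 'show advanced options', 1  -- 'c2 audit mode' is an advanced option
RECONFIGURE
EXEC SP_CONFIGURE 'c2 audit mode', 1  -- takes effect after the SQL Server instance is restarted
RECONFIGURE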

To create a custom audit, see instructions in check DG0145.