UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

C2 Audit mode should be enabled or custom audit traces defined.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2426 DM0510-SQLServer9 SV-25417r1_rule ECAT-1 ECAT-2 Medium
Description
The C2 audit mode uses a system-defined trace to collect audit information for MS SQL Server 2000 and higher. It utilizes all security event categories defined within SQL Server, not all of which are required by the Database STIG. Without required auditing, accountability and investigative support is limited.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-20376r1_chk )
From the query prompt:

SELECT CAST(value AS INT) 'Config_Value'
FROM [master].sys.configurations
WHERE name = 'c2 audit mode'

If 1 is returned as the value for Config_Value, this is Not a Finding

If the value 0 is returned for Config_Value, confirm that a valid audit trace is configured and implemented. See checks DG0029, DG0145 and DM5267. If there is not a valid audit trace, this is a Finding.
Fix Text (F-18336r1_fix)
Configure and enable C2 auditing or confirm valid audit traces are set per checks DG0029, DG0145 and DM5267.

Note: Setting the C2 audit mode enables auditing of more events than required by the STIG and may generate too many records to manage effectively.

From the query prompt:

EXEC SP_CONFIGURE 'c2 audit mode', 1
RECONFIGURE

To create a custom audit, see instructions in check DG0145.