
Execute stored procedures at startup, if enabled, should have a custom audit trace defined.


Overview

Finding ID: V-2464
Version: DM1761-SQLServer9
Rule ID: SV-23884r1_rule
IA Controls: DCSS-1, DCSS-2
Severity: Medium
Description
The DBMS startup process may be vulnerable to introduction of malicious or unauthorized actions. Any use of automated execution of custom procedures provides an opportunity to deploy unauthorized code. For some versions of SQL Server, audit requirements may only be met by audit procedures that are set to start automatically at system startup.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-22860r1_chk)
From the query prompt:

SELECT CAST(value AS INT) 'Config_Value'
FROM [master].sys.configurations
WHERE name = 'scan for startup procs'

If a value of 1 is returned for Config_Value and a custom audit trace is NOT in use (see Check DG0145: DBMS audit record content), this is a Finding.

NOTE: Using sp_procoption to mark or unmark stored procedures for automatic execution enables this option automatically. If operationally required, document this option as required in the System Security Plan.
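The following queries are an added example, not part of the STIG text. They extend the check above by also listing which procedures are marked for startup execution and which non-default traces are defined, so the reviewer can compare them against the System Security Plan and the DG0145 audit trace. The example assumes a login with sufficient rights to read sys.traces.

```sql
-- Added example (not STIG text): review startup-procedure exposure on one instance.
USE [master];

-- 1. Is the instance configured to scan for startup procedures?
SELECT name,
       CAST(value AS INT)        AS Config_Value,   -- configured value
       CAST(value_in_use AS INT) AS Running_Value   -- value the running instance uses
FROM   sys.configurations
WHERE  name = 'scan for startup procs';

-- 2. Which procedures are marked to run at startup?
--    Startup procedures reside in master, so only master is queried.
SELECT SCHEMA_NAME(p.schema_id) AS schema_name,
       p.name                   AS procedure_name,
       p.create_date,
       p.modify_date            -- a recent change to a startup procedure merits review
FROM   sys.procedures AS p
WHERE  OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1
ORDER  BY p.modify_date DESC;

-- 3. Which non-default traces are defined, and are they running?
SELECT id,
       status,                   -- 1 = running, 0 = stopped
       path,
       start_time
FROM   sys.traces
WHERE  is_default = 0;
```

A Config_Value of 1 together with an empty result from the third query matches the Finding condition in the check text. Any procedure returned by the second query that is not documented should be investigated.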
Fix Text (F-19766r1_fix)
Enable the ‘scan for startup procs’ configuration option if a custom audit trace is in use (see Check DG0145: DBMS audit record content) or if operationally required and documented in the System Security Plan:

EXEC SP_CONFIGURE 'show advanced options', 1
RECONFIGURE  -- apply 'show advanced options' before setting an advanced option
EXEC SP_CONFIGURE 'scan for startup procs', 1
RECONFIGURE

Otherwise, disable its use:

EXEC SP_CONFIGURE 'show advanced options', 1
RECONFIGURE  -- apply 'show advanced options' before setting an advanced option
EXEC SP_CONFIGURE 'scan for startup procs', 0
RECONFIGURE