
A baseline of database application software should be documented and maintained.


Overview

Finding ID: V-3806
Version: DG0021-SQLServer9
Rule ID: SV-24142r1_rule
IA Controls: DCSW-1
Severity: Medium
Description
Without maintenance of a baseline of current DBMS application software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to the DBMS executables could be the result of intentional or unintentional actions.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text ( C-20401r1_chk )
Have the DBA and/or IAO provide the DBMS software baseline procedures, implementation evidence, and a list of files and directories included in the baseline procedure for completeness.

If baseline procedures do not exist, are not implemented reliably, or are not complete, this is a Finding.

Software and configuration directories are under:

[drive] \Program Files\Microsoft SQL Server

The exact directory is specified in the registry key:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ 90 \ VerSpecificRootDir

For each instance, include the directory and all contents specified under the registry key below, where [#] is the assigned instance number:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ Setup \ SQLProgramDir
Fix Text (F-24636r1_fix)
Develop, document and implement baseline procedures that include all DBMS software files and directories.

Update the baseline after new installations, upgrades or maintenance activities that include changes to the software baseline.
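
One way to implement and check such a baseline, as an added example that is not part of the STIG: the script below resolves the directories from the registry locations named in the Check Text, records a SHA-256 hash for every file, and with -Verify reports deviations from the stored baseline. It assumes PowerShell 4.0 or later, that VerSpecificRootDir and SQLProgramDir are values under the keys shown, and a hypothetical baseline file path; the choice of SHA-256 is also an assumption.

```powershell
# Added example: build or verify a hash baseline of SQL Server 2005 software files.
param(
    [string]$BaselinePath = 'C:\Baseline\mssql2005-baseline.csv',  # hypothetical location
    [switch]$Verify
)

$root = 'HKLM:\Software\Microsoft\Microsoft SQL Server'

# Collect the shared root plus each instance's program directory.
# Assumption: VerSpecificRootDir and SQLProgramDir are registry values.
$dirs = @()
$dirs += (Get-ItemProperty -Path "$root\90" -ErrorAction SilentlyContinue).VerSpecificRootDir
Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^MSSQL\.\d+$' } |
    ForEach-Object {
        $dirs += (Get-ItemProperty -Path "$($_.PSPath)\Setup" -ErrorAction SilentlyContinue).SQLProgramDir
    }
$dirs = @($dirs | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique)
if (-not $dirs) { throw 'No SQL Server 2005 directories found in the registry.' }

# Hash every file. Files that cannot be opened (for example, locked by the
# running service) are recorded as UNREADABLE instead of being skipped silently.
$current = foreach ($f in Get-ChildItem -LiteralPath $dirs -Recurse -File -Force -ErrorAction SilentlyContinue) {
    $h = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path   = $f.FullName
        Length = $f.Length
        SHA256 = if ($h) { $h.Hash } else { 'UNREADABLE' }
    }
}
# The directories can overlap, so keep one record per file path.
$current = @($current | Sort-Object Path -Unique)

if ($Verify) {
    $baseline = Import-Csv -LiteralPath $BaselinePath
    # '<=' rows exist only in the baseline (removed file or old hash);
    # '=>' rows exist only on disk now (added file or new hash).
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Path, SHA256
    if ($diff) { $diff | Sort-Object Path, SideIndicator | Format-Table -AutoSize; exit 1 }
    'No deviation from baseline.'
} else {
    $current | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    "Baseline of $($current.Count) files written to $BaselinePath"
}
```

Keep the baseline file where accounts that can modify the DBMS software cannot write to it, and rerun the script without -Verify after each installation, upgrade or maintenance activity, as the Fix Text requires.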