
Audit records should be restricted to authorized individuals.


Overview

Finding ID: V-5686
Version: DG0032-SQLServer9
Rule ID: SV-24077r2_rule
IA Controls: ECTP-1
Severity: Medium
Description
Audit data is frequently targeted by malicious users as it can provide a means to detect their activity. The protection of the audit trail data is of special concern and requires restrictions to allow only the auditor and DBMS backup, recovery, and maintenance users access to it.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-22722r2_chk)
Review the file permissions to all files located in the DBMS audit log directory. If any allow access to users not authorized as DBAs or auditors, this is a Finding.

Review database object access permissions to any audit log data stored in the database. If permissions are granted to users not authorized as DBAs or auditors, this is a Finding.

Review the directory and file permissions on the directory listed below and on the directories named by the registry values listed below:

C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\LogFiles

HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\CPE\ErrorDumpDir
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\CPE\ErrorDumpDir
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.3\CPE\ErrorDumpDir
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\DefaultLog
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\SQLServerAgent\ErrorLogFile

Review permissions on the sysprotects and/or sys.dm_exec_sessions views in the master database:

-- Lists every database principal that holds a permission on either audit-related object
SELECT u.name AS [User], o.name AS [Object], p.permission_name AS [Permission]
FROM [master].sys.all_objects AS o
JOIN [master].sys.database_permissions AS p ON p.major_id = o.object_id
JOIN [master].sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE o.name IN ('dm_exec_sessions', 'sysprotects')
ORDER BY u.name, o.name, p.permission_name;

If any allow access to users not authorized as DBAs or auditors, this is a Finding.
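The following PowerShell script is an added example, not part of the STIG text or of DISA's tooling. It automates the whole check above: it resolves the audit-log directories from the registry values listed, lists every Allow entry in the file ACLs, runs the STIG query against the master database, and reports any grantee that is not in an authorized list. The authorized principal names (CONTOSO\SQL-DBAs, CONTOSO\Auditors, auditor_role), the instance name, and the use of Windows authentication through the .NET System.Data.SqlClient provider are assumptions to adjust for the site.

```powershell
# Added example (not part of the STIG): read-only check for V-5686. Resolves the audit-log
# locations named in the check text, lists file ACL grantees, and queries master for grantees
# on sysprotects / sys.dm_exec_sessions. Authorized names and instance name are assumptions.
param(
    # OS accounts/groups permitted on audit log files (assumed names)
    [string[]] $AuthorizedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                         'CONTOSO\SQL-DBAs', 'CONTOSO\Auditors'),
    # Database principals permitted on the two audit-related objects (assumed names)
    [string[]] $AuthorizedDbPrincipals = @('dbo', 'auditor_role'),
    [string]   $SqlInstance = 'localhost'   # assumed; use HOST\INSTANCE for a named instance
)

# Directory named in the check text; registry-derived directories are appended below.
$logDirectories = @('C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\LogFiles')

# Registry values from the check text. ErrorLogFile holds a file path, the others hold directories.
$registryValues = @(
    'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\CPE\ErrorDumpDir',
    'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\CPE\ErrorDumpDir',
    'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.3\CPE\ErrorDumpDir',
    'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\DefaultLog',
    'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\SQLServerAgent\ErrorLogFile'
)
foreach ($regValue in $registryValues) {
    $key  = Split-Path -Path $regValue -Parent
    $name = Split-Path -Path $regValue -Leaf
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }          # that instance is not installed: skip it
    $path = $item.$name
    # A value that points at a file (SQL Agent's ErrorLogFile) is audited via its directory.
    if (Test-Path -LiteralPath $path -PathType Leaf) { $path = Split-Path -Path $path -Parent }
    if ($path) { $logDirectories += $path }
}

$findings = @()

# 1. File system: every Allow ACE on each directory and its files must name an authorized principal.
foreach ($dir in ($logDirectories | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $targets = @(Get-Item -LiteralPath $dir) +
               @(Get-ChildItem -LiteralPath $dir -Recurse | Where-Object { -not $_.PSIsContainer })
    foreach ($target in $targets) {
        foreach ($ace in (Get-Acl -Path $target.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries do not grant access
            if ($AuthorizedPrincipals -notcontains $ace.IdentityReference.Value) {
                $findings += [pscustomobject]@{
                    Source = 'File ACL'; Object = $target.FullName
                    Grantee = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights.ToString()
                }
            }
        }
    }
}

# 2. Database: the STIG query, with the permission state added so DENY rows are not reported as grants.
$query = @"
SELECT u.name AS [User], o.name AS [Object], p.permission_name AS [Permission], p.state_desc AS [State]
FROM master.sys.all_objects AS o
JOIN master.sys.database_permissions AS p ON p.major_id = o.object_id
JOIN master.sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE o.name IN ('dm_exec_sessions', 'sysprotects')
ORDER BY u.name, o.name, p.permission_name;
"@
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlInstance;Database=master;Integrated Security=SSPI")
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        if (-not $reader['State'].StartsWith('GRANT')) { continue }
        # 'public' reaches every database user, so it is never treated as authorized here.
        if ($AuthorizedDbPrincipals -notcontains $reader['User']) {
            $findings += [pscustomobject]@{
                Source = 'Database permission'; Object = "master.sys.$($reader['Object'])"
                Grantee = $reader['User']; Rights = "$($reader['Permission']) ($($reader['State']))"
            }
        }
    }
} finally {
    $conn.Close()
}

if ($findings.Count -eq 0) { 'Not a Finding: only authorized principals hold access.' }
else { $findings | Format-Table -AutoSize }
```

Run it as a local administrator who also holds a SQL login, since reading the ACLs and sys.database_permissions both require that access. Each reported row is one grantee to reconcile against the site's DBA and auditor list; a grantee of `public` on either object, or an OS group such as `BUILTIN\Users` on a log directory, is the kind of entry that makes this a Finding.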
Fix Text (F-19535r1_fix)
Grant audit file and database audit object access to authorized DBAs and auditors.

Revoke audit file and database audit object access from unauthorized database and OS accounts.