UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SQL Server must notify appropriate individuals when accounts are modified.


Overview

Finding ID Version Rule ID IA Controls Severity
V-41305 SQL2-00-023300 SV-53787r1_rule Medium
Description
Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to modify an existing account for later use. Notification of account creation is one method and best practice for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and/or application owners exist. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
STIG Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide 2014-01-05

Details

Check Text ( C-47874r2_chk )
Check to see that all required events are being audited.
From the query prompt:

SELECT DISTINCT traceid FROM ::FN_TRACE_GETINFO('0')

All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.

For each traceid listed, replacing # with a traceid.
From the query prompt:
SELECT DISTINCT(eventid) FROM ::FN_TRACE_GETEVENTINFO('#')

The required eventids 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, and 130 should be listed. If any of the audit events or eventids required above are not listed, this is finding.
Fix Text (F-46696r2_fix)
Create and start an audit trace that audits required events.
CREATE PROCEDURE fso_audit AS
-- Create a Queue
DECLARE @rc INT
DECLARE @TraceID INT
DECLARE @maxfilesize BIGINT
DECLARE @fso_audit_log NVARCHAR(128)
SET @maxfilesize = 5
-- Define custom @fso_audit_log to path\filename
SET @fso_audit_log = 'd:\sqlserver\audit\fsoauditlog.log'
EXEC @rc = SP_TRACE_CREATE @TraceID output, 6, @fso_audit_log, @maxfilesize, NULL
IF (@rc != 0) GOTO Error
-- Client side File and Table cannot be scripted.
-- Set the events:
DECLARE @on BIT
SET @on = 1
-- Logins are audited based on SQL Server instance
-- setting Audit Level stored in registry
-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]
\MSSQLServer\AuditLevel
-- Audit Login
-- Occurs when a user successfully logs in to SQL Server.
EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on -- TextData
EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on -- NTUserName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on -- NTDomainName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on -- HostName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on -- ApplicationName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on -- LoginName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on -- SPID
EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on -- StartTime
EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on -- Success
EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on -- ServerName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on -- DatabaseName
EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on -- LoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on -- IsSystem
EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on -- SessionLoginName
-- Audit Logout
-- Occurs when a user logs out of SQL Server.
EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on -- NTUserName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on -- NTDomainName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on -- HostName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on -- ApplicationName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on -- LoginName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on -- SPID
EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on -- Duration
EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on -- StartTime
EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on -- EndTime
EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on -- Success
EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on -- ServerName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on -- DatabaseName
EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on -- LoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on -- IsSystem
EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on -- SessionLoginName
-- Audit Server Starts and Stops
-- Occurs when the SQL Server service state is modified.
EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on -- NTUserName
EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on -- NTDomainName
EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on -- HostName
EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on -- ApplicationName
EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on -- LoginName
EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on -- SPID
EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on -- StartTime
EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on -- Success
EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on -- ServerName
EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on -- LoginSid
EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on -- IsSystem
EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on -- SessionLoginName
-- Audit Login Failed
-- Indicates that a login attempt to SQL Server from a client failed.
EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on -- TextData
EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on -- NTUserName
EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on -- NTDomainName
EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on -- HostName
EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on -- ApplicationName
EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on -- LoginName
EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on -- SPID
EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on -- StartTime
EXEC SP_TRACE_SET