SQL Server must protect its audit features from unauthorized access, modification, or removal.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-67795	SQL4-00-013900	SV-82285r1_rule		Medium

Description
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access. If an attacker were to gain access to audit tools, he could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity. This focuses on audit/trace log tools within SQL Server. Other STIG requirements govern operating system settings to control access to external tools.

Description

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access. If an attacker were to gain access to audit tools, he could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity. This focuses on audit/trace log tools within SQL Server. Other STIG requirements govern operating system settings to control access to external tools.

STIG	Date
MS SQL Server 2014 Instance Security Technical Implementation Guide	2017-07-19

Details

Check Text ( C-68363r1_chk )
Review the SQL Server permissions granted to principals. The views and functions provided in the supplemental file Permissions.sql can help with this. Look for permissions such as ALTER ANY SERVER AUDIT, ALTER ANY DATABASE AUDIT, ALTER TRACE; or EXECUTE on the stored procedures with names beginning "SP_TRACE", or on scopes including those procedures. If unauthorized accounts have these privileges, this is a finding.

Check Text ( C-68363r1_chk )

Review the SQL Server permissions granted to principals. The views and functions provided in the supplemental file Permissions.sql can help with this. Look for permissions such as ALTER ANY SERVER AUDIT, ALTER ANY DATABASE AUDIT, ALTER TRACE; or EXECUTE on the stored procedures with names beginning "SP_TRACE", or on scopes including those procedures.

If unauthorized accounts have these privileges, this is a finding.

Fix Text (F-73911r1_fix)
Use REVOKE and/or DENY statements to remove audit-related permissions from individuals and roles not authorized to have them.