Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-67795 | SQL4-00-013900 | SV-82285r1_rule | Medium |
Description |
---|
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access. If an attacker were to gain access to audit tools, he could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity. This focuses on audit/trace log tools within SQL Server. Other STIG requirements govern operating system settings to control access to external tools. |
STIG | Date |
---|---|
MS SQL Server 2014 Instance Security Technical Implementation Guide | 2017-11-30 |
Check Text ( C-68363r1_chk ) |
---|
Review the SQL Server permissions granted to principals. The views and functions provided in the supplemental file Permissions.sql can help with this. Look for permissions such as ALTER ANY SERVER AUDIT, ALTER ANY DATABASE AUDIT, ALTER TRACE; or EXECUTE on the stored procedures with names beginning "SP_TRACE", or on scopes including those procedures. If unauthorized accounts have these privileges, this is a finding. |
Fix Text (F-73911r1_fix) |
---|
Use REVOKE and/or DENY statements to remove audit-related permissions from individuals and roles not authorized to have them. |