UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SQL Server must protect its audit features from unauthorized access, modification, or removal.


Overview

Finding ID Version Rule ID IA Controls Severity
V-67795 SQL4-00-013900 SV-82285r1_rule Medium
Description
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access. If an attacker were to gain access to audit tools, he could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity. This focuses on audit/trace log tools within SQL Server. Other STIG requirements govern operating system settings to control access to external tools.
STIG Date
MS SQL Server 2014 Instance Security Technical Implementation Guide 2017-11-30

Details

Check Text ( C-68363r1_chk )
Review the SQL Server permissions granted to principals. The views and functions provided in the supplemental file Permissions.sql can help with this. Look for permissions such as ALTER ANY SERVER AUDIT, ALTER ANY DATABASE AUDIT, ALTER TRACE; or EXECUTE on the stored procedures with names beginning "SP_TRACE", or on scopes including those procedures.

If unauthorized accounts have these privileges, this is a finding.
Fix Text (F-73911r1_fix)
Use REVOKE and/or DENY statements to remove audit-related permissions from individuals and roles not authorized to have them.