SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-213868	SQL4-00-033000	SV-213868r399877_rule		Medium

Description
In order to ensure sufficient storage capacity for the audit logs, SQL Server must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates that audit data be off-loaded to a centralized log management system, it remains necessary to provide space on the database server to serve as a buffer against outages and capacity limits of the off-loading mechanism. In determining the capacity requirements, consider such factors as: total number of users; expected number of concurrent users during busy periods; number and type of events being monitored; types and amounts of data being captured; the frequency/speed with which audit records are off-loaded to the central log management system; and any limitations that exist on the ability to reuse the space formerly occupied by off-loaded records. As noted elsewhere in this document, SQL Server's Audit and/or Trace features can be used for auditing purposes. This requirement applies to both.

Description

In order to ensure sufficient storage capacity for the audit logs, SQL Server must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates that audit data be off-loaded to a centralized log management system, it remains necessary to provide space on the database server to serve as a buffer against outages and capacity limits of the off-loading mechanism. In determining the capacity requirements, consider such factors as: total number of users; expected number of concurrent users during busy periods; number and type of events being monitored; types and amounts of data being captured; the frequency/speed with which audit records are off-loaded to the central log management system; and any limitations that exist on the ability to reuse the space formerly occupied by off-loaded records. As noted elsewhere in this document, SQL Server's Audit and/or Trace features can be used for auditing purposes. This requirement applies to both.

STIG	Date
MS SQL Server 2014 Instance Security Technical Implementation Guide	2021-12-10

Details

Check Text ( C-15087r312955_chk )
Investigate whether there have been any incidents where the system ran out of audit log space (to include traces used for audit purposes) since the last time the space was allocated or other corrective measures were taken. If there have been, this is a finding.

Fix Text (F-15085r312956_fix)
Allocate sufficient audit storage space to support peak demand.