The DBMS must be able to generate audit records when privileges/permissions are retrieved.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-206525	SRG-APP-000091-DB-000066	SV-206525r960885_rule		Medium

Description

Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.

STIG	Date
Database Security Requirements Guide	2024-12-04

Details

Check Text (C-6785r291243_chk)

Review DBMS documentation to verify that audit records can be produced when privileges/permissions/role memberships are retrieved.

If the DBMS is not capable of this, this is a finding.

If the DBMS is currently required to audit the retrieval of privilege/permission/role membership information, review the DBMS/database security and audit configurations to verify that audit records are produced when privileges/permissions/role memberships are retrieved.

If they are not produced, this is a finding.

Fix Text (F-6785r291244_fix)

Deploy a DBMS capable of producing the required audit records when privileges/permissions/role memberships are retrieved.

If currently required, configure the DBMS to produce audit records when privileges/permissions/role memberships are retrieved.