Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

SectionSummaryAssociated Audit Events and Features

DISA 2016 Database


DISA 2016 Instance

SQL6-D0-004300,
SQL6-D0-004500,
SQL6-D0-004700,
SQL6-D0-004800,
SQL6-D0-005500,
SQL6-D0-005900,
SQL6-D0-006000,
SQL6-D0-006100,
SQL6-D0-006200,
SQL6-D0-006300,             
SQL6-D0-006400,
SQL6-D0-010700,
SQL6-D0-010800,
SQL6-D0-011100,
SQL6-D0-011200
     


SQL Server must be configured to generate audit records for DoD-defined auditable events within all DBSM/database components. 

SQL Server must generate audit records when privileged/permissions are retrieved.

SQL Server must initiate session auditing upon startup.

SQL Server must be configured to allow authorized users to capture, record, and log all content related to a user session. 

SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject. 

The audit information produced by SQL Server must be protected from unauthorized read access. 

The audit information produced by SQL Server must be protected from unauthorized modification. 

The audit information produced by SQL Server must be protected from unauthorized deletion.

SQL Server must protect its audit features from unauthorized access. 

SQL Server must protect its audit configuration from unauthorized modification.

SQL Server must protect its audit features from unauthorized removal. 

SQL Server must utilize centralized management of the content captured in audit records generated by all components of SQL Server. 

SQL Server must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts. 

SQL Server must record time stamps in audit records and application data that can be mapped to Coordinate Universal Time (UTC, formerly GMT). 

Server Events:

  • Successful and Failed Logins
  • Security Changes
  • Privileged User Activity
  • User Defined Event Tracking

Database Events:

  • Security changes

  • SELECT statements
  • Privileged User Activity
  • Sensitive Column Monitoring
  • Before-After Data Auditing

DISA 2012 Database

SQL2-00-011200

DISA 2014 Database

SQL4-00-011200

SQL Server must generate Trace or audit records for organization-defined auditable events. Audit records can be generated from various components within the information system.

Server Events:

  • None

Database Events:

  • Security

  • DDL
  • DML
  • Privileged Users Events
  • Privileged Users
  • Sensitive Columns
  • Before-After Data auditing

DISA 2012 Instance

SQL2-00-012400,
SQL2-00-009700,
SQL2-00-011800,
SQL2-00-011900,
SQL2-00-011400,
SQL2-00-012000,
SQL2-00-012100,
SQL2-00-012200,
SQL2-00-012300,
SQL2-00-014700,
SQL2-00-002300

DISA 2014 Instance

SQL4-00-011900,
SQL4-00-012000,
SQL4-00-012100,
SQL4-00-012200,
SQL4-00-012300,
SQL4-00-037600,
SQL4-00-037900,
SQL4-00-037500,
SQL4-00-037600,
SQL4-00-037900,
SQL4-00-038000,
SQL4-00-011200,
SQL4-00-036200,
SQL4-00-036300,
SQL4-00-038100,
SQL4-00-034000

SQL Server must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location or subject.

Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules revoked.

All use of privileged accounts must be audited.

SQL Server must produce audit records containing sufficient information to establish what type of events occurred.

SQL Server must produce audit records containing sufficient information to establish when (date and time) the events occurred.

SQL Server must generate audit records for the DoD-selected list of auditable events.

SQL Server must produce audit records containing sufficient information to establish where the events occurred.

SQL Server must produce audit records containing sufficient information to establish the sources (origins) of events.

SQL Server must produce audit records containing sufficient information to establish the outcome (success or failure) of events.

SQL Server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.

SQL Server must support the employment of automated mechanisms supporting the auditing of the enforcement actions.

SQL Server must enforce access control policies to restrict Alter server state permissions to only authorized roles. 

SQL Server must generate Trace or audit records when unsuccessful logins or connection attempts occur.

SQL Server must generate Trace or audit records when logoffs or disconnections occur.

SQL Server must generate Trace or audit records when successful logons or connections occur.

SQL Server must generate Trace or audit records when concurrent logins/connections by the same user from different workstations occur.

SQL Server must produce Trace or audit records containing sufficient information to establish when the events occurred.

SQL Server must produce Trace or audit records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database.  

Server Events:

  • Logins
  • Logouts
  • Failed Logins
  • Security changes
  • Privileged Users activity
  • User defined events
  • Privileged Users

Database Events:

  • None
DISA 2014 0If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime.

Server Events:

  • Security changes

Database Events:

  • Security

...