Versions Compared

Old Version 13

changes.mady.by.user Nicolas Rios

Saved on

compared with

New Version 14

changes.mady.by.user Rodrigo Rivero

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Logins
  • Logouts
  • Failed Logins
  • Security changes
  • Privileged Users activity
  • User defined events
  • Privileged Users

Database Events:

  • None
SectionSummaryAssociated Audit Events and Features

DISA 2016 Database


DISA 2016 Instance

SQL6-D0-004300,
SQL6-D0-004500,
SQL6-D0-004700,
SQL6-D0-004800,
SQL6-D0-005500,
SQL6-D0-005900,
SQL6-D0-006000,
SQL6-D0-006100,
SQL6-D0-006200,
SQL6-D0-006300,
SQL6-D0-006400,
SQL6-D0-010700,
SQL6-D0-010800,
SQL6-D0-011100,
SQL6-D0-011200
     


SQL Server must be configured to generate audit records for DoD-defined auditable events within all DBSM/database components. 

SQL Server must generate audit records when privileged/permissions are retrieved.

SQL Server must initiate session auditing upon startup.

SQL Server must be configured to allow authorized users to capture, record, and log all content related to a user session. 

SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject. 

The audit information produced by SQL Server must be protected from unauthorized read access. 

The audit information produced by SQL Server must be protected from unauthorized modification. 

The audit information produced by SQL Server must be protected from unauthorized deletion.

SQL Server must protect its audit features from unauthorized access. 

SQL Server must protect its audit configuration from unauthorized modification.

SQL Server must protect its audit features from unauthorized removal. 

SQL Server must utilize centralized management of the content captured in audit records generated by all components of SQL Server. 

SQL Server must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts. 

SQL Server must record time stamps in audit records and application data that can be mapped to Coordinate Universal Time (UTC, formerly GMT). 

Server Events:

  • Successful and Failed Logins
  • Security Changes
  • Privileged User Activity
  • User Defined Event Tracking

Database Events:

Server-level Audit Groups Supported:

  • Successful Login Group
  • Logout Group
  • Failed Login Group
  • Database Change Group
  • Server Object Change Group
  • Server State Change Group
  • Server Permission Change Group
  • Server Principal Change Group
  • User Change Password Group
  • Login Change Password Group
  • Server Role Member Change Group
  • Server Object Permission Change Group
  • Server Principal Impersonation Group
  • DBCC Group
  • Audit Change Group
  • Audit Change Group
  • Server Operation Group
  • Trace Change Group

Database Events:

  • Security changes

  • SELECT statements
  • Privileged User Activity
  • Sensitive Column Monitoring
  • Before-After Data Auditing

Database-level Audit Groups Supported:

  • Schema Object Change Group

  • Schema Object Access Group

  • Backup Restore Group

  • Database Object Access Group

  • Database Object Change Group

  • Database Operation Group

  • Database Principal Change Group

  • Database Role Member Change Group

  • Database Object Ownership Change Group

  • Database Object Permission Change Group

  • Database Ownership Change Group

  • Schema Object Permission Change Group

  • Database Permission Change Group

  • Application Role Change Password Group

  • Database Principal Impersonation Group

  • Schema Object Ownership Change Group

  • Server Object Ownership Change Group

  • Security changes

  • SELECT statements
  • Privileged User Activity
  • Sensitive Column Monitoring
  • Before-After Data Auditing

DISA 2012 Database

SQL2-00-011200

DISA 2014 Database

SQL4-00-011200

SQL Server must generate Trace or audit records for organization-defined auditable events. Audit records can be generated from various components within the information system.

Server Events:

  • None

Database Events:

  • Security

  • DDL
  • DML
  • Privileged Users Events
  • Privileged Users
  • Sensitive Columns

  • Before-After Data auditing

DISA 2012 Instance

SQL2-00-012400,
SQL2-00-009700,
SQL2-00-011800,
SQL2-00-011900,
SQL2-00-011400,
SQL2-00-012000,
SQL2-00-012100,
SQL2-00-012200,
SQL2-00-012300,
SQL2-00-014700,
SQL2-00-002300

DISA 2014 Instance

SQL4-00-011900,
SQL4-00-012000,
SQL4-00-012100,
SQL4-00-012200,
SQL4-00-012300,
SQL4-00-037600,
SQL4-00-037900,
SQL4-00-037500,
SQL4-00-037600,
SQL4-00-037900,
SQL4-00-038000,
SQL4-00-011200,
SQL4-00-036200,
SQL4-00-036300,
SQL4-00-038100,
SQL4-00-034000

SQL Server must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location or subject.

Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules revoked.

All use of privileged accounts must be audited.

SQL Server must produce audit records containing sufficient information to establish what type of events occurred.

SQL Server must produce audit records containing sufficient information to establish when (date and time) the events occurred.

SQL Server must generate audit records for the DoD-selected list of auditable events.

SQL Server must produce audit records containing sufficient information to establish where the events occurred.

SQL Server must produce audit records containing sufficient information to establish the sources (origins) of events.

SQL Server must produce audit records containing sufficient information to establish the outcome (success or failure) of events.

SQL Server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.

SQL Server must support the employment of automated mechanisms supporting the auditing of the enforcement actions.

SQL Server must enforce access control policies to restrict Alter server state permissions to only authorized roles. 

SQL Server must generate Trace or audit records when unsuccessful logins or connection attempts occur.

SQL Server must generate Trace or audit records when logoffs or disconnections occur.

SQL Server must generate Trace or audit records when successful logons or connections occur.

SQL Server must generate Trace or audit records when concurrent logins/connections by the same user from different workstations occur.

SQL Server must produce Trace or audit records containing sufficient information to establish when the events occurred.

SQL Server must produce Trace or audit records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database.  to the configuration of the DBMS or database.  

Server Events:

  • Logins
  • Logouts
  • Failed Logins
  • Security changes
  • Privileged Users activity
  • User defined events
  • Privileged Users

Database Events:

  • None
DISA 2014 0If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime.

Server Events:

DISA 2014 0If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime.

Server Events:

  • Security changes

Database Events:

  • Security

FERPA Compliance

  • Security changes

Database Events:

  • Security

Please make sure you check the following as well when you apply the STIG guideline:

  • "Administrative Actions" 
  • "Database Definitions"

Image Added

Keep in mind that adding those 2 additional options mentioned above can result in a large number of audit records created.


Info

Is SQL Compliance Manager compliant with the latest DISA STIG?

No, SQL CM only provides the audit records for each STIG. Reviewing those audit records and determining their actual compliance with DISA standards is the customer's responsibility.


FERPA Compliance

SectionSummaryAssociated Audit Events and Features
99.2

What is the purpose of these regulations?

The purpose of this part is to set out requirements for the protection of privacy of parents and students under section 444 of the General Education Provisions Act, as amended.

Server Events:

  • Successful and Failed Logins
  • Security changes

Database Events:

  • Security changes
99.31(a)(1)

School officials

Institutions that allow "school officials, including teachers, within the agency or institution" to have access to students' education records, without consent, must first make a determination that the official has "legitimate educational interests" in the information. The list of officials must be included in the annual FERPA notification.

Server Events:

  • Successful and Failed Logins
  • Security changes
  • Privileged Users activity

Database Events:

  • SELECT statements
  • Security changes
  • Sensitive Columns
99.31(a)(1)(ii)

Controlling access to education records by school

Institutions are now required to use "reasonable methods" to ensure that instructors and other school officials (including outside service providers) obtain access to only those education records (paper or electronic) in which they have legitimate educational interests. Institutions are encouraged to restrict or track access to education records to ensure that they remain in compliance with this requirement. The higher the risk, the more stringent the protections should be (e.g., SSNs should be closely guarded).

Server Events:

  • Successful and Failed Logins
  • Security changes
  • Privileged Users activity

Database Events:

  • DDL
  • DML
  • SELECT statements
  • Sensitive  Columns
  • Before-After Data auditing
99.31(a)(2)

Student's new school

An institution retains the authority to disclose and transfer education records to a student's new school even after the student has enrolled and such authority continues into the future so long as the disclosure is for purposes related to the student's enrollment/transfer. After admission, the American Disabilities Act (ADA) does not prohibit institutions from obtaining information concerning a current student with disabilities from any school previously attended by the student in connection with an emergency and if necessary to protect the health or safety of a student or other persons under FERPA. A student's previous school may supplement, update, or correct any records it sent during the student's application or transfer period and may identify any falsified or fraudulent records and/or explain the meaning of any records disclosed previously to the new school.

Server Events:

  • Successful and Failed Logins
  • Security changes
  • Privileged Users activity

Database Events:

  • Security changes
  • DML
  • SELECT statements
  • Sensitive  Columns
  • Before-After Data auditing
99.32(a)(1)

What record keeping requirements exist concerning requests and disclosures?

An educational agency or institution must maintain a record of each request for access to and each disclosure of personally identifiable information from the education records of each student, as well as the names of State and local educational authorities and Federal officials and agencies listed in § 99.31(a)(3) that may make further disclosures of personally identifiable information from the student's education records without consent under § 99.33(b)(2). The agency or institution shall maintain the record with the education records of the student as long as the records are maintained.

Server Events:

  • Successful and Failed Logins
  • Security changes
  • Privileged Users activity

Database Events:

  • Security changes
  • DML
  • SELECT statements
  • Sensitive Columns
  • SELECT statements
99.35 (a)(1)(2), (b)(1)

What conditions apply to disclosure of information for Federal or State program purposes?

Authorized representatives of the officials or agencies headed by officials listed in 99.31(a)(3) may have access to education records in connection with an audit or evaluation of Federal or State supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs.

Authority for an agency or officially listed in § 99.31(a)(3) to conduct an audit, evaluation, or compliance or enforcement activity is not conferred by the Act or this part and must be established under other Federal, State, or local authority.

Information that is collected under paragraph (a) of this section must:

  • Be protected in a manner that does not permit personal identification of individuals by anyone other than the officials or agencies headed by officials referred to in paragraph (a) of this section, except that those officials and agencies may make further disclosures of personally identifiable information from education records on behalf of the educational agency or institution in accordance with the requirements of 99.33(b).

Server Events:

  • Successful and Failed Logins
  • Security changes
  • Privileged Users activity

Database Events:

  • Security changes
  • DML
  • DDL
  • Sensitive Columns
  • SELECT statements

...

SectionSummaryAssociated Audit events Events and Features
CIP-007-6 4.1Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events: detected successful login attempts, detected failed access attempts and failed login attempts; and detected malicious code.

Server Events:

  • Logins
  • Logouts
  • Failed Logins
  • Security changes
  • User Defined Events
  • Privileged Users
  • Privileged Users events

Database Events:

  • Security changes
  • DDL
  • DML
  • Sensitive Columns
  • Before-After Data change
  • Privileged Users

...

SectionSummaryAssociated Audit Events and Features
2.1Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.Server Events:
  • Failed Logins
  • Security Changes
  • DDL
  • Administrative activities
  • Privileged Users
  • User defined events

Database Events:

  • Security
  • DDL
  • Administrative activities
  • DML
  • SQL statements
  • Sensitive columns
  • Before-After data change
  • Privileged users
2.2Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
3.4

Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

  • One-way hashes based on strong cryptography, (hash must be of the entire PAN)
  • Truncation (hashing cannot be used to replace the truncated segment of PAN)
  • Index tokens and pads (pads must be securely stored)
  • Strong cryptography with associated key-management processes and procedures.
6.2Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
8Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.Server Events:
  • Failed Logins
  • Security Changes
  • DDL
  • Administrative activities
  • Privileged Users

Database Events:

  • Security
  • DDL
  • Administrative activities
  • DML
  • SQL statements
  • Sensitive Columns
8.5.4Immediately revoke access for any terminated users.Server Events:
  • Security Changes
  • Administrative activities

Database Events:

  • Security
10Track and monitor all access to network resources and cardholder data-logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.See subsections
10.1Implement audit trails to link all access to system components to each individual user.Server Events:
  • Failed Logins
  • Administrative activities
  • Privileged Users activityActivity

Database Events:

  • None
10.2

Implement automated audit trails for all system components to reconstruct the following events:

  • 10.2.1 All individual user accesses to cardholder data
  • 10.2.2 All actions taken by any individual with root or administrative privileges
  • 10.2.3 Access to all audit trails
  • 10.2.4 Invalid logical access attempts
  • 10.2.5 Use of identification and authentication mechanisms
  • 10.2.6 Initialization, stopping, or pausing of the audit logs
  • 10.2.7 Creation and deletions of system-level objects
Server Events:
  • Failed Logins
  • DDL

Database Events:

  • DDL
  • DML
  • Sensitive Columns
10.3

Record at least the following audit trail entries for all system components for each event:

  • 10.3.1 User identification
  • 10.3.2 Type of event
  • 10.3.3 Date and time
  • 10.3.4 Success or failure indication
  • 10.3.5 Origination of event
  • 10.3.6 Identify or name of affected data, system component, or resource
Server Events:
  • Failed Logins
  • Privileged Users activityActivity

Database Events:

  • Security
  • DDL
  • DML
  • Sensitive Columns
10.5Secure audit trails so they cannot be altered.SQL Compliance Manager Repository
10.7Retain audit trail history for at least one year, with a minimum of three months online availability.Enable archive and groom to retain Repository data for a minimum of one year

...

SectionSummaryAssociated Audit Events and Features
404

A statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and management's assessment, as of the end of the company's most recent fiscal year of the effectiveness of the company's internal control structure and procedures for financial reporting, Section 404 requires the company's auditor to attest to, and report on management's assessment of the effectiveness of the company's internal controls and procedures for financial reporting in accordance with standards established by the Public Company Accounting Oversight Board. (Source: Securities and Exchange Commission.)

What does this mean from an Information Technology standpoint?

The key is the reliability of financial reporting.
Financial information resides in the database and it is the responsibility of IT to ensure the right personnel have access to that data at the right time. Any changes to the permissions must be tracked. Additionally, all access to that data (select, insert, update, and delete operations, plus before and after changes) must be audited down to the actual user and stored. If the need arises to determine where an individual has violated the accuracy of the financial data, an audit trail of activity will help to prove that the user:

  • Accessed the data
  • Changed permissions
  • Changed the data
Server Events:
  • Logins
  • Logouts
  • Failed Logins
  • Security Changes
  • DDL
  • Privileged User activityActivity

Database Events:

  • Security changes
  • Administrative activities
  • DML
  • SQL statements
  • SELECT statements on all DB objects
  • SELECT statements on specific tables
  • Before-After Data auditing
  • Sensitive Columns
  • Alerting

404

CDC

Implement change data capture.Server Events:
  • None

Database Events:

  • Sensitive columns
  • Before-After data change

...