diff --git a/CHANGELOG.md b/CHANGELOG.md index 2cb1cd7eb..c96552a04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ # Versions ## [Unreleased] +* Upgrade SqlServerDsc from 15.1.1 to 17.1.0 [#1476](https://github.com/microsoft/PowerStig/issues/1476) ## [4.27.0] - 2025-09-05 diff --git a/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1 b/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1 index 7fdb6e5ea..898b4244d 100644 --- a/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1 +++ b/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1 @@ -44,6 +44,7 @@ try Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.' FixText = 'This will not be used for this type of rule.' EventId = '(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178)' + QueryId = '2' } Permission = @{ GetScript = "SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;" @@ -121,6 +122,7 @@ try USE master REVOKE ALTER ANY ENDPOINT TO <'account name'> GO" + QueryId = '2' } SysAdminAccount = @{ GetScript = "USE [master] SELECT name, is_disabled FROM sys.sql_logins WHERE principal_id = 1 AND is_disabled <> 1;" 
@@ -137,6 +139,7 @@ try USE master; GO ALTER LOGIN [sa] WITH NAME = GO" + QueryId = '2' } Audit = @{ GetScript = "IF Not Exists (SELECT name AS 'Audit Name', status_desc AS 'Audit Status', audit_file_path AS 'Current Audit File' FROM sys.dm_server_audit_status WHERE status_desc = 'STARTED') Select 'Doest exist'" @@ -201,6 +204,7 @@ try SERVER_STATE_CHANGE_GROUP TRACE_CHANGE_GROUP See the supplemental file `"SQL 2016 Audit.sql`". " + QueryId = '1' } PlainSQL = @{ GetScript = "SELECT name from sysdatabases where name like 'AdventureWorks%';" @@ -211,6 +215,7 @@ try If the `"AdventureWorks`" database is present, this is a finding." FixText = "Remove the publicly available `"AdventureWorks`" database from SQL Server by running the following query: DROP DATABASE AdventureWorks" + QueryId = '2' } SaAccountRename = @{ GetScript = "SELECT name FROM sys.server_principals WHERE TYPE = 'S' and name not like '%##%'" @@ -222,6 +227,7 @@ try FixText = "Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> click 'sa' account name. Hit <F2> while the name is highlighted in order to edit the name. Rename the 'sa' account." + QueryId = '2' } TraceFileLimit = @{ GetScript = "SELECT * FROM ::fn_trace_getinfo(NULL)" @@ -233,6 +239,7 @@ try If auditing will outgrow the space reserved for logging before being overwritten, this is a finding." FixText = "Configure the maximum number of audit log files that are to be generated, staying within the number of logs the system was sized to support. Update the max_files parameter of the audits to ensure the correct number of files is defined." + QueryId = '2' } ShutdownOnError = @{ GetScript = "SELECT * FROM ::fn_trace_getinfo(NULL)" 
@@ -262,6 +269,7 @@ try FixText = "If a trace does not exist, create a trace specification that complies with requirements. If a trace exists, but is not set to SHUTDOWN_ON_ERROR, modify the SQL Server audit setting to immediately shutdown the database in the event of an audit failure by setting property 1 to a value of 4 or 6 for the audit. (See the SQL Server Help page for sys.sp_trace_create for implementation details.)" + QueryId = '2' } ViewAnyDatabase = @{ GetScript = "SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View any database' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name" @@ -340,6 +348,7 @@ try " FixText = "Remove the `"View any database`" permission access from the role that is not authorized by executing the following query: REVOKE View any database TO <'role name'>" + QueryId = '2' } ChangeDatabaseOwner= @{ GetScript = "select suser_sname(owner_sid) AS 'Owner' from sys.databases where name = `$(Database)" @@ -358,6 +367,7 @@ try Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Databases >> right click <'database name'> >> Properties >> Files. Select new database `"Owner`": Navigate to click on […] >> Select new Database Owner >> Browse… >> click on box to indicate account >> <'OK'> >> <'OK'> >> <'OK'>" + QueryId = '2' } AuditShutDownOnError = @{ GetScript = 'SELECT on_failure_desc FROM sys.server_audits' 
@@ -393,6 +403,7 @@ try GO ALTER SERVER AUDIT [AuditNameHere] WITH (STATE = ON); GO ' + QueryId = '2' } AuditFileSize = @{ GetScript = 'CREATE TABLE #AuditFileSize (Name nvarchar (30),Type_Desc nvarchar (30),Max_RollOver_Files int) INSERT INTO #AuditFileSize (Name, Type_Desc) SELECT Name, type_desc FROM sys.server_audits WHERE is_state_enabled = 1 IF (SELECT Type_Desc FROM #AuditFileSize) = ''FILE'' BEGIN UPDATE #AuditFileSize SET Max_RollOver_Files = (SELECT max_rollover_files FROM sys.server_file_audits) WHERE Name IS NOT NULL END SELECT * FROM #AuditFileSize DROP TABLE #AuditFileSize' @@ -424,6 +435,7 @@ try GO ALTER SERVER AUDIT [AuditName] WITH (STATE = ON); GO ' + QueryId = '2' } } #endregion @@ -468,6 +480,19 @@ try $result | Should be $setScript } } + + Context 'Sql Query Id' { + It 'Should return a query id'{ + $result = Get-SqlScriptQueryId -CheckContent $sqlScriptQueryRule.$($ruleType).CheckContent + if ($rule -eq 'Audit') { + $queryId = '1' + $queryId | Should be '1' + } + else { + $result | Should not be '1' + } + } + } } Context 'Get-Query' { diff --git a/source/DSCResources/Resources/SqlServer.ScriptQuery.ps1 b/source/DSCResources/Resources/SqlServer.ScriptQuery.ps1 index 80c8d3a98..63d652c66 100644 --- a/source/DSCResources/Resources/SqlServer.ScriptQuery.ps1 +++ b/source/DSCResources/Resources/SqlServer.ScriptQuery.ps1 @@ -33,6 +33,8 @@ foreach ($instance in $ServerInstance) TestQuery = $rule.TestScript SetQuery = $rule.SetScript Variable = Format-SqlScriptVariable -Database $db -Variable $($rule.Variable) -VariableValue $($rule.VariableValue) + Encrypt = $encrypt + Id = $rule.QueryId } } } @@ -51,6 +53,8 @@ foreach ($instance in $ServerInstance) TestQuery = $rule.TestScript SetQuery = $rule.SetScript Variable = Format-SqlScriptVariable -Variable $($rule.Variable) -VariableValue $($rule.VariableValue) + Encrypt = $encrypt + Id = $rule.QueryId } continue } 
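Review bot: The `Audit` branch of the new 'Sql Query Id' context never inspects the function's output — it assigns `$queryId = '1'` and then asserts `$queryId | Should be '1'`, which passes no matter what `Get-SqlScriptQueryId` returned; the assertion should be `$result | Should be '1'`. The condition also tests `$rule`, while the same block indexes the fixture with `$sqlScriptQueryRule.$($ruleType)`; if the enclosing loop, which starts outside this hunk, only defines `$ruleType`, then `$rule` is `$null`, the Audit case silently falls into the else branch, and `$result | Should not be '1'` would fail for the audit rule. Suggested lines: `if ($ruleType -eq 'Audit') { $result | Should be '1' } else { $result | Should not be '1' }`. The fixtures added above also carry `QueryId` values that nothing compares against; for the constant case `$result | Should be $sqlScriptQueryRule.$($ruleType).QueryId` would pin the expectation to the data, while the GUID case can only be checked for shape, e.g. `[guid]::TryParse($result, [ref][guid]::Empty) | Should be $true`.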
@@ -62,6 +66,8 @@ foreach ($instance in $ServerInstance) GetQuery = $rule.GetScript TestQuery = $rule.TestScript SetQuery = $rule.SetScript + Encrypt = $encrypt + Id = $rule.QueryId } } } diff --git a/source/DSCResources/SqlServer/SqlServer.schema.psm1 b/source/DSCResources/SqlServer/SqlServer.schema.psm1 index 4d855bfab..0205668c9 100644 --- a/source/DSCResources/SqlServer/SqlServer.schema.psm1 +++ b/source/DSCResources/SqlServer/SqlServer.schema.psm1 @@ -21,6 +21,8 @@ using module ..\..\PowerStig.psm1 .PARAMETER Database The Name of the database that you would like to be applied to. This parameter is only used for the SQL Database STIG. + .PARAMETER Encrypt + The Encrypt parameter is used to specify if the connection to the SQL instance should be encrypted. .PARAMETER Exception A hashtable of StigId=Value key pairs that are injected into the STIG data and applied to the target node. The title of STIG settings are tagged with the text 'Exception' to identify @@ -37,6 +39,9 @@ using module ..\..\PowerStig.psm1 .PARAMETER SkipRuleType All STIG rule IDs of the specified type are collected in an array and passed to the Skip-Rule function. Each rule follows the same process as the SkipRule parameter. + .NOTES + Encrypt parameter does not fully support strict mode yet. This is due to a limitation in the SqlServerDsc module + as of version 17.1.0. #> configuration SqlServer { @@ -66,6 +71,11 @@ configuration SqlServer [string[]] $Database, + [Parameter()] + [ValidateSet('Strict', 'Optional', 'Mandatory')] + [string] + $Encrypt = 'Optional', + [Parameter()] [ValidateNotNullOrEmpty()] [hashtable] 
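Review bot: `Id = $rule.QueryId` is handed to SqlScriptQuery unguarded in all three instantiations, but the rule objects come from processed STIG XML, and only the SqlServer-2012 files are visibly regenerated with a `QueryId` element in this change. A rule loaded from a processed file that predates the element yields `$null`, and because the Id is described elsewhere in this patch as required by SqlServerDsc 17.0.0, the failure would surface only at MOF compilation with a generic resource error rather than pointing at stale data. A fail-fast check before the resource call keeps the cause obvious, e.g. `if ([string]::IsNullOrEmpty($rule.QueryId)) { throw "QueryId missing for rule $($rule.Id); regenerate the processed STIG data with the current PowerStig module" }` (assuming the base rule type exposes `Id`, as the STIG ids suggest). The enclosing `foreach` begins outside the hunk, so the check belongs at the top of each loop body rather than once above it.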
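Review bot: `$Encrypt` defaults to `'Optional'`, so every SqlScriptQuery this configuration emits — including SetScripts that rename `sa`, revoke server permissions and alter server audits — runs over a session that, in SqlClient terms, may negotiate down to plaintext, and the new `.PARAMETER Encrypt` help does not say so. For a STIG enforcement module the safer default is `'Mandatory'`, with `'Optional'` as an explicit opt-out for instances without a server certificate; if `'Optional'` must stay the default for upgrade compatibility, the help text should at least state what each value allows. Suggested help: `.PARAMETER Encrypt Controls TLS on the connections used by the SqlScriptQuery resources. 'Mandatory' requires encryption; 'Optional' (default) falls back to an unencrypted session when the server does not require it; 'Strict' (TDS 8.0) is not fully supported by SqlServerDsc 17.1.0, see NOTES.` Whether `'Optional'` in the underlying SqlServerDsc resource validates the server certificate is not visible here and should be confirmed before anyone relies on it.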
@@ -97,7 +107,7 @@ configuration SqlServer $stig.LoadRules($OrgSettings, $Exception, $SkipRule, $SkipRuleType, $SkipRuleSeverity) ##### END DO NOT MODIFY ##### - Import-DscResource -ModuleName SqlServerDsc -ModuleVersion 15.1.1 + Import-DscResource -ModuleName SqlServerDsc -ModuleVersion 17.1.0 . "$resourcePath\SqlServer.ScriptQuery.ps1" . "$resourcePath\SqlServer.SqlLogin.ps1" . "$resourcePath\SqlServer.SqlProtocol.ps1" diff --git a/source/Module/Rule.SqlScriptQuery/Convert/Methods.ps1 b/source/Module/Rule.SqlScriptQuery/Convert/Methods.ps1 index 4d709ce2c..67ece639b 100644 --- a/source/Module/Rule.SqlScriptQuery/Convert/Methods.ps1 +++ b/source/Module/Rule.SqlScriptQuery/Convert/Methods.ps1 @@ -2225,4 +2225,35 @@ function Get-SqlScriptQueryOrganizationValueTestString } } +<# + .SYNOPSIS + Creates a unique ID for the SqlScriptQuery resource. + .Notes + Required as of version SqlServerDsc 17.0.0. +#> +function Get-SqlScriptQueryId +{ + [CmdletBinding()] + [OutputType([string])] + param + ( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string[]] + $CheckContent + ) + + $collection = Get-AuditEvents -CheckContent $CheckContent + if ($collection) + { + $queryId = '1' + } + else + { + $queryId = New-Guid + } + + return $queryId +} + #endregion Helper Functions diff --git a/source/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 b/source/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 index 0a48da7d6..57d67ef1f 100644 --- a/source/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 +++ b/source/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 @@ -47,6 +47,7 @@ class SqlScriptQueryRuleConvert : SqlScriptQueryRule $this.SetTestScript($ruleType) $this.SetSetScript($ruleType, $fixText) $this.SetVariable($ruleType) + $this.SetQueryId($ruleType) if ($null -ne $this.Variable) { $this.SetOrganizationValueTestString($ruleType) 
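Review bot: `Get-SqlScriptQueryId` is documented as creating a unique ID, yet the first branch returns the literal `'1'` for every rule whose check content yields audit events, so all of those rules share one Id while every other rule gets a fresh `New-Guid` on each conversion run. Neither choice is explained in the function: why audit rules must collide on `'1'` (presumably so identical audit queries across several STIG rules resolve to one resource instance — confirm), and why a random GUID rather than a value derived from the STIG rule id, which would make the processed XML reproducible between regenerations instead of producing a diff of new GUIDs every time the data is rebuilt. A comment on each branch would settle it, e.g. `# Audit rules deliberately share a fixed Id so duplicated audit queries map to a single resource instance` and `# TODO: derive a stable Id from the rule id so processed data is reproducible`. Note also that `New-Guid` returns a `[guid]`, not the declared `[OutputType([string])]`; `$queryId = (New-Guid).ToString()` keeps the contract explicit rather than relying on the `[string] $QueryId` property to coerce it later.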
@@ -141,6 +142,24 @@ class SqlScriptQueryRuleConvert : SqlScriptQueryRule } } + <# + .SYNOPSIS + Creates a unique ID for the SqlScriptQuery resource. + .DESCRIPTION + Gets the id string to be used in the SqlScriptQuery resource + .PARAMETER RuleType + The type of rule to get the variable string for. + #> + [void] SetQueryId ([string] $RuleType) + { + $thisId = Get-SqlScriptQueryId -CheckContent $this.SplitCheckContent + + if (-not $this.SetStatus($thisId)) + { + $this.set_QueryId($thisId) + } + } + <# .SYNOPSIS Extracts the rule type from the check-content and sets the value diff --git a/source/Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 b/source/Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 index 4391667d1..eb3754000 100644 --- a/source/Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 +++ b/source/Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 @@ -23,6 +23,7 @@ class SqlScriptQueryRule : Rule [string] $SetScript <#(ExceptionValue)#> [string[]] $Variable [String[]] $VariableValue + [string] $QueryId <# .SYNOPSIS diff --git a/source/PowerStig.psd1 b/source/PowerStig.psd1 index 2b4e10141..75c0a1411 100644 --- a/source/PowerStig.psd1 +++ b/source/PowerStig.psd1 @@ -44,7 +44,7 @@ @{ModuleName = 'GPRegistryPolicyDsc'; ModuleVersion = '1.3.1' }, @{ModuleName = 'PSDscResources'; ModuleVersion = '2.12.0.0' }, @{ModuleName = 'SecurityPolicyDsc'; ModuleVersion = '2.10.0.0' }, - @{ModuleName = 'SqlServerDsc'; ModuleVersion = '15.1.1' }, + @{ModuleName = 'SqlServerDsc'; ModuleVersion = '17.1.0' }, @{ModuleName = 'WindowsDefenderDsc'; ModuleVersion = '2.2.0' }, @{ModuleName = 'xDnsServer'; ModuleVersion = '1.16.0.0' }, @{ModuleName = 'xWebAdministration'; ModuleVersion = '3.2.0' }, diff --git a/source/StigData/Processed/SqlServer-2012-Database-1.19.xml b/source/StigData/Processed/SqlServer-2012-Database-1.19.xml index fbd78b077..225d1c58a 100644 --- a/source/StigData/Processed/SqlServer-2012-Database-1.19.xml 
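Review bot: The `.PARAMETER RuleType` text on `SetQueryId` reads "The type of rule to get the variable string for", which looks copied from the variable setter, and the parameter is not used in the body at all — `Get-SqlScriptQueryId` is called with `$this.SplitCheckContent` only. Either drop the parameter (the call `$this.SetQueryId($ruleType)` added in the same commit would need to change with it) or correct the help to `The type of rule; accepted for signature consistency with the other Set* methods and currently unused.` The `if (-not $this.SetStatus($thisId))` guard reads as an error path, but `Get-SqlScriptQueryId` always returns a non-empty value, so if `SetStatus` only reports null or empty results, as its use here suggests, the `set_QueryId` call is effectively unconditional; a one-line comment such as `# SetStatus cannot fail here; kept for parity with the other setters` would save the next reader from looking for a failure case.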
+++ b/source/StigData/Processed/SqlServer-2012-Database-1.19.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. @@ -795,6 +795,7 @@ The DBMS must provide auditing for the list of events defined by the organizatio False + 6b1826e1-ee86-41a2-8464-9af9cd730b96 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -839,6 +840,7 @@ Within the database, object ownership implies full privileges to the owned objec True {0} is a database owner + baf9f4fc-49bb-40ef-8c1f-5d0b403531f9 Review system documentation to identify SQL Server accounts authorized to own database objects. If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. diff --git a/source/StigData/Processed/SqlServer-2012-Database-1.20.xml b/source/StigData/Processed/SqlServer-2012-Database-1.20.xml index 9a11137df..9cb686f38 100644 --- a/source/StigData/Processed/SqlServer-2012-Database-1.20.xml +++ b/source/StigData/Processed/SqlServer-2012-Database-1.20.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. @@ -795,6 +795,7 @@ The DBMS must provide auditing for the list of events defined by the organizatio False + 6084df45-dac2-4467-b3c4-85ed0d8bea28 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -839,6 +840,7 @@ Within the database, object ownership implies full privileges to the owned objec True {0} is a database owner + 93580376-9eec-4fdd-bf60-bf09ab50f9e9 Review system documentation to identify SQL Server accounts authorized to own database objects. If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. diff --git a/source/StigData/Processed/SqlServer-2012-Instance-1.19.xml b/source/StigData/Processed/SqlServer-2012-Instance-1.19.xml index a1e1b0d63..93e876552 100644 --- a/source/StigData/Processed/SqlServer-2012-Instance-1.19.xml +++ b/source/StigData/Processed/SqlServer-2012-Instance-1.19.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), VPN, or IPSEC tunnel. @@ -4929,6 +4929,7 @@ Some applications that run on SQL Server require the 'sa' account to be enabled False + 4f982e9f-9e6d-4219-b19f-24de8035e099 Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query: USE MASTER @@ -4962,6 +4963,7 @@ Demonstration and sample database objects and applications present publicly know False + d3c17933-935d-4197-8012-86e6f64ebf9d Check SQL Server for the existence of the publicly available "AdventureWorks" database by performing the following query: SELECT name from sysdatabases where name like 'AdventureWorks%'; @@ -4987,6 +4989,7 @@ Demonstration and sample database objects and applications present publicly know False + d89232d5-38d9-46df-a7dc-6b95261a4c30 Check SQL Server for the existence of the publicly available "NorthWind" database by performing the following query: SELECT name from sysdatabases where name like 'Northwind%'; 
@@ -5008,6 +5011,7 @@ Detection of suspicious activity, including access attempts and successful acces False + ffb69915-0a39-4232-aaa6-7fc759436ae7 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5056,6 +5060,7 @@ Note that trace file rollover does not count as an audit failure, provided that True {0} is the path to the trace file + da113a7d-9751-4cb0-9795-3eeaddf6a848 From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5103,6 +5108,7 @@ After the initial setup of SQL Server audit log configuration, it is best to che True {0} is the trace file limit + 361f8bcc-d286-4319-b0c7-1888352baad0 Check the SQL Server audit setting on the maximum number of files of the trace used for the auditing requirement. Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. 
@@ -5115,19 +5121,20 @@ If auditing will outgrow the space reserved for logging before being overwritten TraceFilePath={0} MaxRollOverFileCount={1} MaxTraceFileSize={2} - + <VulnDiscussion>SQL Server auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server does have a means available to add organizationally defined additional, more detailed information in the audit event records. These events may be identified by type, location, or subject. An example of more detailed information the organization may require in audit records could be the name of the application where the request is coming from. Some organizations may determine that more detailed information is required for specific database event types. 
If this information is not available, it could negatively impact forensic investigations into user actions or other malicious events.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 6f1056e6-f7e9-44a5-8d7e-8598aacdbe09 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5161,17 +5168,18 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Database software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed a given action. If user identification information is not recorded and stored with the audit record, the record itself is of very limited use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH 
NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 2924bbbf-5140-446c-9922-3b4e2a586324 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5205,7 +5213,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know the outcome of attempted actions. This requires specific information regarding the outcome of the action or event that the audit record is referring to. If outcome status information is not recorded and stored with the audit record, the record itself is of very limited use. 
@@ -5213,13 +5221,14 @@ SQL Server is capable of a range of actions on data stored within the database. Success and failure indicators ascertain the outcome of a particular event. As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Without knowing the outcome of audit events, it is very difficult to accurately recreate the series of events during forensic analysis. If auditing is enabled, SQL Server does capture the outcome status-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE 
cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 48c2ddad-966a-4092-981c-488abec2af51 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5253,19 +5262,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed what actions. This requires specific information regarding the source of the event an audit record is referring to. If the source of the event information is not recorded and stored with the audit record, the record itself is of very limited use. The source of the event can be a user account and sometimes a system account when timed jobs are run. Without information establishing the source of activity, the value of audit records from a forensics perspective is questionable. 
If auditing is enabled, SQL Server does capture the source of the event-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 63eb1dc7-973f-4e9e-b044-066dfb231c05 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5299,19 +5309,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly where actions were performed. This requires specific information regarding the event location an audit record is referring to. If event location information is not recorded and stored with the audit record, the record itself is of very limited use. An event location can be a database instance, table, column, row, etc. Without sufficient information establishing where the audit events occurred, investigation into the cause of events is severely hindered. 
If auditing is enabled, SQL Server does capture the event location-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 399243aa-fc0b-4cc1-a5b2-f832749168f2 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5345,19 +5356,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly when actions were performed. This requires specific information regarding the date and time an audit record is referring to. If date and time information is not recorded and stored with the audit record, the record itself is of very limited use. If auditing is enabled, SQL Server does capture the date and time-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES 
(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 413cd559-01f3-46bc-9f5a-dddfbe10d33f Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5391,19 +5403,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly what actions were performed. This requires specific information regarding the event type an audit record is referring to. If event type information is not recorded and stored with the audit record, the record itself is of very limited use. If auditing is enabled, SQL Server does capture the event type-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES 
(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 1e2461a2-c431-4666-8871-e16c522ef9d0 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5437,7 +5450,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific application functionalities may be audited, as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked). 
@@ -5445,13 +5458,14 @@ The list of audited events is the set of events for which audits are to be gener Organizations may define the organizational personnel accountable for determining which application components shall provide auditable events. Auditing provides accountability for changes made to the SQL Server configuration or its objects and data. It provides a means to discover suspicious activity and unauthorized changes. Without auditing, a compromise may go undetected and without a means to determine accountability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace 
SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 9f393b55-2a1d-490d-838a-868163a83903 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5496,6 +5510,7 @@ Since the SQL Server 'sa' is administrative in nature, the compromise of a defau True {0} is populated with a non-default SA account name + a18e424b-2c21-4e3b-8aac-b0b326a2b0d3 Verify the SQL Server default 'sa' account name has been changed. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins. 
@@ -5506,15 +5521,16 @@ If SQL Server default 'sa' account name is in the 'Logins' list, this is a findi saAccountName={0} - + <VulnDiscussion>This is intended to limit exposure, by making it possible to trace any unauthorized access to other data or functionality by a privileged user account or role that has permissions on security functions or security-relevant information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL 
END False False + 60f4014f-8484-475e-bdcd-ba8eb872ef9b Check to see that all required events are being audited. From the query prompt: @@ -5569,6 +5585,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 055e42cb-0b7c-434d-9d8b-d8a4d0509418 Obtain the list of accounts that have direct access to the server-level permission 'Alter any endpoint' by running the following query: SELECT @@ -5666,6 +5683,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + a39a6c5a-ab86-4f11-9bd6-d80d8ef0c44a Obtain the list of accounts that have direct access to the server-level permission 'Alter any database' by running the following query: SELECT @@ -5763,6 +5781,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 0ad3fbb9-91a9-45ad-987c-233947c8e3d8 Obtain the list of accounts that have direct access to the server-level permission 'Alter any credential' by running the following query: SELECT @@ -5860,6 +5879,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 8c495943-ab0f-4a49-b239-334f10a256f8 Obtain the list of accounts that have direct access to the server-level permission 'Alter any connection' by running the following query: SELECT @@ -5957,6 +5977,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 5f5bcf65-6c64-4a4c-b64f-94aaaf271356 Obtain the list of accounts that have direct access to the server-level permission 'Alter server state' by running the following query: SELECT @@ -6054,6 +6075,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 1ad66084-ee1e-4e2e-8db8-7ef3aa91b0c5 Obtain the list of accounts that have direct access to the server-level permission 'Alter any event notification' by running the following query: SELECT 
@@ -6151,6 +6173,7 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok True {0} is a user that can view any database + 9d5be458-9fcf-4119-9007-35dc0108c02c Obtain the list of roles that are authorized for the SQL Server 'View any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT @@ -6246,6 +6269,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 3f7835e6-0663-4175-aeb7-562f62d50af9 Obtain the list of accounts that have direct access to the server-level permission 'Alter any server audit' by running the following query: SELECT @@ -6343,6 +6367,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + e99f369e-adb5-42a6-a974-0a528eb4d112 Obtain the list of accounts that have direct access to the server-level permission 'Authenticate Server' by running the following query: SELECT @@ -6440,6 +6465,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 9e7b30f0-3e0d-43f6-8b45-1242d40dee54 Obtain the list of accounts that have direct access to the server-level permission 'Administer bulk operations' by running the following query: SELECT @@ -6537,6 +6563,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 4c2244f9-7a97-4e2b-95f1-8b3816e39d49 Obtain the list of accounts that have direct access to the server-level permission 'Create endpoint' by running the following query: SELECT @@ -6634,6 +6661,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 8938041e-3b27-498e-93d4-ee075b26d182 Obtain the list of accounts that have direct access to the server-level permission 'Create DDL Event Notification' by running the following query: SELECT 
@@ -6732,6 +6760,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + aafcf669-c1c4-41b9-b96d-8aae24e39c6c Obtain the list of accounts that have direct access to the server-level permission 'Create availability group' by running the following query: SELECT @@ -6829,6 +6858,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 3c04c622-4b14-4c63-93a2-26c719c4aecb Obtain the list of accounts that have direct access to the server-level permission 'Create any database' by running the following query: SELECT @@ -6926,6 +6956,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + c6197714-1d46-4d5b-8fe4-6e96256255f2 Obtain the list of accounts that have direct access to the server-level permission 'Control server' by running the following query: SELECT @@ -7023,6 +7054,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 388e1600-fb48-45d0-808c-d8a7799dee93 Obtain the list of accounts that have direct access to the server-level permission 'Alter any linked server' by running the following query: SELECT @@ -7120,6 +7152,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 131216c7-300f-4031-8922-4394e1780101 Obtain the list of accounts that have direct access to the server-level permission 'Alter any event session' by running the following query: SELECT @@ -7217,6 +7250,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + b8871972-7268-4b9b-b837-bdadd1273892 Obtain the list of accounts that have direct access to the server-level permission 'Alter trace' by running the following query: SELECT 
@@ -7314,6 +7348,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + b31cf183-f8ac-416a-a2c8-875fd05b8024 Obtain the list of accounts that have direct access to the server-level permission 'Alter Settings' by running the following query: SELECT @@ -7411,6 +7446,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + d200d9bc-a987-49a7-9e1d-de8abc9edff9 Obtain the list of accounts that have direct access to the server-level permission 'Create trace event notification' by running the following query: SELECT @@ -7508,6 +7544,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 970c16fb-7a98-4040-ae93-393a6e624879 Obtain the list of accounts that have direct access to the server-level permission 'Alter resources' by running the following query: SELECT @@ -7605,6 +7642,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 402c13c8-d77c-406a-a854-1f621efde0ba Obtain the list of accounts that have direct access to the server-level permission 'External access assembly' by running the following query: SELECT @@ -7702,6 +7740,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + d4786177-9049-40b4-9cbb-d9811784ad97 Obtain the list of accounts that have direct access to the server-level permission 'Alter any login' by running the following query: SELECT @@ -7799,6 +7838,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + ecc78282-3c51-4c55-bc68-18a47ef50461 Obtain the list of accounts that have direct access to the server-level permission 'Shutdown' by running the following query: SELECT 
@@ -7896,6 +7936,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + a480e8b4-82b0-4cb5-8405-3341f1174073 Obtain the list of accounts that have direct access to the server-level permission 'Unsafe assembly' by running the following query: SELECT @@ -7993,6 +8034,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 62dbde06-7fef-4a99-90cc-0af782dc210f Obtain the list of accounts that have direct access to the server-level permission 'Create server role' by running the following query: SELECT @@ -8090,6 +8132,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + bce557c8-d6a4-488d-8d5a-85215e22be07 Obtain the list of accounts that have direct access to the server-level permission 'View server state' by running the following query: SELECT @@ -8187,6 +8230,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + fe766e91-f27d-4c44-a56b-8af166b0daf7 Obtain the list of accounts that have direct access to the server-level permission 'Alter any server role' by running the following query: SELECT @@ -8284,6 +8328,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 1f9c4ac3-c8d7-4a57-a2fc-c67169aa0197 Obtain the list of accounts that have direct access to the server-level permission 'View any definition' by running the following query: SELECT 
@@ -8364,19 +8409,20 @@ GO - + <VulnDiscussion>Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to modify an existing account for later use. Notification of account creation is one method and best practice for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and/or application owners exist. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES 
(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 8dc27e2e-5cab-4ca4-ac72-09b61d3f3abd Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -8410,7 +8456,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method and best practice for mitigating this risk. A comprehensive application account management process ensures an audit trail automatically documents the modification of application user accounts and, as required, notifies administrators, application owners, and/or appropriate individuals. Applications must provide this capability directly, leverage complimentary technology providing this capability, or a combination thereof. 
@@ -8418,13 +8464,14 @@ Auditing of account modification is one method and best practice for mitigating Automated account-auditing processes greatly reduce the risk that accounts will be surreptitiously modified, and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, 
EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + f6ed09e4-5fa4-4e5f-97f3-c2bfa0fb8efb Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -8458,20 +8505,21 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network and system access is accomplished by leveraging common communication protocols to establish a remote connection. These connections will typically originate over either the public Internet or the Public Switched Telephone Network (PSTN). Neither of these internetworking mechanisms is private or secure, and they do not by default restrict access to networked resources once connectivity is established. Numerous best practices are employed to protect remote connections, such as utilizing encryption to protect data sessions and firewalls to restrict and control network connectivity. In addition to these protections, auditing must also be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. 
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + cc0ca451-1780-4ecf-98ba-a2fc16bf85f5 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -8522,6 +8570,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 156d2340-bd5c-4381-b7bb-41519ede432c Obtain the list of accounts that have direct access to the server-level permission 'View Any Database' by running the following query: SELECT diff --git a/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml b/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml index e74648fb0..e1f3730dc 100644 --- a/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml +++ b/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), VPN, or IPSEC tunnel. @@ -4929,6 +4929,7 @@ Some applications that run on SQL Server require the 'sa' account to be enabled False + b9b38c01-8b1d-46f4-9e81-b05ae40e0362 Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query: USE MASTER @@ -4962,6 +4963,7 @@ Demonstration and sample database objects and applications present publicly know False + 7ad02e73-dba0-42a7-b917-eedd3c371b6b Check SQL Server for the existence of the publicly available "AdventureWorks" database by performing the following query: SELECT name from sysdatabases where name like 'AdventureWorks%'; @@ -4987,6 +4989,7 @@ Demonstration and sample database objects and applications present publicly know False + af392ad1-5757-4d83-a947-e0fa23e613d3 Check SQL Server for the existence of the publicly available "NorthWind" database by performing the following query: SELECT name from sysdatabases where name like 'Northwind%'; 
@@ -5008,6 +5011,7 @@ Detection of suspicious activity, including access attempts and successful acces False + 59f285c6-a011-47b8-a7a7-215d792dfd93 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5056,6 +5060,7 @@ Note that trace file rollover does not count as an audit failure, provided that True {0} is the path to the trace file + 92f2f6d7-abe4-459b-8b1b-9e5a68156271 From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5103,6 +5108,7 @@ After the initial setup of SQL Server audit log configuration, it is best to che True {0} is the trace file limit + 27c6e939-70e2-408a-83d2-260147717f52 Check the SQL Server audit setting on the maximum number of files of the trace used for the auditing requirement. Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. 
@@ -5115,19 +5121,20 @@ If auditing will outgrow the space reserved for logging before being overwritten TraceFilePath={0} MaxRollOverFileCount={1} MaxTraceFileSize={2} - + <VulnDiscussion>SQL Server auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server does have a means available to add organizationally defined additional, more detailed information in the audit event records. These events may be identified by type, location, or subject. An example of more detailed information the organization may require in audit records could be the name of the application where the request is coming from. Some organizations may determine that more detailed information is required for specific database event types. 
If this information is not available, it could negatively impact forensic investigations into user actions or other malicious events.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + feea7718-853d-4f9c-88ba-3c7f90efa26b Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
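Review bot: The inlined check script added in this hunk declares its cursor variable as `@traceId` but the second fetch, `FETCH NEXT FROM cursorTrace INTO @TraceId`, spells it `@TraceId`; on an instance whose server collation is case-sensitive I believe local-variable names are matched case-sensitively, so that reference may fail to resolve and the check would error out instead of reporting missing audit events. Using one spelling throughout, `FETCH NEXT FROM cursorTrace INTO @traceId`, removes the dependence on collation. The same script text is repeated verbatim in the hunks starting at -5161, -5213, -5253, -5299, -5345, -5391, -5445, -5506 and -8364, so any correction applies to each of them. Since this is a processed data file, the fix presumably belongs in whatever source or generator emits the script rather than in these lines directly.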
@@ -5161,17 +5168,18 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Database software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed a given action. If user identification information is not recorded and stored with the audit record, the record itself is of very limited use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH 
NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 78b12083-9e9f-4edb-9cad-1c40cc17e042 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
@@ -5205,7 +5213,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know the outcome of attempted actions. This requires specific information regarding the outcome of the action or event that the audit record is referring to. If outcome status information is not recorded and stored with the audit record, the record itself is of very limited use.
@@ -5213,13 +5221,14 @@ SQL Server is capable of a range of actions on data stored within the database. Success and failure indicators ascertain the outcome of a particular event. As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Without knowing the outcome of audit events, it is very difficult to accurately recreate the series of events during forensic analysis. If auditing is enabled, SQL Server does capture the outcome status-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE 
cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 067dc003-c192-4226-b0e5-777b2e43f0f3 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5253,19 +5262,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed what actions. This requires specific information regarding the source of the event an audit record is referring to. If the source of the event information is not recorded and stored with the audit record, the record itself is of very limited use. The source of the event can be a user account and sometimes a system account when timed jobs are run. Without information establishing the source of activity, the value of audit records from a forensics perspective is questionable. 
If auditing is enabled, SQL Server does capture the source of the event-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 18494457-144c-42ba-83b3-df8342f3de9a Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5299,19 +5309,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly where actions were performed. This requires specific information regarding the event location an audit record is referring to. If event location information is not recorded and stored with the audit record, the record itself is of very limited use. An event location can be a database instance, table, column, row, etc. Without sufficient information establishing where the audit events occurred, investigation into the cause of events is severely hindered. 
If auditing is enabled, SQL Server does capture the event location-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 9f0926e7-c3a6-4276-828b-98f11db6a5a0 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5345,19 +5356,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly when actions were performed. This requires specific information regarding the date and time an audit record is referring to. If date and time information is not recorded and stored with the audit record, the record itself is of very limited use. If auditing is enabled, SQL Server does capture the date and time-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES 
(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + ab260c20-1c8c-456f-b8ef-cdf82d143344 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5391,19 +5403,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly what actions were performed. This requires specific information regarding the event type an audit record is referring to. If event type information is not recorded and stored with the audit record, the record itself is of very limited use. If auditing is enabled, SQL Server does capture the event type-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES 
(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + a4f81f28-2d60-4ed0-8bf8-0baf6af84696 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
@@ -5437,7 +5450,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific application functionalities may be audited, as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked).
@@ -5445,13 +5458,14 @@ The list of audited events is the set of events for which audits are to be gener Organizations may define the organizational personnel accountable for determining which application components shall provide auditable events. Auditing provides accountability for changes made to the SQL Server configuration or its objects and data. It provides a means to discover suspicious activity and unauthorized changes. Without auditing, a compromise may go undetected and without a means to determine accountability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace 
SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 64d6235c-eb35-4fa3-9b5b-d36538b24bf2 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
@@ -5496,6 +5510,7 @@ Since the SQL Server 'sa' is administrative in nature, the compromise of a defau True {0} is populated with a non-default SA account name + 3e5783c2-e602-45dd-bac6-1cc6c45b3f93 Verify the SQL Server default 'sa' account name has been changed. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins.
@@ -5506,15 +5521,16 @@ If SQL Server default 'sa' account name is in the 'Logins' list, this is a findi saAccountName={0} - + <VulnDiscussion>This is intended to limit exposure, by making it possible to trace any unauthorized access to other data or functionality by a privileged user account or role that has permissions on security functions or security-relevant information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL 
END False False + 31fd616f-36ee-4ed2-b4fe-d849635fa6b2 Check to see that all required events are being audited. From the query prompt:
@@ -5569,6 +5585,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 57ce0555-8423-4679-95cc-27be7cd3845d Obtain the list of accounts that have direct access to the server-level permission 'Alter any endpoint' by running the following query: SELECT
@@ -5666,6 +5683,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 0be052aa-da47-410f-b588-dec06f844cab Obtain the list of accounts that have direct access to the server-level permission 'Alter any database' by running the following query: SELECT
@@ -5763,6 +5781,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 00b83386-bbd6-4b55-847a-0e23a784731f Obtain the list of accounts that have direct access to the server-level permission 'Alter any credential' by running the following query: SELECT
@@ -5860,6 +5879,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 41a9ccc5-f937-4333-8921-0aeb6eaa5be2 Obtain the list of accounts that have direct access to the server-level permission 'Alter any connection' by running the following query: SELECT
@@ -5957,6 +5977,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 189cd72a-495f-4815-95e7-4f0fab6c133e Obtain the list of accounts that have direct access to the server-level permission 'Alter server state' by running the following query: SELECT
@@ -6054,6 +6075,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 67553070-b3c0-4c79-a5b6-8ee41de2ef44 Obtain the list of accounts that have direct access to the server-level permission 'Alter any event notification' by running the following query: SELECT
@@ -6151,6 +6173,7 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok True {0} is a user that can view any database + 7bd7b9a7-68e8-4162-9f6c-beff4fbe2f24 Obtain the list of roles that are authorized for the SQL Server 'View any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT
@@ -6246,6 +6269,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 1654213e-8973-4ccb-bd32-7a131cdaa9aa Obtain the list of accounts that have direct access to the server-level permission 'Alter any server audit' by running the following query: SELECT
@@ -6343,6 +6367,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 89887d00-c318-4730-891b-d436fae39744 Obtain the list of accounts that have direct access to the server-level permission 'Authenticate Server' by running the following query: SELECT
@@ -6440,6 +6465,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + ce01b7ea-6ce6-4679-a3f1-e8e7c4d59a92 Obtain the list of accounts that have direct access to the server-level permission 'Administer bulk operations' by running the following query: SELECT
@@ -6537,6 +6563,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 68e1ba58-b291-4fcb-8eac-719eef8373c3 Obtain the list of accounts that have direct access to the server-level permission 'Create endpoint' by running the following query: SELECT
@@ -6634,6 +6661,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + b328bee5-d076-4bb6-992b-199ef62551f4 Obtain the list of accounts that have direct access to the server-level permission 'Create DDL Event Notification' by running the following query: SELECT
@@ -6732,6 +6760,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 5ff9fdb5-0038-4972-a08e-befdd6f07dd3 Obtain the list of accounts that have direct access to the server-level permission 'Create availability group' by running the following query: SELECT
@@ -6829,6 +6858,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + d921ace7-db5a-4e52-a7a3-84d0539269e6 Obtain the list of accounts that have direct access to the server-level permission 'Create any database' by running the following query: SELECT
@@ -6926,6 +6956,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + f9b17edd-96b8-448d-8261-89df937d7ce5 Obtain the list of accounts that have direct access to the server-level permission 'Control server' by running the following query: SELECT
@@ -7023,6 +7054,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 6c7456b6-4627-4635-9355-f5a9e6d446ca Obtain the list of accounts that have direct access to the server-level permission 'Alter any linked server' by running the following query: SELECT
@@ -7120,6 +7152,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 5f972885-bf21-4818-be87-fc4972a8a805 Obtain the list of accounts that have direct access to the server-level permission 'Alter any event session' by running the following query: SELECT
@@ -7217,6 +7250,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 24c4d8f5-9e30-4da8-887b-9f1c5252f893 Obtain the list of accounts that have direct access to the server-level permission 'Alter trace' by running the following query: SELECT
@@ -7314,6 +7348,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 7c5fdbab-c1d2-4b53-bc4e-ecfaa82df947 Obtain the list of accounts that have direct access to the server-level permission 'Alter Settings' by running the following query: SELECT
@@ -7411,6 +7446,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 81d5d11c-293a-496b-9be3-a0a174049659 Obtain the list of accounts that have direct access to the server-level permission 'Create trace event notification' by running the following query: SELECT
@@ -7508,6 +7544,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 9b2f5001-7fdc-43a6-a761-4ab745472ea9 Obtain the list of accounts that have direct access to the server-level permission 'Alter resources' by running the following query: SELECT
@@ -7605,6 +7642,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 296df99e-7d37-466a-9f0c-3044d00e4efb Obtain the list of accounts that have direct access to the server-level permission 'External access assembly' by running the following query: SELECT
@@ -7702,6 +7740,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 7dcfdbaf-365f-479e-86b4-0d115f18355b Obtain the list of accounts that have direct access to the server-level permission 'Alter any login' by running the following query: SELECT
@@ -7799,6 +7838,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + e53bfbf7-35f8-4120-a970-b54fcf6915ad Obtain the list of accounts that have direct access to the server-level permission 'Shutdown' by running the following query: SELECT
@@ -7896,6 +7936,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 5b8a3ada-4346-4e6a-84f1-89edfafcbb36 Obtain the list of accounts that have direct access to the server-level permission 'Unsafe assembly' by running the following query: SELECT @@ -7993,6 +8034,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 355338d1-4468-4c7f-b518-47f0aa281eb9 Obtain the list of accounts that have direct access to the server-level permission 'Create server role' by running the following query: SELECT @@ -8090,6 +8132,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 7bbca216-ad68-4f79-bbdc-4b22f73020fa Obtain the list of accounts that have direct access to the server-level permission 'View server state' by running the following query: SELECT @@ -8187,6 +8230,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + bccdf694-2a71-46e9-9b62-ab8810f95b69 Obtain the list of accounts that have direct access to the server-level permission 'Alter any server role' by running the following query: SELECT @@ -8284,6 +8328,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + c99c1450-0be5-451a-9434-f3415ce192fc Obtain the list of accounts that have direct access to the server-level permission 'View any definition' by running the following query: SELECT 
@@ -8364,19 +8409,20 @@ GO - + <VulnDiscussion>Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to modify an existing account for later use. Notification of account creation is one method and best practice for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and/or application owners exist. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES 
(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + e5225504-a7be-4745-82ef-2168ff392816 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -8410,7 +8456,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method and best practice for mitigating this risk. A comprehensive application account management process ensures an audit trail automatically documents the modification of application user accounts and, as required, notifies administrators, application owners, and/or appropriate individuals. Applications must provide this capability directly, leverage complimentary technology providing this capability, or a combination thereof. 
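Review bot: The T-SQL that replaces the `V-41021` reference declares its cursor variable as `@traceId` but the second fetch inside the loop reads `FETCH NEXT FROM cursorTrace INTO @TraceId`; on an instance whose server collation is case-sensitive, where local variable names appear to follow that collation, this is an undeclared variable and the whole batch fails, so the rule would never be evaluated rather than reporting a finding. Making the two fetches agree, `FETCH NEXT FROM cursorTrace INTO @traceId`, is enough. The same script is pasted verbatim into the `@@ -8418,13 +8464,14 @@` and `@@ -8458,20 +8505,21 @@` hunks below, so the correction is needed in all three copies, or the script should be defined once and referenced as before. The rule element this script belongs to starts before this hunk.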
@@ -8418,13 +8464,14 @@ Auditing of account modification is one method and best practice for mitigating Automated account-auditing processes greatly reduce the risk that accounts will be surreptitiously modified, and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, 
EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 27e863ff-c656-4c37-8538-f2bd8e774f43 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -8458,20 +8505,21 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network and system access is accomplished by leveraging common communication protocols to establish a remote connection. These connections will typically originate over either the public Internet or the Public Switched Telephone Network (PSTN). Neither of these internetworking mechanisms is private or secure, and they do not by default restrict access to networked resources once connectivity is established. Numerous best practices are employed to protect remote connections, such as utilizing encryption to protect data sessions and firewalls to restrict and control network connectivity. In addition to these protections, auditing must also be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. 
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 7684c047-ec82-43b6-94a7-c5507a58fea7 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -8522,6 +8570,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + e928304e-ba79-4f65-9b76-7dbb54b4f6f8 Obtain the list of accounts that have direct access to the server-level permission 'View Any Database' by running the following query: SELECT diff --git a/source/StigData/Processed/SqlServer-2016-Instance-3.4.xml b/source/StigData/Processed/SqlServer-2016-Instance-3.4.xml index 51bbd5d39..01dc4239e 100644 --- a/source/StigData/Processed/SqlServer-2016-Instance-3.4.xml +++ b/source/StigData/Processed/SqlServer-2016-Instance-3.4.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Database management includes the ability to control the number of users and user sessions utilizing SQL Server. Unlimited concurrent connections to SQL Server could allow a successful denial-of-service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions is helpful in reducing these risks. @@ -761,7 +761,7 @@ If any nonauthorized users have access to the SQL Server Error Log located at Pr In addition, the SQL Server Error Log is also located at Program Files\Microsoft SQL Server\MSSQL.n\MSSQL\LOG\. Review the permissions on this folder to ensure that only authorized users are listed. -If any nonauthorized users have access to the SQL Server Error Log in SQL Server Management Studio or if vendor documentation does not exist stating that full error messages must be returned, this is a finding. +If any nonauthorized users have access to the SQL Server Error Log in SQL Server Management Studio or if documentation does not exist stating that full error messages must be returned, this is a finding. Otherwise, verify if trace flag 3625 is enabled to mask certain system-level error information returned to nonadministrative users. 
@@ -1559,7 +1559,7 @@ If individuals are not individually authenticated before using the shared accoun If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding. - <VulnDiscussion>The DoD standard for authentication is DoD-approved PKI certificates. + <VulnDiscussion>The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate and requires AO approval. @@ -2807,6 +2807,7 @@ Satisfies: SRG-APP-000091-DB-000066</VulnDiscussion><FalsePositives> V-79139 False + 1 Review the system documentation to determine if SQL Server is required to audit the retrieval of privilege/permission/role membership information. If SQL Server is not required to audit the retrieval of privilege/permission/role membership information, this is not a finding. @@ -2845,6 +2846,7 @@ If the SCHEMA_OBJECT_ACCESS_GROUP is not returned in an active audit, this is a V-79141 False + e9ade4e5-5545-46a0-9e50-6083af9d4769 When Audits are enabled, they start up when the instance starts. https://msdn.microsoft.com/en-us/library/cc280386.aspx#Anchor_2 @@ -2876,6 +2878,7 @@ Systems where audit trail completeness is paramount will most likely be at a low V-79147 False + c990b496-3da9-48a4-ae84-5b59133a9473 If the system documentation indicates that availability takes precedence over audit trail completeness, this is not applicable (NA). If SQL Server Audit is in use, review the defined server audits by running the statement: @@ -2906,6 +2909,7 @@ Systems where availability is paramount will most likely be MAC I; the final det V-79149 False + 9cdde175-2eea-4603-9d44-44cefa3876e6 If the system documentation indicates that availability does not take precedence over audit trail completeness, this is not applicable (NA). Execute the following query: 
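Review bot: The `@@ -2807,6 +2807,7 @@` hunk adds a QueryId of `1` to V-79139 while neighbouring rules in the same file get unique GUIDs, and nothing in the diff records what distinguishes the two forms. If, as the reuse of `1` across the audit rules suggests, QueryId is the key that maps to the SqlServerDsc SqlScriptQuery resource Id and equal values are meant to collapse rules sharing one script into a single resource, that convention should be stated where these files are produced, e.g. `<!-- QueryId: rules that share the same value (and therefore the same script) are emitted as one SqlScriptQuery resource; otherwise use a unique GUID -->`. Without it, a maintainer adding a new audit rule with a fresh GUID would silently change how many resources are generated.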
@@ -2938,6 +2942,7 @@ Enforcement actions are the methods or mechanisms used to prevent unauthorized c V-79239 False + 1 Determine if an audit is configured to capture denied actions and started by executing the following query: SELECT name AS 'Audit Name', @@ -3045,6 +3050,7 @@ Satisfies: SRG-APP-000492-DB-000332, SRG-APP-000492-DB-000333</VulnDiscussion V-79251 False + 1 Review the system documentation to determine if SQL Server is required to audit the retrieval of when security objects are accessed. If this is not required, this is not a finding. @@ -3091,6 +3097,7 @@ Satisfies: SRG-APP-000494-DB-000344</VulnDiscussion><FalsePositives> V-79257 False + 1 Review the system documentation to determine if SQL Server is required to audit when data classifications are both successfully and unsuccessfully retrieved. If this is not required, this is not a finding. @@ -3137,6 +3144,7 @@ Satisfies: SRG-APP-000495-DB-000326</VulnDiscussion><FalsePositives> V-79261 False + 1 Check that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query: @@ -3202,6 +3210,7 @@ Satisfies: SRG-APP-000495-DB-000328</VulnDiscussion><FalsePositives> V-79265 False + 1 Check that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query: @@ -3265,6 +3274,7 @@ Satisfies: SRG-APP-000496-DB-000334</VulnDiscussion><FalsePositives> V-79269 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3305,6 +3315,7 @@ Satisfies: SRG-APP-000498-DB-000346</VulnDiscussion><FalsePositives> V-79273 False + 1 Review the system documentation to determine if SQL Server is required to audit when data classifications are successfully and unsuccessfully modified. If this is not required, this is not a finding. 
@@ -3349,6 +3360,7 @@ To aid in diagnosis, it is necessary to keep track of failed attempts in additio V-79277 False + 1 Check that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query. If no records are returned, this is a finding. @@ -3412,6 +3424,7 @@ Satisfies: SRG-APP-000501-DB-000336</VulnDiscussion><FalsePositives> V-79281 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3452,6 +3465,7 @@ Satisfies: SRG-APP-000502-DB-000348</VulnDiscussion><FalsePositives> V-79285 False + 1 Review the system documentation to determine if SQL Server is required to audit when data classifications are successfully and unsuccessfully deleted. If this is not required, this is not a finding. @@ -3494,6 +3508,7 @@ Satisfies: SRG-APP-000503-DB-000350</VulnDiscussion><FalsePositives> V-79289 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3563,6 +3578,7 @@ Note that it is particularly important to audit, and tightly control, any action V-79291 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3642,6 +3658,7 @@ To aid in diagnosis, it is necessary to keep track of failed attempts in additio V-79293 False + 1 Determine if an audit is configured and started by executing the following query. SELECT name AS 'Audit Name', @@ -3744,6 +3761,7 @@ Disconnection may be initiated by the user or forced by the system (as in a time V-79295 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3848,6 +3866,7 @@ Concurrent connections by the same user from multiple workstations may be valid V-79297 False + 1 Determine if an audit is configured and started by executing the following query. SELECT name AS 'Audit Name', 
@@ -3900,6 +3919,7 @@ Satisfies: SRG-APP-000507-DB-000356</VulnDiscussion><FalsePositives> V-79301 False + 1 Review the system documentation to determine if SQL Server is required to audit when successful and unsuccessful accesses to objects occur. If this is not required, this is not a finding. @@ -3944,6 +3964,7 @@ Some applications that run on SQL Server require the [sa] account to be enabled V-79317 False + 56d3330b-d8ed-4527-935d-4617e3cf2bbb Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query: USE master; @@ -3971,6 +3992,7 @@ Since the SQL Server [sa] is administrative in nature, the compromise of a defau V-79319 True {0} is populated with a non-default SA account name + b752adae-4ef0-4ea6-a393-f1a0bc6efd10 Verify the SQL Server default [sa] (system administrator) account name has been changed by executing the following query: USE master; diff --git a/source/StigData/Processed/SqlServer-2016-Instance-3.5.xml b/source/StigData/Processed/SqlServer-2016-Instance-3.5.xml index d375d0c4e..a21823747 100644 --- a/source/StigData/Processed/SqlServer-2016-Instance-3.5.xml +++ b/source/StigData/Processed/SqlServer-2016-Instance-3.5.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Database management includes the ability to control the number of users and user sessions utilizing SQL Server. Unlimited concurrent connections to SQL Server could allow a successful denial-of-service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions is helpful in reducing these risks. 
@@ -2807,6 +2807,7 @@ Satisfies: SRG-APP-000091-DB-000066</VulnDiscussion><FalsePositives> V-79139 False + 1 Review the system documentation to determine if SQL Server is required to audit the retrieval of privilege/permission/role membership information. If SQL Server is not required to audit the retrieval of privilege/permission/role membership information, this is not a finding. @@ -2845,6 +2846,7 @@ If the SCHEMA_OBJECT_ACCESS_GROUP is not returned in an active audit, this is a V-79141 False + 39b790bc-331c-4d3b-b8a3-e4e3ee8d6452 When Audits are enabled, they start up when the instance starts. https://msdn.microsoft.com/en-us/library/cc280386.aspx#Anchor_2 @@ -2876,6 +2878,7 @@ Systems where audit trail completeness is paramount will most likely be at a low V-79147 False + 2ff4a621-0c00-4324-ade3-eec20f4f7daa If the system documentation indicates that availability takes precedence over audit trail completeness, this is not applicable (NA). If SQL Server Audit is in use, review the defined server audits by running the statement: @@ -2906,6 +2909,7 @@ Systems where availability is paramount will most likely be MAC I; the final det V-79149 False + dca41cec-ba31-4a25-bd95-d9b1df2c981d If the system documentation indicates that availability does not take precedence over audit trail completeness, this is not applicable (NA). Execute the following query: @@ -2938,6 +2942,7 @@ Enforcement actions are the methods or mechanisms used to prevent unauthorized c V-79239 False + 1 Determine if an audit is configured to capture denied actions and started by executing the following query: SELECT name AS 'Audit Name', @@ -3045,6 +3050,7 @@ Satisfies: SRG-APP-000492-DB-000332, SRG-APP-000492-DB-000333</VulnDiscussion V-79251 False + 1 Review the system documentation to determine if SQL Server is required to audit the retrieval of when security objects are accessed. If this is not required, this is not a finding. 
@@ -3091,6 +3097,7 @@ Satisfies: SRG-APP-000494-DB-000344</VulnDiscussion><FalsePositives> V-79257 False + 1 Review the system documentation to determine if SQL Server is required to audit when data classifications are both successfully and unsuccessfully retrieved. If this is not required, this is not a finding. @@ -3137,6 +3144,7 @@ Satisfies: SRG-APP-000495-DB-000326</VulnDiscussion><FalsePositives> V-79261 False + 1 Check that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query: @@ -3202,6 +3210,7 @@ Satisfies: SRG-APP-000495-DB-000328</VulnDiscussion><FalsePositives> V-79265 False + 1 Check that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query: @@ -3265,6 +3274,7 @@ Satisfies: SRG-APP-000496-DB-000334</VulnDiscussion><FalsePositives> V-79269 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3305,6 +3315,7 @@ Satisfies: SRG-APP-000498-DB-000346</VulnDiscussion><FalsePositives> V-79273 False + 1 Review the system documentation to determine if SQL Server is required to audit when data classifications are successfully and unsuccessfully modified. If this is not required, this is not a finding. @@ -3349,6 +3360,7 @@ To aid in diagnosis, it is necessary to keep track of failed attempts in additio V-79277 False + 1 Check that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query. If no records are returned, this is a finding. @@ -3412,6 +3424,7 @@ Satisfies: SRG-APP-000501-DB-000336</VulnDiscussion><FalsePositives> V-79281 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', 
@@ -3452,6 +3465,7 @@ Satisfies: SRG-APP-000502-DB-000348</VulnDiscussion><FalsePositives> V-79285 False + 1 Review the system documentation to determine if SQL Server is required to audit when data classifications are successfully and unsuccessfully deleted. If this is not required, this is not a finding. @@ -3494,6 +3508,7 @@ Satisfies: SRG-APP-000503-DB-000350</VulnDiscussion><FalsePositives> V-79289 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3563,6 +3578,7 @@ Note that it is particularly important to audit, and tightly control, any action V-79291 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3642,6 +3658,7 @@ To aid in diagnosis, it is necessary to keep track of failed attempts in additio V-79293 False + 1 Determine if an audit is configured and started by executing the following query. SELECT name AS 'Audit Name', @@ -3744,6 +3761,7 @@ Disconnection may be initiated by the user or forced by the system (as in a time V-79295 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3848,6 +3866,7 @@ Concurrent connections by the same user from multiple workstations may be valid V-79297 False + 1 Determine if an audit is configured and started by executing the following query. SELECT name AS 'Audit Name', @@ -3900,6 +3919,7 @@ Satisfies: SRG-APP-000507-DB-000356</VulnDiscussion><FalsePositives> V-79301 False + 1 Review the system documentation to determine if SQL Server is required to audit when successful and unsuccessful accesses to objects occur. If this is not required, this is not a finding. 
@@ -3944,6 +3964,7 @@ Some applications that run on SQL Server require the [sa] account to be enabled V-79317 False + c560177d-76a2-4d8f-a89a-754c42eaa682 Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query: USE master; @@ -3971,6 +3992,7 @@ Since the SQL Server [sa] is administrative in nature, the compromise of a defau V-79319 True {0} is populated with a non-default SA account name + 17f2104d-da79-489c-ac6f-a89161a6f362 Verify the SQL Server default [sa] (system administrator) account name has been changed by executing the following query: USE master; diff --git a/source/StigData/Processed/SqlServer-2022-Instance-1.1.xml b/source/StigData/Processed/SqlServer-2022-Instance-1.1.xml index 2d2bce961..d27ff5fe2 100644 --- a/source/StigData/Processed/SqlServer-2022-Instance-1.1.xml +++ b/source/StigData/Processed/SqlServer-2022-Instance-1.1.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Database management includes the ability to control the number of users and user sessions using a DBMS. Unlimited concurrent connections to the DBMS could allow a successful denial-of-service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks. @@ -2297,6 +2297,7 @@ Satisfies: SRG-APP-000091-DB-000325, SRG-APP-000091-DB-000066, SRG-APP-000492-DB False + 1 Review the system documentation to determine if SQL Server is required to audit when the following events occur: - Attempts to retrieve privilege/permission/role membership information. 
@@ -2341,6 +2342,7 @@ If the SCHEMA_OBJECT_ACCESS_GROUP is not returned in an active audit, this is a False + dd61f162-5071-4ba1-8b4f-76672e4bba89 When audits are enabled, they start up when the instance starts. Refer to https://msdn.microsoft.com/en-us/library/cc280386.aspx#Anchor_2 Check if an audit is configured and enabled by executing the following query: @@ -2382,6 +2384,7 @@ Satisfies: SRG-APP-000381-DB-000361, SRG-APP-000495-DB-000326, SRG-APP-000495-DB False + 1 Review the SQL configuration to verify that audit records are produced when denied actions occur. To determine if an audit is configured, execute the following script: @@ -2487,6 +2490,7 @@ Satisfies: SRG-APP-000496-DB-000334, SRG-APP-000496-DB-000335, SRG-APP-000501-DB False + 1 Review the SQL configuration to verify that audit records are produced when denied actions occur. To determine if an audit is configured, execute the following script: @@ -2530,6 +2534,7 @@ Satisfies: SRG-APP-000503-DB-000350, SRG-APP-000503-DB-000351, SRG-APP-000506-DB False + 1 Review the SQL configuration to verify that audit records are produced when denied actions occur. To determine if an audit is configured, execute the following script: @@ -2586,6 +2591,7 @@ Some applications that run on SQL Server require the [sa] account to be enabled False + 0f1b5449-dff7-441b-8c1f-70be2c7a2656 Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query: USE master; GO @@ -2613,6 +2619,7 @@ Since the SQL Server [sa] is administrative in nature, the compromise of a defau False + a1dadc26-7d5c-4994-891e-03efc993e26f Verify the SQL Server default [sa] (system administrator) account name has been changed by executing the following query: USE master; GO