From e2eb9fd6ae9f8b248c4383e66f1c3a88039cee4c Mon Sep 17 00:00:00 2001 From: adam <=> Date: Sat, 23 Aug 2025 17:42:28 -0500 Subject: [PATCH 1/3] Modified files to support SqlServerDsc 17.1.0 --- .../Unit/Module/SqlScriptQueryRule.tests.ps1 | 25 +++++ .../Resources/SqlServer.ScriptQuery.ps1 | 6 ++ .../SqlServer/SqlServer.schema.psm1 | 12 ++- .../Rule.SqlScriptQuery/Convert/Methods.ps1 | 31 ++++++ .../Convert/SqlScriptQueryRule.Convert.psm1 | 19 ++++ .../SqlScriptQueryRule.psm1 | 1 + source/PowerStig.psd1 | 2 +- .../SqlServer-2012-Database-1.19.xml | 4 +- .../SqlServer-2012-Database-1.20.xml | 4 +- .../SqlServer-2012-Instance-1.19.xml | 99 ++++++++++++++----- .../SqlServer-2012-Instance-1.20.xml | 99 ++++++++++++++----- .../Processed/SqlServer-2016-Instance-3.3.xml | 24 ++++- .../Processed/SqlServer-2016-Instance-3.4.xml | 28 +++++- 13 files changed, 296 insertions(+), 58 deletions(-) diff --git a/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1 b/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1 index 7fdb6e5ea..898b4244d 100644 --- a/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1 +++ b/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1 
@@ -44,6 +44,7 @@ try Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.' FixText = 'This will not be used for this type of rule.' EventId = '(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178)' + QueryId = '2' } Permission = @{ GetScript = "SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;" @@ -121,6 +122,7 @@ try USE master REVOKE ALTER ANY ENDPOINT TO <'account name'> GO" + QueryId = '2' } SysAdminAccount = @{ GetScript = "USE [master] SELECT name, is_disabled FROM sys.sql_logins WHERE principal_id = 1 AND is_disabled <> 1;" @@ -137,6 +139,7 @@ try USE master; GO ALTER LOGIN [sa] WITH NAME = GO" + QueryId = '2' } Audit = @{ GetScript = "IF Not Exists (SELECT name AS 'Audit Name', status_desc AS 'Audit Status', audit_file_path AS 'Current Audit File' FROM sys.dm_server_audit_status WHERE status_desc = 'STARTED') Select 'Doest exist'" @@ -201,6 +204,7 @@ try SERVER_STATE_CHANGE_GROUP TRACE_CHANGE_GROUP See the supplemental file `"SQL 2016 Audit.sql`". " + QueryId = '1' } PlainSQL = @{ GetScript = "SELECT name from sysdatabases where name like 'AdventureWorks%';" 
@@ -211,6 +215,7 @@ try If the `"AdventureWorks`" database is present, this is a finding." FixText = "Remove the publicly available `"AdventureWorks`" database from SQL Server by running the following query: DROP DATABASE AdventureWorks" + QueryId = '2' } SaAccountRename = @{ GetScript = "SELECT name FROM sys.server_principals WHERE TYPE = 'S' and name not like '%##%'" @@ -222,6 +227,7 @@ try FixText = "Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> click 'sa' account name. Hit <F2> while the name is highlighted in order to edit the name. Rename the 'sa' account." + QueryId = '2' } TraceFileLimit = @{ GetScript = "SELECT * FROM ::fn_trace_getinfo(NULL)" @@ -233,6 +239,7 @@ try If auditing will outgrow the space reserved for logging before being overwritten, this is a finding." FixText = "Configure the maximum number of audit log files that are to be generated, staying within the number of logs the system was sized to support. Update the max_files parameter of the audits to ensure the correct number of files is defined." + QueryId = '2' } ShutdownOnError = @{ GetScript = "SELECT * FROM ::fn_trace_getinfo(NULL)" 
@@ -262,6 +269,7 @@ try FixText = "If a trace does not exist, create a trace specification that complies with requirements. If a trace exists, but is not set to SHUTDOWN_ON_ERROR, modify the SQL Server audit setting to immediately shutdown the database in the event of an audit failure by setting property 1 to a value of 4 or 6 for the audit. (See the SQL Server Help page for sys.sp_trace_create for implementation details.)" + QueryId = '2' } ViewAnyDatabase = @{ GetScript = "SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View any database' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name" @@ -340,6 +348,7 @@ try " FixText = "Remove the `"View any database`" permission access from the role that is not authorized by executing the following query: REVOKE View any database TO <'role name'>" + QueryId = '2' } ChangeDatabaseOwner= @{ GetScript = "select suser_sname(owner_sid) AS 'Owner' from sys.databases where name = `$(Database)" @@ -358,6 +367,7 @@ try Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Databases >> right click <'database name'> >> Properties >> Files. Select new database `"Owner`": Navigate to click on […] >> Select new Database Owner >> Browse… >> click on box to indicate account >> <'OK'> >> <'OK'> >> <'OK'>" + QueryId = '2' } AuditShutDownOnError = @{ GetScript = 'SELECT on_failure_desc FROM sys.server_audits' 
@@ -393,6 +403,7 @@ try GO ALTER SERVER AUDIT [AuditNameHere] WITH (STATE = ON); GO ' + QueryId = '2' } AuditFileSize = @{ GetScript = 'CREATE TABLE #AuditFileSize (Name nvarchar (30),Type_Desc nvarchar (30),Max_RollOver_Files int) INSERT INTO #AuditFileSize (Name, Type_Desc) SELECT Name, type_desc FROM sys.server_audits WHERE is_state_enabled = 1 IF (SELECT Type_Desc FROM #AuditFileSize) = ''FILE'' BEGIN UPDATE #AuditFileSize SET Max_RollOver_Files = (SELECT max_rollover_files FROM sys.server_file_audits) WHERE Name IS NOT NULL END SELECT * FROM #AuditFileSize DROP TABLE #AuditFileSize' @@ -424,6 +435,7 @@ try GO ALTER SERVER AUDIT [AuditName] WITH (STATE = ON); GO ' + QueryId = '2' } } #endregion @@ -468,6 +480,19 @@ try $result | Should be $setScript } } + + Context 'Sql Query Id' { + It 'Should return a query id'{ + $result = Get-SqlScriptQueryId -CheckContent $sqlScriptQueryRule.$($ruleType).CheckContent + if ($rule -eq 'Audit') { + $queryId = '1' + $queryId | Should be '1' + } + else { + $result | Should not be '1' + } + } + } } Context 'Get-Query' { diff --git a/source/DSCResources/Resources/SqlServer.ScriptQuery.ps1 b/source/DSCResources/Resources/SqlServer.ScriptQuery.ps1 index 80c8d3a98..63d652c66 100644 --- a/source/DSCResources/Resources/SqlServer.ScriptQuery.ps1 +++ b/source/DSCResources/Resources/SqlServer.ScriptQuery.ps1 @@ -33,6 +33,8 @@ foreach ($instance in $ServerInstance) TestQuery = $rule.TestScript SetQuery = $rule.SetScript Variable = Format-SqlScriptVariable -Database $db -Variable $($rule.Variable) -VariableValue $($rule.VariableValue) + Encrypt = $encrypt + Id = $rule.QueryId } } } @@ -51,6 +53,8 @@ foreach ($instance in $ServerInstance) TestQuery = $rule.TestScript SetQuery = $rule.SetScript Variable = Format-SqlScriptVariable -Variable $($rule.Variable) -VariableValue $($rule.VariableValue) + Encrypt = $encrypt + Id = $rule.QueryId } continue } 
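Review bot: The new `Context 'Sql Query Id'` block in hunk `@@ -468,6 +480,19 @@` never asserts on `$result` in its audit branch: it assigns `$queryId = '1'` and then checks that same local, which passes whatever `Get-SqlScriptQueryId` returned, and the branch condition reads `$rule` although every other `It` in this file keys on `$ruleType`. Unless `$rule` is set by the enclosing loop (which starts outside the hunk), the condition is always false and only the `Should not be '1'` path ever runs. Replace the audit branch with `if ($ruleType -eq 'Audit') { $result | Should be '1' }` so the test actually pins the behavior the `QueryId = '1'` fixture on the Audit entry describes. The surrounding `try`/`Describe` scaffolding continues outside the hunk.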
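Review bot: `Id = $rule.QueryId` in hunks `@@ -33,6 +33,8 @@` and `@@ -51,6 +53,8 @@` here, and `@@ -62,6 +66,8 @@` on the next line, passes through whatever the processed XML holds, so any rule whose XML was not regenerated with this change carries an empty `Id`; given the Methods.ps1 note that SqlServerDsc 17.0.0 requires it, that would surface as a resource error at compile or apply time rather than a message naming the rule. A guard ahead of the hash tables such as `if ([string]::IsNullOrEmpty($rule.QueryId)) { throw "QueryId missing for SqlScriptQuery rule; regenerate the processed STIG data" }` makes the failure actionable. The `foreach ($instance in $ServerInstance)` loop begins and ends outside these hunks.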
@@ -62,6 +66,8 @@ foreach ($instance in $ServerInstance) GetQuery = $rule.GetScript TestQuery = $rule.TestScript SetQuery = $rule.SetScript + Encrypt = $encrypt + Id = $rule.QueryId } } } diff --git a/source/DSCResources/SqlServer/SqlServer.schema.psm1 b/source/DSCResources/SqlServer/SqlServer.schema.psm1 index 4d855bfab..0205668c9 100644 --- a/source/DSCResources/SqlServer/SqlServer.schema.psm1 +++ b/source/DSCResources/SqlServer/SqlServer.schema.psm1 @@ -21,6 +21,8 @@ using module ..\..\PowerStig.psm1 .PARAMETER Database The Name of the database that you would like to be applied to. This parameter is only used for the SQL Database STIG. + .PARAMETER Encrypt + The Encrypt parameter is used to specify if the connection to the SQL instance should be encrypted. .PARAMETER Exception A hashtable of StigId=Value key pairs that are injected into the STIG data and applied to the target node. The title of STIG settings are tagged with the text 'Exception' to identify @@ -37,6 +39,9 @@ using module ..\..\PowerStig.psm1 .PARAMETER SkipRuleType All STIG rule IDs of the specified type are collected in an array and passed to the Skip-Rule function. Each rule follows the same process as the SkipRule parameter. + .NOTES + Encrypt parameter does not fully support strict mode yet. This is due to a limitation in the SqlServerDsc module + as of version 17.1.0. #> configuration SqlServer { @@ -66,6 +71,11 @@ configuration SqlServer [string[]] $Database, + [Parameter()] + [ValidateSet('Strict', 'Optional', 'Mandatory')] + [string] + $Encrypt = 'Optional', + [Parameter()] [ValidateNotNullOrEmpty()] [hashtable] 
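Review bot: The `ValidateSet` on the new `$Encrypt` parameter in hunk `@@ -66,6 +71,11 @@` accepts `'Strict'` while the `.NOTES` added in `@@ -37,6 +39,9 @@` says strict mode is not fully supported with SqlServerDsc 17.1.0, so a caller can select a mode the configuration cannot honor and will only find out from the underlying resource. Either drop `'Strict'` from the set until it is supported, or state in the `.PARAMETER Encrypt` text (hunk `@@ -21,6 +21,8 @@`) what happens when it is chosen. That text should also list the accepted values and the `'Optional'` default, and say that with `'Optional'` the connection is encrypted only when the instance requires it — that is my reading of the SqlServer module's semantics, worth confirming — so operators who expect the STIG checks to travel over TLS know to set `'Mandatory'`. The `configuration SqlServer` block continues outside these hunks.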
@@ -97,7 +107,7 @@ configuration SqlServer $stig.LoadRules($OrgSettings, $Exception, $SkipRule, $SkipRuleType, $SkipRuleSeverity) ##### END DO NOT MODIFY ##### - Import-DscResource -ModuleName SqlServerDsc -ModuleVersion 15.1.1 + Import-DscResource -ModuleName SqlServerDsc -ModuleVersion 17.1.0 . "$resourcePath\SqlServer.ScriptQuery.ps1" . "$resourcePath\SqlServer.SqlLogin.ps1" . "$resourcePath\SqlServer.SqlProtocol.ps1" diff --git a/source/Module/Rule.SqlScriptQuery/Convert/Methods.ps1 b/source/Module/Rule.SqlScriptQuery/Convert/Methods.ps1 index 4d709ce2c..67ece639b 100644 --- a/source/Module/Rule.SqlScriptQuery/Convert/Methods.ps1 +++ b/source/Module/Rule.SqlScriptQuery/Convert/Methods.ps1 @@ -2225,4 +2225,35 @@ function Get-SqlScriptQueryOrganizationValueTestString } } +<# + .SYNOPSIS + Creates a unique ID for the SqlScriptQuery resource. + .Notes + Required as of version SqlServerDsc 17.0.0. +#> +function Get-SqlScriptQueryId +{ + [CmdletBinding()] + [OutputType([string])] + param + ( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string[]] + $CheckContent + ) + + $collection = Get-AuditEvents -CheckContent $CheckContent + if ($collection) + { + $queryId = '1' + } + else + { + $queryId = New-Guid + } + + return $queryId +} + #endregion Helper Functions diff --git a/source/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 b/source/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 index 0a48da7d6..57d67ef1f 100644 --- a/source/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 +++ b/source/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 @@ -47,6 +47,7 @@ class SqlScriptQueryRuleConvert : SqlScriptQueryRule $this.SetTestScript($ruleType) $this.SetSetScript($ruleType, $fixText) $this.SetVariable($ruleType) + $this.SetQueryId($ruleType) if ($null -ne $this.Variable) { $this.SetOrganizationValueTestString($ruleType) 
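Review bot: `Get-SqlScriptQueryId` in hunk `@@ -2225,4 +2225,35 @@` does not produce the unique ID its `.SYNOPSIS` promises: every rule for which `Get-AuditEvents` returns something gets the constant `'1'`, and every other rule gets a fresh `New-Guid` on each conversion run, which is why the processed XML hunks in this patch carry a different GUID per rule and will churn on every regeneration. If `Id` is a key property in SqlServerDsc 17 (the help says it is required as of 17.0.0; worth confirming against the resource), two event-audit rules compiled into one configuration for the same instance would also collide on `'1'`. A deterministic value derived from the STIG rule id, passed in as an additional parameter, would be stable across conversions and distinct per rule. Two smaller points: `.Notes` should be `.NOTES` to match the other comment-based help in this file, and `[OutputType([string])]` is declared while the else branch returns a `[guid]`, so `$queryId = (New-Guid).ToString()` would keep the declared type honest.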
@@ -141,6 +142,24 @@ class SqlScriptQueryRuleConvert : SqlScriptQueryRule } } + <# + .SYNOPSIS + Creates a unique ID for the SqlScriptQuery resource. + .DESCRIPTION + Gets the id string to be used in the SqlScriptQuery resource + .PARAMETER RuleType + The type of rule to get the variable string for. + #> + [void] SetQueryId ([string] $RuleType) + { + $thisId = Get-SqlScriptQueryId -CheckContent $this.SplitCheckContent + + if (-not $this.SetStatus($thisId)) + { + $this.set_QueryId($thisId) + } + } + <# .SYNOPSIS Extracts the rule type from the check-content and sets the value diff --git a/source/Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 b/source/Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 index 4391667d1..eb3754000 100644 --- a/source/Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 +++ b/source/Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 @@ -23,6 +23,7 @@ class SqlScriptQueryRule : Rule [string] $SetScript <#(ExceptionValue)#> [string[]] $Variable [String[]] $VariableValue + [string] $QueryId <# .SYNOPSIS diff --git a/source/PowerStig.psd1 b/source/PowerStig.psd1 index 7862659f3..8ba623b75 100644 --- a/source/PowerStig.psd1 +++ b/source/PowerStig.psd1 @@ -44,7 +44,7 @@ @{ModuleName = 'GPRegistryPolicyDsc'; ModuleVersion = '1.3.1'}, @{ModuleName = 'PSDscResources'; ModuleVersion = '2.12.0.0'}, @{ModuleName = 'SecurityPolicyDsc'; ModuleVersion = '2.10.0.0'}, - @{ModuleName = 'SqlServerDsc'; ModuleVersion = '15.1.1'}, + @{ModuleName = 'SqlServerDsc'; ModuleVersion = '17.1.0'}, @{ModuleName = 'WindowsDefenderDsc'; ModuleVersion = '2.2.0'}, @{ModuleName = 'xDnsServer'; ModuleVersion = '1.16.0.0'}, @{ModuleName = 'xWebAdministration'; ModuleVersion = '3.2.0'}, diff --git a/source/StigData/Processed/SqlServer-2012-Database-1.19.xml b/source/StigData/Processed/SqlServer-2012-Database-1.19.xml index fbd78b077..9d76b518d 100644 --- a/source/StigData/Processed/SqlServer-2012-Database-1.19.xml 
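Review bot: `SetQueryId` accepts `$RuleType` but never reads it, and its `.PARAMETER RuleType` text ("The type of rule to get the variable string for") is copied from a sibling method and describes something this method does not do. Either drop the parameter, changing the single caller `$this.SetQueryId($ruleType)` in `@@ -47,6 +47,7 @@` to match, or document why the signature deliberately mirrors `SetVariable`. The `.DESCRIPTION` should also say what the value is for, e.g. `Computes the Id that SqlServer.ScriptQuery.ps1 passes to the SqlScriptQuery resource (required by SqlServerDsc 17.0.0) and stores it in QueryId unless SetStatus rejects the value`. The `SqlScriptQueryRuleConvert` class begins and ends outside the hunk.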
+++ b/source/StigData/Processed/SqlServer-2012-Database-1.19.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. @@ -795,6 +795,7 @@ The DBMS must provide auditing for the list of events defined by the organizatio False + cb0f3ba2-2f8b-4ad1-9a5f-9cf471b72656 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -839,6 +840,7 @@ Within the database, object ownership implies full privileges to the owned objec True {0} is a database owner + 3e14b6ec-8842-4770-8451-d2f23e8e811f Review system documentation to identify SQL Server accounts authorized to own database objects. If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. diff --git a/source/StigData/Processed/SqlServer-2012-Database-1.20.xml b/source/StigData/Processed/SqlServer-2012-Database-1.20.xml index 9a11137df..81c99e130 100644 --- a/source/StigData/Processed/SqlServer-2012-Database-1.20.xml +++ b/source/StigData/Processed/SqlServer-2012-Database-1.20.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. @@ -795,6 +795,7 @@ The DBMS must provide auditing for the list of events defined by the organizatio False + 997c034d-5f51-43ee-a4ab-15abc3230d2f Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -839,6 +840,7 @@ Within the database, object ownership implies full privileges to the owned objec True {0} is a database owner + 1a675b3e-cafe-487f-9e87-153bd8e44abf Review system documentation to identify SQL Server accounts authorized to own database objects. If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. diff --git a/source/StigData/Processed/SqlServer-2012-Instance-1.19.xml b/source/StigData/Processed/SqlServer-2012-Instance-1.19.xml index a1e1b0d63..715f2bd2d 100644 --- a/source/StigData/Processed/SqlServer-2012-Instance-1.19.xml +++ b/source/StigData/Processed/SqlServer-2012-Instance-1.19.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), VPN, or IPSEC tunnel. @@ -4929,6 +4929,7 @@ Some applications that run on SQL Server require the 'sa' account to be enabled False + d2cf69c0-3a8a-433c-b0fd-f8a62efc6b9c Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query: USE MASTER @@ -4962,6 +4963,7 @@ Demonstration and sample database objects and applications present publicly know False + 3d823404-5d18-43f5-af17-f193bce245ed Check SQL Server for the existence of the publicly available "AdventureWorks" database by performing the following query: SELECT name from sysdatabases where name like 'AdventureWorks%'; @@ -4987,6 +4989,7 @@ Demonstration and sample database objects and applications present publicly know False + 6799db0f-a69d-4324-a087-691a7942e1f3 Check SQL Server for the existence of the publicly available "NorthWind" database by performing the following query: SELECT name from sysdatabases where name like 'Northwind%'; 
@@ -5008,6 +5011,7 @@ Detection of suspicious activity, including access attempts and successful acces False + f5208f8a-b70c-4c8e-87ba-06f6aaf10ddf Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5056,6 +5060,7 @@ Note that trace file rollover does not count as an audit failure, provided that True {0} is the path to the trace file + 33d8559a-1b6b-4f01-964e-0532f523389b From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5103,6 +5108,7 @@ After the initial setup of SQL Server audit log configuration, it is best to che True {0} is the trace file limit + 03e1d08c-b54f-4d7d-a7b7-e6cba237769e Check the SQL Server audit setting on the maximum number of files of the trace used for the auditing requirement. Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. 
@@ -5115,19 +5121,20 @@ If auditing will outgrow the space reserved for logging before being overwritten TraceFilePath={0} MaxRollOverFileCount={1} MaxTraceFileSize={2} - + <VulnDiscussion>SQL Server auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server does have a means available to add organizationally defined additional, more detailed information in the audit event records. These events may be identified by type, location, or subject. An example of more detailed information the organization may require in audit records could be the name of the application where the request is coming from. Some organizations may determine that more detailed information is required for specific database event types. 
If this information is not available, it could negatively impact forensic investigations into user actions or other malicious events.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + d453478a-f28d-420c-8eb0-a2e42b5fb275 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5161,17 +5168,18 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Database software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed a given action. If user identification information is not recorded and stored with the audit record, the record itself is of very limited use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH 
NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 2eaee00c-de05-4319-b75d-ae59d2dbf88b Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5205,7 +5213,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know the outcome of attempted actions. This requires specific information regarding the outcome of the action or event that the audit record is referring to. If outcome status information is not recorded and stored with the audit record, the record itself is of very limited use. 
@@ -5213,13 +5221,14 @@ SQL Server is capable of a range of actions on data stored within the database. Success and failure indicators ascertain the outcome of a particular event. As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Without knowing the outcome of audit events, it is very difficult to accurately recreate the series of events during forensic analysis. If auditing is enabled, SQL Server does capture the outcome status-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE 
cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 43224d6c-a8c3-489f-9636-897f2af056c9 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5253,19 +5262,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed what actions. This requires specific information regarding the source of the event an audit record is referring to. If the source of the event information is not recorded and stored with the audit record, the record itself is of very limited use. The source of the event can be a user account and sometimes a system account when timed jobs are run. Without information establishing the source of activity, the value of audit records from a forensics perspective is questionable. 
If auditing is enabled, SQL Server does capture the source of the event-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 16ee74f8-f8e2-487a-9bef-d268674ce90d Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5299,19 +5309,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly where actions were performed. This requires specific information regarding the event location an audit record is referring to. If event location information is not recorded and stored with the audit record, the record itself is of very limited use. An event location can be a database instance, table, column, row, etc. Without sufficient information establishing where the audit events occurred, investigation into the cause of events is severely hindered. 
If auditing is enabled, SQL Server does capture the event location-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 833a13e3-8ee8-4f6c-a11e-b03718ee0f38 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5345,19 +5356,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly when actions were performed. This requires specific information regarding the date and time an audit record is referring to. If date and time information is not recorded and stored with the audit record, the record itself is of very limited use. If auditing is enabled, SQL Server does capture the date and time-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES 
(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 892bde48-4315-4ea8-9dc2-ce40bfcdf0b7 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5391,19 +5403,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly what actions were performed. This requires specific information regarding the event type an audit record is referring to. If event type information is not recorded and stored with the audit record, the record itself is of very limited use. If auditing is enabled, SQL Server does capture the event type-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES 
(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + c578699d-7095-4c1d-8206-67ebea9e7b3d Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5437,7 +5450,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific application functionalities may be audited, as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked). 
@@ -5445,13 +5458,14 @@ The list of audited events is the set of events for which audits are to be gener Organizations may define the organizational personnel accountable for determining which application components shall provide auditable events. Auditing provides accountability for changes made to the SQL Server configuration or its objects and data. It provides a means to discover suspicious activity and unauthorized changes. Without auditing, a compromise may go undetected and without a means to determine accountability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace 
SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + da37067c-c2f0-4516-b04f-2b2ba14a5950 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5496,6 +5510,7 @@ Since the SQL Server 'sa' is administrative in nature, the compromise of a defau True {0} is populated with a non-default SA account name + 6c668e0a-a95b-41d7-a442-9f800bc394d6 Verify the SQL Server default 'sa' account name has been changed. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins. 
@@ -5506,15 +5521,16 @@ If SQL Server default 'sa' account name is in the 'Logins' list, this is a findi saAccountName={0} - + <VulnDiscussion>This is intended to limit exposure, by making it possible to trace any unauthorized access to other data or functionality by a privileged user account or role that has permissions on security functions or security-relevant information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL 
END False False + e7fc90b1-4b63-4f0d-aad1-8d944155ee55 Check to see that all required events are being audited. From the query prompt: @@ -5569,6 +5585,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 0f0f07a8-f2ca-4f4a-a938-ef8781b9d396 Obtain the list of accounts that have direct access to the server-level permission 'Alter any endpoint' by running the following query: SELECT @@ -5666,6 +5683,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 8f5a489e-6aab-4014-b80f-224827589f9f Obtain the list of accounts that have direct access to the server-level permission 'Alter any database' by running the following query: SELECT @@ -5763,6 +5781,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + f3d06b3d-502f-4c61-9b2c-cb8c3c5c9ac1 Obtain the list of accounts that have direct access to the server-level permission 'Alter any credential' by running the following query: SELECT @@ -5860,6 +5879,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + e23892a7-60f2-4df4-8348-eeec7eb1da1d Obtain the list of accounts that have direct access to the server-level permission 'Alter any connection' by running the following query: SELECT @@ -5957,6 +5977,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 5577bcb9-0b5e-42a1-abc2-d9f42656fa85 Obtain the list of accounts that have direct access to the server-level permission 'Alter server state' by running the following query: SELECT @@ -6054,6 +6075,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 964107ee-9a93-4d13-9a55-086d7db706b8 Obtain the list of accounts that have direct access to the server-level permission 'Alter any event notification' by running the following query: SELECT 
@@ -6151,6 +6173,7 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok True {0} is a user that can view any database + ea1fc987-85e4-4969-a880-6067a1680106 Obtain the list of roles that are authorized for the SQL Server 'View any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT @@ -6246,6 +6269,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + ec54551c-8f3c-4e20-9297-4657eb69892a Obtain the list of accounts that have direct access to the server-level permission 'Alter any server audit' by running the following query: SELECT @@ -6343,6 +6367,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 07921e55-989c-485f-a8e2-f3d383f6d420 Obtain the list of accounts that have direct access to the server-level permission 'Authenticate Server' by running the following query: SELECT @@ -6440,6 +6465,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 1d349d7d-168e-4479-acba-bff85f1f7ea8 Obtain the list of accounts that have direct access to the server-level permission 'Administer bulk operations' by running the following query: SELECT @@ -6537,6 +6563,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 24813c80-ceb4-4473-9ce8-7ca51e06ec2a Obtain the list of accounts that have direct access to the server-level permission 'Create endpoint' by running the following query: SELECT @@ -6634,6 +6661,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + d65eb92d-f5be-4767-bbe5-0ff5225d57fc Obtain the list of accounts that have direct access to the server-level permission 'Create DDL Event Notification' by running the following query: SELECT 
@@ -6732,6 +6760,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + ebcc3b9e-1372-438f-9683-a17a8e020bd8 Obtain the list of accounts that have direct access to the server-level permission 'Create availability group' by running the following query: SELECT @@ -6829,6 +6858,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 04251e61-1c27-4174-ac59-3dbb37653074 Obtain the list of accounts that have direct access to the server-level permission 'Create any database' by running the following query: SELECT @@ -6926,6 +6956,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 0f2eb710-d963-435a-b173-5ac3b3d623dd Obtain the list of accounts that have direct access to the server-level permission 'Control server' by running the following query: SELECT @@ -7023,6 +7054,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 8a69ecc9-aee8-4fb6-906d-4f74c330583c Obtain the list of accounts that have direct access to the server-level permission 'Alter any linked server' by running the following query: SELECT @@ -7120,6 +7152,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + f6f04556-7198-4caf-b276-df7dfe2128ac Obtain the list of accounts that have direct access to the server-level permission 'Alter any event session' by running the following query: SELECT @@ -7217,6 +7250,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 735bd361-c2b6-4f4c-abf4-7229f2785d53 Obtain the list of accounts that have direct access to the server-level permission 'Alter trace' by running the following query: SELECT 
@@ -7314,6 +7348,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 605b7fef-bc8c-4a19-ae94-0cb859aeba21 Obtain the list of accounts that have direct access to the server-level permission 'Alter Settings' by running the following query: SELECT @@ -7411,6 +7446,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 9cd46062-49f9-40e0-8ac8-f87fe2be96f4 Obtain the list of accounts that have direct access to the server-level permission 'Create trace event notification' by running the following query: SELECT @@ -7508,6 +7544,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + d64ad30d-60a9-48f3-9470-27f15d23e2a5 Obtain the list of accounts that have direct access to the server-level permission 'Alter resources' by running the following query: SELECT @@ -7605,6 +7642,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 6c3dd820-5223-4a4e-800d-df961ede1565 Obtain the list of accounts that have direct access to the server-level permission 'External access assembly' by running the following query: SELECT @@ -7702,6 +7740,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 09969c90-7c78-4890-b598-0aa4c2183406 Obtain the list of accounts that have direct access to the server-level permission 'Alter any login' by running the following query: SELECT @@ -7799,6 +7838,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + b967a22b-62ba-403c-99b5-b36aa394f580 Obtain the list of accounts that have direct access to the server-level permission 'Shutdown' by running the following query: SELECT 
@@ -7896,6 +7936,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 7d6a4fb3-dd3e-4b43-b933-6b079d77239d Obtain the list of accounts that have direct access to the server-level permission 'Unsafe assembly' by running the following query: SELECT @@ -7993,6 +8034,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 9cd70d59-027c-434f-944b-52f10cef7362 Obtain the list of accounts that have direct access to the server-level permission 'Create server role' by running the following query: SELECT @@ -8090,6 +8132,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 66e50e92-1b16-4f7e-bfd4-1c3906917158 Obtain the list of accounts that have direct access to the server-level permission 'View server state' by running the following query: SELECT @@ -8187,6 +8230,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 434f36ca-d0b3-401b-b790-b0bc9443d2d3 Obtain the list of accounts that have direct access to the server-level permission 'Alter any server role' by running the following query: SELECT @@ -8284,6 +8328,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + d7db65f6-2023-4878-9b1d-2ee3b064d158 Obtain the list of accounts that have direct access to the server-level permission 'View any definition' by running the following query: SELECT 
@@ -8364,19 +8409,20 @@ GO - + <VulnDiscussion>Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to modify an existing account for later use. Notification of account creation is one method and best practice for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and/or application owners exist. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES 
(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 3f0285fb-cf9a-47f7-b442-d1645ac4979a Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -8410,7 +8456,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method and best practice for mitigating this risk. A comprehensive application account management process ensures an audit trail automatically documents the modification of application user accounts and, as required, notifies administrators, application owners, and/or appropriate individuals. Applications must provide this capability directly, leverage complimentary technology providing this capability, or a combination thereof. 
@@ -8418,13 +8464,14 @@ Auditing of account modification is one method and best practice for mitigating Automated account-auditing processes greatly reduce the risk that accounts will be surreptitiously modified, and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, 
EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 5a2c6e8b-fe79-4a31-a710-336c17efc42e Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -8458,20 +8505,21 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network and system access is accomplished by leveraging common communication protocols to establish a remote connection. These connections will typically originate over either the public Internet or the Public Switched Telephone Network (PSTN). Neither of these internetworking mechanisms is private or secure, and they do not by default restrict access to networked resources once connectivity is established. Numerous best practices are employed to protect remote connections, such as utilizing encryption to protect data sessions and firewalls to restrict and control network connectivity. In addition to these protections, auditing must also be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. 
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 764a8eed-175d-4f02-b8e6-775a5e8437e4 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -8522,6 +8570,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 713d0fc2-1f5a-47e9-a9f1-f596b5002f3e Obtain the list of accounts that have direct access to the server-level permission 'View Any Database' by running the following query: SELECT diff --git a/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml b/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml index e74648fb0..9c9e896fa 100644 --- a/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml +++ b/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), VPN, or IPSEC tunnel. @@ -4929,6 +4929,7 @@ Some applications that run on SQL Server require the 'sa' account to be enabled False + 18bb8f8b-1e5d-4da9-b18a-ca2ca5ab2f00 Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query: USE MASTER @@ -4962,6 +4963,7 @@ Demonstration and sample database objects and applications present publicly know False + b2579ca1-fbe1-4799-802f-5d9f02ba44de Check SQL Server for the existence of the publicly available "AdventureWorks" database by performing the following query: SELECT name from sysdatabases where name like 'AdventureWorks%'; @@ -4987,6 +4989,7 @@ Demonstration and sample database objects and applications present publicly know False + 4e2f03cc-fb1a-45a4-baaa-92ca06b304ff Check SQL Server for the existence of the publicly available "NorthWind" database by performing the following query: SELECT name from sysdatabases where name like 'Northwind%'; 
@@ -5008,6 +5011,7 @@ Detection of suspicious activity, including access attempts and successful acces False + 683f3145-a7ff-46a4-8839-042d5e03ee82 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5056,6 +5060,7 @@ Note that trace file rollover does not count as an audit failure, provided that True {0} is the path to the trace file + 3622a024-d24c-4d02-a9ad-37224f55dccc From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5103,6 +5108,7 @@ After the initial setup of SQL Server audit log configuration, it is best to che True {0} is the trace file limit + 813a8856-dd0f-4ec0-901a-fdb828d50255 Check the SQL Server audit setting on the maximum number of files of the trace used for the auditing requirement. Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. 
@@ -5115,19 +5121,20 @@ If auditing will outgrow the space reserved for logging before being overwritten TraceFilePath={0} MaxRollOverFileCount={1} MaxTraceFileSize={2} - + <VulnDiscussion>SQL Server auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server does have a means available to add organizationally defined additional, more detailed information in the audit event records. These events may be identified by type, location, or subject. An example of more detailed information the organization may require in audit records could be the name of the application where the request is coming from. Some organizations may determine that more detailed information is required for specific database event types. 
If this information is not available, it could negatively impact forensic investigations into user actions or other malicious events.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 595de426-b0f6-4d22-8a45-7f5142931136 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
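Review bot: The inlined trace-check script added in this hunk declares its cursor variable as `DECLARE @traceId INT` but the second fetch reads `FETCH NEXT FROM cursorTrace INTO @TraceId`; T-SQL variable names follow the instance collation, so on a case-sensitive collation this batch fails with an undeclared-variable error and the rule can never evaluate. Change the inner fetch to `FETCH NEXT FROM cursorTrace INTO @traceId` so it matches the declaration. The same script text replaces the former `V-41021` cross-reference in the hunks at -5161, -5213, -5253, -5299, -5345, -5391, -5445, -5506 and -8364 (the last runs past this view), so the fix applies to each copy, and the required event-ID list now has to be kept in sync across every copy instead of in one place. The script also returns two result sets (`SELECT * FROM #StigEvent` ahead of the `NotFound` query), so if the consumer of this element treats any returned row as non-compliance the first set is never empty; which element (Get/Test/Set) this is cannot be confirmed here because the XML tags were stripped in this rendering.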
@@ -5161,17 +5168,18 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Database software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed a given action. If user identification information is not recorded and stored with the audit record, the record itself is of very limited use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH 
NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + df0381fb-7e72-4dda-a07a-0b7c7127d928 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5205,7 +5213,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know the outcome of attempted actions. This requires specific information regarding the outcome of the action or event that the audit record is referring to. If outcome status information is not recorded and stored with the audit record, the record itself is of very limited use. 
@@ -5213,13 +5221,14 @@ SQL Server is capable of a range of actions on data stored within the database. Success and failure indicators ascertain the outcome of a particular event. As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Without knowing the outcome of audit events, it is very difficult to accurately recreate the series of events during forensic analysis. If auditing is enabled, SQL Server does capture the outcome status-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE 
cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 3d282c8d-f771-4aa5-9788-447d7dfda641 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5253,19 +5262,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed what actions. This requires specific information regarding the source of the event an audit record is referring to. If the source of the event information is not recorded and stored with the audit record, the record itself is of very limited use. The source of the event can be a user account and sometimes a system account when timed jobs are run. Without information establishing the source of activity, the value of audit records from a forensics perspective is questionable. 
If auditing is enabled, SQL Server does capture the source of the event-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 7cd71d55-f4ac-405d-8194-ea09c4277db1 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5299,19 +5309,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly where actions were performed. This requires specific information regarding the event location an audit record is referring to. If event location information is not recorded and stored with the audit record, the record itself is of very limited use. An event location can be a database instance, table, column, row, etc. Without sufficient information establishing where the audit events occurred, investigation into the cause of events is severely hindered. 
If auditing is enabled, SQL Server does capture the event location-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 1519bb3c-d427-4d35-9dcf-88d0ecd9d339 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5345,19 +5356,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly when actions were performed. This requires specific information regarding the date and time an audit record is referring to. If date and time information is not recorded and stored with the audit record, the record itself is of very limited use. If auditing is enabled, SQL Server does capture the date and time-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES 
(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 1bba013b-9772-493b-8b4b-e2c2f3318d4e Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5391,19 +5403,20 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly what actions were performed. This requires specific information regarding the event type an audit record is referring to. If event type information is not recorded and stored with the audit record, the record itself is of very limited use. If auditing is enabled, SQL Server does capture the event type-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES 
(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + e460400a-4c45-4933-8577-3ffb2a92036d Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5437,7 +5450,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific application functionalities may be audited, as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked). 
@@ -5445,13 +5458,14 @@ The list of audited events is the set of events for which audits are to be gener Organizations may define the organizational personnel accountable for determining which application components shall provide auditable events. Auditing provides accountability for changes made to the SQL Server configuration or its objects and data. It provides a means to discover suspicious activity and unauthorized changes. Without auditing, a compromise may go undetected and without a means to determine accountability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace 
SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + f2b122cf-1e8f-4bb3-be9d-3fc7274a59a1 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5496,6 +5510,7 @@ Since the SQL Server 'sa' is administrative in nature, the compromise of a defau True {0} is populated with a non-default SA account name + b1c7ccab-4a83-49f0-95e5-ee53e672aef3 Verify the SQL Server default 'sa' account name has been changed. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins. 
@@ -5506,15 +5521,16 @@ If SQL Server default 'sa' account name is in the 'Logins' list, this is a findi saAccountName={0} - + <VulnDiscussion>This is intended to limit exposure, by making it possible to trace any unauthorized access to other data or functionality by a privileged user account or role that has permissions on security functions or security-relevant information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL 
END False False + e63f70d7-3b69-4d60-bbb2-e3ea8c6873ae Check to see that all required events are being audited. From the query prompt: @@ -5569,6 +5585,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 0867fab9-c929-46d0-82c0-afff5bfc5ce8 Obtain the list of accounts that have direct access to the server-level permission 'Alter any endpoint' by running the following query: SELECT @@ -5666,6 +5683,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 5e600191-d7de-435b-bfa8-2260e55680a5 Obtain the list of accounts that have direct access to the server-level permission 'Alter any database' by running the following query: SELECT @@ -5763,6 +5781,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 4d807725-ebc4-46e7-b7d8-7ed7f2b6d2fb Obtain the list of accounts that have direct access to the server-level permission 'Alter any credential' by running the following query: SELECT @@ -5860,6 +5879,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 3bde76c0-0a92-4dd4-b0de-1d2d330af58e Obtain the list of accounts that have direct access to the server-level permission 'Alter any connection' by running the following query: SELECT @@ -5957,6 +5977,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + d404bc8a-090d-42c9-871b-eda7d70348c7 Obtain the list of accounts that have direct access to the server-level permission 'Alter server state' by running the following query: SELECT @@ -6054,6 +6075,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + e14c6984-6772-4588-8dd2-944ad3365545 Obtain the list of accounts that have direct access to the server-level permission 'Alter any event notification' by running the following query: SELECT 
@@ -6151,6 +6173,7 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok True {0} is a user that can view any database + e5f7c20f-0541-48f9-ab28-8184ea32a88a Obtain the list of roles that are authorized for the SQL Server 'View any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT @@ -6246,6 +6269,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 79025981-6f64-41d0-9506-2f4ce62ab016 Obtain the list of accounts that have direct access to the server-level permission 'Alter any server audit' by running the following query: SELECT @@ -6343,6 +6367,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 6e6a1df4-51bc-4dd2-9bd9-4f53af754488 Obtain the list of accounts that have direct access to the server-level permission 'Authenticate Server' by running the following query: SELECT @@ -6440,6 +6465,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 4637e7ec-2c7e-4492-a9c8-4b5d6094c86d Obtain the list of accounts that have direct access to the server-level permission 'Administer bulk operations' by running the following query: SELECT @@ -6537,6 +6563,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + e0e9ffd1-86f7-4c94-98d8-08f529f8133f Obtain the list of accounts that have direct access to the server-level permission 'Create endpoint' by running the following query: SELECT @@ -6634,6 +6661,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + d8ac7a53-af2e-4487-93fd-296e8ad3953b Obtain the list of accounts that have direct access to the server-level permission 'Create DDL Event Notification' by running the following query: SELECT 
@@ -6732,6 +6760,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + b7b30f96-5b93-404a-b32a-1ac89fcf8672 Obtain the list of accounts that have direct access to the server-level permission 'Create availability group' by running the following query: SELECT @@ -6829,6 +6858,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + b24a2d39-225d-4d33-a5a4-e3be06dd2205 Obtain the list of accounts that have direct access to the server-level permission 'Create any database' by running the following query: SELECT @@ -6926,6 +6956,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + bfbd5c1e-2355-4ce2-97b5-3ecf14cfeab5 Obtain the list of accounts that have direct access to the server-level permission 'Control server' by running the following query: SELECT @@ -7023,6 +7054,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 2c3c186e-422e-4c35-bfe1-98a9ad6ffd94 Obtain the list of accounts that have direct access to the server-level permission 'Alter any linked server' by running the following query: SELECT @@ -7120,6 +7152,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + f443d4e8-a3e5-4ec5-adab-44b22e51620f Obtain the list of accounts that have direct access to the server-level permission 'Alter any event session' by running the following query: SELECT @@ -7217,6 +7250,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 19f1565e-3b4c-4dbd-9fc2-d0d06c1ba7db Obtain the list of accounts that have direct access to the server-level permission 'Alter trace' by running the following query: SELECT 
@@ -7314,6 +7348,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 06179de8-9e6b-45e6-bf2c-55d08e486e4d Obtain the list of accounts that have direct access to the server-level permission 'Alter Settings' by running the following query: SELECT @@ -7411,6 +7446,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + bc86b3c9-6cda-4377-90ba-3f999042944d Obtain the list of accounts that have direct access to the server-level permission 'Create trace event notification' by running the following query: SELECT @@ -7508,6 +7544,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + cc501322-ce85-449b-9494-a2818e0e08fb Obtain the list of accounts that have direct access to the server-level permission 'Alter resources' by running the following query: SELECT @@ -7605,6 +7642,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + ecf597db-42f2-4455-8651-b81e4815119f Obtain the list of accounts that have direct access to the server-level permission 'External access assembly' by running the following query: SELECT @@ -7702,6 +7740,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 9140e542-c06a-49a7-a5d2-476276b0d31b Obtain the list of accounts that have direct access to the server-level permission 'Alter any login' by running the following query: SELECT @@ -7799,6 +7838,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + c62df6e6-b69f-4eb4-b708-693adb5591e3 Obtain the list of accounts that have direct access to the server-level permission 'Shutdown' by running the following query: SELECT 
@@ -7896,6 +7936,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + b3789a4b-3964-4cc1-9ee4-d36751277779 Obtain the list of accounts that have direct access to the server-level permission 'Unsafe assembly' by running the following query: SELECT @@ -7993,6 +8034,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + e8e3b031-5e2a-4430-86e0-4a98c72789aa Obtain the list of accounts that have direct access to the server-level permission 'Create server role' by running the following query: SELECT @@ -8090,6 +8132,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + 9a797551-bc76-4473-b3d2-b9e37d02ae16 Obtain the list of accounts that have direct access to the server-level permission 'View server state' by running the following query: SELECT @@ -8187,6 +8230,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + d2b3edbd-2f78-492f-ad9c-40a8c5b8e07b Obtain the list of accounts that have direct access to the server-level permission 'Alter any server role' by running the following query: SELECT @@ -8284,6 +8328,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False + e06b067f-bd60-462e-9766-a43ff7f2c73b Obtain the list of accounts that have direct access to the server-level permission 'View any definition' by running the following query: SELECT 
@@ -8364,19 +8409,20 @@ GO - + <VulnDiscussion>Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to modify an existing account for later use. Notification of account creation is one method and best practice for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and/or application owners exist. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES 
(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 900ce343-1e07-44ca-863e-a034c6d8e9c7 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -8410,7 +8456,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method and best practice for mitigating this risk. A comprehensive application account management process ensures an audit trail automatically documents the modification of application user accounts and, as required, notifies administrators, application owners, and/or appropriate individuals. Applications must provide this capability directly, leverage complimentary technology providing this capability, or a combination thereof. 
@@ -8418,13 +8464,14 @@ Auditing of account modification is one method and best practice for mitigating Automated account-auditing processes greatly reduce the risk that accounts will be surreptitiously modified, and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, 
EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + b32c1c99-d8b0-47c0-89c0-34435f84bc60 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -8458,20 +8505,21 @@ Use the following query to obtain a list of all event IDs, and their meaning: - + <VulnDiscussion>Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network and system access is accomplished by leveraging common communication protocols to establish a remote connection. These connections will typically originate over either the public Internet or the Public Switched Telephone Network (PSTN). Neither of these internetworking mechanisms is private or secure, and they do not by default restrict access to networked resources once connectivity is established. Numerous best practices are employed to protect remote connections, such as utilizing encryption to protect data sessions and firewalls to restrict and control network connectivity. In addition to these protections, auditing must also be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. 
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - V-41021 + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END False False + 1df33274-7fb8-4f02-9497-6db8f94d7d0c Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -8522,6 +8570,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False + 508f6d24-bdfd-4cb4-8219-ea15a8692210 Obtain the list of accounts that have direct access to the server-level permission 'View Any Database' by running the following query: SELECT diff --git a/source/StigData/Processed/SqlServer-2016-Instance-3.3.xml b/source/StigData/Processed/SqlServer-2016-Instance-3.3.xml index e140307b9..d8adc4f5b 100644 --- a/source/StigData/Processed/SqlServer-2016-Instance-3.3.xml +++ b/source/StigData/Processed/SqlServer-2016-Instance-3.3.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Database management includes the ability to control the number of users and user sessions utilizing SQL Server. Unlimited concurrent connections to SQL Server could allow a successful denial-of-service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions is helpful in reducing these risks. @@ -2808,6 +2808,7 @@ Satisfies: SRG-APP-000091-DB-000066</VulnDiscussion><FalsePositives> V-79139 False + 1 Review the system documentation to determine if SQL Server is required to audit the retrieval of privilege/permission/role membership information. If SQL Server is not required to audit the retrieval of privilege/permission/role membership information, this is not a finding. @@ -2846,6 +2847,7 @@ If the SCHEMA_OBJECT_ACCESS_GROUP is not returned in an active audit, this is a V-79141 False + aa67d65b-aa2a-4904-9dae-9c5e33bccfd5 When Audits are enabled, they start up when the instance starts. https://msdn.microsoft.com/en-us/library/cc280386.aspx#Anchor_2 
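Review bot: In hunk `@@ -2808,6 +2808,7 @@` of SqlServer-2016-Instance-3.3.xml the QueryId added for V-79139 is the literal `1`, and the same literal is added for V-79239, V-79251, V-79257, V-79261, V-79265, V-79269, V-79273, V-79277, V-79281, V-79285, V-79289, V-79291, V-79293, V-79295, V-79297 and V-79301 (seventeen rules, repeated in the SqlServer-2016-Instance-3.4.xml hunks), while the neighbouring rules V-79141, V-79147, V-79149, V-79317 and V-79319 each get a per-rule GUID. If QueryId is what the composite hands to SqlServerDsc 17's `Id` key on SqlScriptQuery, seventeen instances sharing key `1` in one configuration would be rejected as duplicate key properties at MOF compile time, which single-rule unit fixtures would not catch. If `1` is an intentional sentinel for SQL Server Audit rules, that convention should be recorded where the converter assigns it (outside this chunk), e.g. `# QueryId '1' is reserved for SQL Server Audit rules; every other rule type receives a GUID`, and the per-file duplication should be covered by a test. The enclosing Rule elements start and end outside these hunks.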
@@ -2877,6 +2879,7 @@ Systems where audit trail completeness is paramount will most likely be at a low V-79147 False + 709a37ed-4ba9-4dfd-b700-1278b1bcc16c If the system documentation indicates that availability takes precedence over audit trail completeness, this is not applicable (NA). If SQL Server Audit is in use, review the defined server audits by running the statement: @@ -2907,6 +2910,7 @@ Systems where availability is paramount will most likely be MAC I; the final det V-79149 False + 68d7c225-9dca-46b2-bd17-acf0ffa59e33 If the system documentation indicates that availability does not take precedence over audit trail completeness, this is not applicable (NA). Execute the following query: @@ -2939,6 +2943,7 @@ Enforcement actions are the methods or mechanisms used to prevent unauthorized c V-79239 False + 1 Determine if an audit is configured to capture denied actions and started by executing the following query: SELECT name AS 'Audit Name', @@ -3046,6 +3051,7 @@ Satisfies: SRG-APP-000492-DB-000332, SRG-APP-000492-DB-000333</VulnDiscussion V-79251 False + 1 Review the system documentation to determine if SQL Server is required to audit the retrieval of when security objects are accessed. If this is not required, this is not a finding. @@ -3092,6 +3098,7 @@ Satisfies: SRG-APP-000494-DB-000344</VulnDiscussion><FalsePositives> V-79257 False + 1 Review the system documentation to determine if SQL Server is required to audit when data classifications are both successfully and unsuccessfully retrieved. If this is not required, this is not a finding. @@ -3138,6 +3145,7 @@ Satisfies: SRG-APP-000495-DB-000326</VulnDiscussion><FalsePositives> V-79261 False + 1 Check that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query: 
@@ -3203,6 +3211,7 @@ Satisfies: SRG-APP-000495-DB-000328</VulnDiscussion><FalsePositives> V-79265 False + 1 Check that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query: @@ -3266,6 +3275,7 @@ Satisfies: SRG-APP-000496-DB-000334</VulnDiscussion><FalsePositives> V-79269 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3306,6 +3316,7 @@ Satisfies: SRG-APP-000498-DB-000346</VulnDiscussion><FalsePositives> V-79273 False + 1 Review the system documentation to determine if SQL Server is required to audit when data classifications are successfully and unsuccessfully modified. If this is not required, this is not a finding. @@ -3350,6 +3361,7 @@ To aid in diagnosis, it is necessary to keep track of failed attempts in additio V-79277 False + 1 Check that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query. If no records are returned, this is a finding. @@ -3413,6 +3425,7 @@ Satisfies: SRG-APP-000501-DB-000336</VulnDiscussion><FalsePositives> V-79281 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3453,6 +3466,7 @@ Satisfies: SRG-APP-000502-DB-000348</VulnDiscussion><FalsePositives> V-79285 False + 1 Review the system documentation to determine if SQL Server is required to audit when data classifications are successfully and unsuccessfully deleted. If this is not required, this is not a finding. @@ -3495,6 +3509,7 @@ Satisfies: SRG-APP-000503-DB-000350</VulnDiscussion><FalsePositives> V-79289 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', 
@@ -3564,6 +3579,7 @@ Note that it is particularly important to audit, and tightly control, any action V-79291 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3643,6 +3659,7 @@ To aid in diagnosis, it is necessary to keep track of failed attempts in additio V-79293 False + 1 Determine if an audit is configured and started by executing the following query. SELECT name AS 'Audit Name', @@ -3745,6 +3762,7 @@ Disconnection may be initiated by the user or forced by the system (as in a time V-79295 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3849,6 +3867,7 @@ Concurrent connections by the same user from multiple workstations may be valid V-79297 False + 1 Determine if an audit is configured and started by executing the following query. SELECT name AS 'Audit Name', @@ -3901,6 +3920,7 @@ Satisfies: SRG-APP-000507-DB-000356</VulnDiscussion><FalsePositives> V-79301 False + 1 Review the system documentation to determine if SQL Server is required to audit when successful and unsuccessful accesses to objects occur. If this is not required, this is not a finding. @@ -3945,6 +3965,7 @@ Some applications that run on SQL Server require the [sa] account to be enabled V-79317 False + bc7553cb-8f2e-48b4-a3e6-13c51ae48734 Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query: USE master; @@ -3972,6 +3993,7 @@ Since the SQL Server [sa] is administrative in nature, the compromise of a defau V-79319 True {0} is populated with a non-default SA account name + a7b52c00-d683-4780-953f-9717cfb3ca59 Verify the SQL Server default [sa] (system administrator) account name has been changed by executing the following query: USE master; 
diff --git a/source/StigData/Processed/SqlServer-2016-Instance-3.4.xml b/source/StigData/Processed/SqlServer-2016-Instance-3.4.xml
index 51bbd5d39..23a67b85d 100644
--- a/source/StigData/Processed/SqlServer-2016-Instance-3.4.xml
+++ b/source/StigData/Processed/SqlServer-2016-Instance-3.4.xml
@@ -1,4 +1,4 @@
-
+
<VulnDiscussion>Database management includes the ability to control the number of users and user sessions utilizing SQL Server. Unlimited concurrent connections to SQL Server could allow a successful denial-of-service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions is helpful in reducing these risks.
@@ -761,7 +761,7 @@ If any nonauthorized users have access to the SQL Server Error Log located at Pr
In addition, the SQL Server Error Log is also located at Program Files\Microsoft SQL Server\MSSQL.n\MSSQL\LOG\. Review the permissions on this folder to ensure that only authorized users are listed.
-If any nonauthorized users have access to the SQL Server Error Log in SQL Server Management Studio or if vendor documentation does not exist stating that full error messages must be returned, this is a finding.
+If any nonauthorized users have access to the SQL Server Error Log in SQL Server Management Studio or if documentation does not exist stating that full error messages must be returned, this is a finding.
Otherwise, verify if trace flag 3625 is enabled to mask certain system-level error information returned to nonadministrative users.
@@ -1559,7 +1559,7 @@ If individuals are not individually authenticated before using the shared accoun If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding. - <VulnDiscussion>The DoD standard for authentication is DoD-approved PKI certificates. + <VulnDiscussion>The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate and requires AO approval. @@ -2807,6 +2807,7 @@ Satisfies: SRG-APP-000091-DB-000066</VulnDiscussion><FalsePositives> V-79139 False + 1 Review the system documentation to determine if SQL Server is required to audit the retrieval of privilege/permission/role membership information. If SQL Server is not required to audit the retrieval of privilege/permission/role membership information, this is not a finding. @@ -2845,6 +2846,7 @@ If the SCHEMA_OBJECT_ACCESS_GROUP is not returned in an active audit, this is a V-79141 False + d63fee4b-8cde-4adc-b9a2-5ff07b1dfacc When Audits are enabled, they start up when the instance starts. https://msdn.microsoft.com/en-us/library/cc280386.aspx#Anchor_2 @@ -2876,6 +2878,7 @@ Systems where audit trail completeness is paramount will most likely be at a low V-79147 False + 08799b52-54d4-475b-a1c9-794ea42c019f If the system documentation indicates that availability takes precedence over audit trail completeness, this is not applicable (NA). If SQL Server Audit is in use, review the defined server audits by running the statement: @@ -2906,6 +2909,7 @@ Systems where availability is paramount will most likely be MAC I; the final det V-79149 False + 10eff293-6ad8-4ad4-ac40-fbba6ee3c85a If the system documentation indicates that availability does not take precedence over audit trail completeness, this is not applicable (NA). Execute the following query: 
@@ -2938,6 +2942,7 @@ Enforcement actions are the methods or mechanisms used to prevent unauthorized c V-79239 False + 1 Determine if an audit is configured to capture denied actions and started by executing the following query: SELECT name AS 'Audit Name', @@ -3045,6 +3050,7 @@ Satisfies: SRG-APP-000492-DB-000332, SRG-APP-000492-DB-000333</VulnDiscussion V-79251 False + 1 Review the system documentation to determine if SQL Server is required to audit the retrieval of when security objects are accessed. If this is not required, this is not a finding. @@ -3091,6 +3097,7 @@ Satisfies: SRG-APP-000494-DB-000344</VulnDiscussion><FalsePositives> V-79257 False + 1 Review the system documentation to determine if SQL Server is required to audit when data classifications are both successfully and unsuccessfully retrieved. If this is not required, this is not a finding. @@ -3137,6 +3144,7 @@ Satisfies: SRG-APP-000495-DB-000326</VulnDiscussion><FalsePositives> V-79261 False + 1 Check that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query: @@ -3202,6 +3210,7 @@ Satisfies: SRG-APP-000495-DB-000328</VulnDiscussion><FalsePositives> V-79265 False + 1 Check that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query: @@ -3265,6 +3274,7 @@ Satisfies: SRG-APP-000496-DB-000334</VulnDiscussion><FalsePositives> V-79269 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3305,6 +3315,7 @@ Satisfies: SRG-APP-000498-DB-000346</VulnDiscussion><FalsePositives> V-79273 False + 1 Review the system documentation to determine if SQL Server is required to audit when data classifications are successfully and unsuccessfully modified. If this is not required, this is not a finding. 
@@ -3349,6 +3360,7 @@ To aid in diagnosis, it is necessary to keep track of failed attempts in additio V-79277 False + 1 Check that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query. If no records are returned, this is a finding. @@ -3412,6 +3424,7 @@ Satisfies: SRG-APP-000501-DB-000336</VulnDiscussion><FalsePositives> V-79281 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3452,6 +3465,7 @@ Satisfies: SRG-APP-000502-DB-000348</VulnDiscussion><FalsePositives> V-79285 False + 1 Review the system documentation to determine if SQL Server is required to audit when data classifications are successfully and unsuccessfully deleted. If this is not required, this is not a finding. @@ -3494,6 +3508,7 @@ Satisfies: SRG-APP-000503-DB-000350</VulnDiscussion><FalsePositives> V-79289 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3563,6 +3578,7 @@ Note that it is particularly important to audit, and tightly control, any action V-79291 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3642,6 +3658,7 @@ To aid in diagnosis, it is necessary to keep track of failed attempts in additio V-79293 False + 1 Determine if an audit is configured and started by executing the following query. SELECT name AS 'Audit Name', @@ -3744,6 +3761,7 @@ Disconnection may be initiated by the user or forced by the system (as in a time V-79295 False + 1 Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', @@ -3848,6 +3866,7 @@ Concurrent connections by the same user from multiple workstations may be valid V-79297 False + 1 Determine if an audit is configured and started by executing the following query. SELECT name AS 'Audit Name', 
@@ -3900,6 +3919,7 @@ Satisfies: SRG-APP-000507-DB-000356</VulnDiscussion><FalsePositives>
V-79301
False
+ 1
Review the system documentation to determine if SQL Server is required to audit when successful and unsuccessful accesses to objects occur. If this is not required, this is not a finding.
@@ -3944,6 +3964,7 @@ Some applications that run on SQL Server require the [sa] account to be enabled
V-79317
False
+ 5b306553-3c8e-4016-b45c-830bce12f52d
Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query:
USE master;
@@ -3971,6 +3992,7 @@ Since the SQL Server [sa] is administrative in nature, the compromise of a defau
V-79319
True
{0} is populated with a non-default SA account name
+ 94b8b41a-8f66-4ea9-9905-fbdc57267e66
Verify the SQL Server default [sa] (system administrator) account name has been changed by executing the following query:
USE master;
From 3ce576da53a9296c9a6050f6317099ab8a4d7b4a Mon Sep 17 00:00:00 2001
From: adam <=>
Date: Sun, 24 Aug 2025 15:53:31 -0500
Subject: [PATCH 2/3] Updated change log
---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5cb6765ba..5c72fd68c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
# Versions
## [Unreleased]
+* Upgrade SqlServerDsc from 15.1.1 to 17.1.0 [#1476](https://github.com/microsoft/PowerStig/issues/1476)
## [4.26.0] - 2025-05-28
From 5c4236064d3c5bec3bb42ba9ab409a9c684c948d Mon Sep 17 00:00:00 2001
From: adam <=>
Date: Fri, 26 Sep 2025 14:49:05 -0500
Subject: [PATCH 3/3] Synced changes from 4.27.0 release
---
source/PowerStig.psd1 | 2 +-
.../SqlServer-2012-Database-1.19.xml | 6 +-
.../SqlServer-2012-Database-1.20.xml | 6 +-
.../SqlServer-2012-Instance-1.19.xml | 100 +++++++++---------
.../SqlServer-2012-Instance-1.20.xml | 100 +++++++++---------
.../Processed/SqlServer-2016-Instance-3.4.xml | 12 +--
.../Processed/SqlServer-2016-Instance-3.5.xml | 12 +--
.../Processed/SqlServer-2022-Instance-1.1.xml | 9 +-
8 files changed, 127 insertions(+), 120 deletions(-)
diff --git a/source/PowerStig.psd1 b/source/PowerStig.psd1
index 2b4e10141..75c0a1411 100644
--- a/source/PowerStig.psd1
+++ b/source/PowerStig.psd1
@@ -44,7 +44,7 @@
@{ModuleName = 'GPRegistryPolicyDsc'; ModuleVersion = '1.3.1' },
@{ModuleName = 'PSDscResources'; ModuleVersion = '2.12.0.0' },
@{ModuleName = 'SecurityPolicyDsc'; ModuleVersion = '2.10.0.0' },
- @{ModuleName = 'SqlServerDsc'; ModuleVersion = '15.1.1' },
+ @{ModuleName = 'SqlServerDsc'; ModuleVersion = '17.1.0' },
@{ModuleName = 'WindowsDefenderDsc'; ModuleVersion = '2.2.0' },
@{ModuleName = 'xDnsServer'; ModuleVersion = '1.16.0.0' },
@{ModuleName = 'xWebAdministration'; ModuleVersion = '3.2.0' },
diff --git a/source/StigData/Processed/SqlServer-2012-Database-1.19.xml b/source/StigData/Processed/SqlServer-2012-Database-1.19.xml
index 9d76b518d..225d1c58a 100644
--- a/source/StigData/Processed/SqlServer-2012-Database-1.19.xml
+++ b/source/StigData/Processed/SqlServer-2012-Database-1.19.xml
@@ -1,4 +1,4 @@
-
+
<VulnDiscussion>Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
@@ -795,7 +795,7 @@ The DBMS must provide auditing for the list of events defined by the organizatio
False
- cb0f3ba2-2f8b-4ad1-9a5f-9cf471b72656
+ 6b1826e1-ee86-41a2-8464-9af9cd730b96
Check to see that all required events are being audited.
From the query prompt:
SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
@@ -840,7 +840,7 @@ Within the database, object ownership implies full privileges to the owned objec
True
{0} is a database owner
- 3e14b6ec-8842-4770-8451-d2f23e8e811f
+ baf9f4fc-49bb-40ef-8c1f-5d0b403531f9
Review system documentation to identify SQL Server accounts authorized to own database objects.
If the SQL Server database ownership list does not exist or needs to be updated, this is a finding.
diff --git a/source/StigData/Processed/SqlServer-2012-Database-1.20.xml b/source/StigData/Processed/SqlServer-2012-Database-1.20.xml
index 81c99e130..9cb686f38 100644
--- a/source/StigData/Processed/SqlServer-2012-Database-1.20.xml
+++ b/source/StigData/Processed/SqlServer-2012-Database-1.20.xml
@@ -1,4 +1,4 @@
-
+
<VulnDiscussion>Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
@@ -795,7 +795,7 @@ The DBMS must provide auditing for the list of events defined by the organizatio
False
- 997c034d-5f51-43ee-a4ab-15abc3230d2f
+ 6084df45-dac2-4467-b3c4-85ed0d8bea28
Check to see that all required events are being audited.
From the query prompt:
SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
@@ -840,7 +840,7 @@ Within the database, object ownership implies full privileges to the owned objec
True
{0} is a database owner
- 1a675b3e-cafe-487f-9e87-153bd8e44abf
+ 93580376-9eec-4fdd-bf60-bf09ab50f9e9
Review system documentation to identify SQL Server accounts authorized to own database objects.
If the SQL Server database ownership list does not exist or needs to be updated, this is a finding.
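Review bot: Every QueryId in hunks `@@ -795,7 +795,7 @@` and `@@ -840,7 +840,7 @@` of SqlServer-2012-Database-1.19.xml and -1.20.xml is swapped for a fresh GUID, and the SqlServer-2012-Instance-1.19.xml hunks that follow do the same for every rule they touch, which suggests the value is generated anew on each conversion run rather than derived from the rule. If this GUID is the SqlScriptQuery resource key, each regeneration changes the resource's identity between PowerStig releases and turns a "sync" commit into a 100-line diffstat in which a real change to a GetScript or RawString would be hard to spot. Deriving the value deterministically from the rule id and STIG version, or keeping the committed value when the rule text is unchanged, would make the processed data stable and reviewable; this is inferred from the diff alone, as the generator is outside this chunk.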
diff --git a/source/StigData/Processed/SqlServer-2012-Instance-1.19.xml b/source/StigData/Processed/SqlServer-2012-Instance-1.19.xml
index 715f2bd2d..93e876552 100644
--- a/source/StigData/Processed/SqlServer-2012-Instance-1.19.xml
+++ b/source/StigData/Processed/SqlServer-2012-Instance-1.19.xml
@@ -1,4 +1,4 @@
-
+
<VulnDiscussion>Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), VPN, or IPSEC tunnel.
@@ -4929,7 +4929,7 @@ Some applications that run on SQL Server require the 'sa' account to be enabled
False
- d2cf69c0-3a8a-433c-b0fd-f8a62efc6b9c
+ 4f982e9f-9e6d-4219-b19f-24de8035e099
Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query:
USE MASTER
@@ -4963,7 +4963,7 @@ Demonstration and sample database objects and applications present publicly know
False
- 3d823404-5d18-43f5-af17-f193bce245ed
+ d3c17933-935d-4197-8012-86e6f64ebf9d
Check SQL Server for the existence of the publicly available "AdventureWorks" database by performing the following query:
SELECT name from sysdatabases where name like 'AdventureWorks%';
@@ -4989,7 +4989,7 @@ Demonstration and sample database objects and applications present publicly know
False
- 6799db0f-a69d-4324-a087-691a7942e1f3
+ d89232d5-38d9-46df-a7dc-6b95261a4c30
Check SQL Server for the existence of the publicly available "NorthWind" database by performing the following query:
SELECT name from sysdatabases where name like 'Northwind%';
@@ -5011,7 +5011,7 @@ Detection of suspicious activity, including access attempts and successful acces False - f5208f8a-b70c-4c8e-87ba-06f6aaf10ddf + ffb69915-0a39-4232-aaa6-7fc759436ae7 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5060,7 +5060,7 @@ Note that trace file rollover does not count as an audit failure, provided that True {0} is the path to the trace file - 33d8559a-1b6b-4f01-964e-0532f523389b + da113a7d-9751-4cb0-9795-3eeaddf6a848 From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5108,7 +5108,7 @@ After the initial setup of SQL Server audit log configuration, it is best to che True {0} is the trace file limit - 03e1d08c-b54f-4d7d-a7b7-e6cba237769e + 361f8bcc-d286-4319-b0c7-1888352baad0 Check the SQL Server audit setting on the maximum number of files of the trace used for the auditing requirement. Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. @@ -5134,7 +5134,7 @@ Some organizations may determine that more detailed information is required for False - d453478a-f28d-420c-8eb0-a2e42b5fb275 + 6f1056e6-f7e9-44a5-8d7e-8598aacdbe09 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5179,7 +5179,7 @@ Database software is capable of a range of actions on data stored within the dat False - 2eaee00c-de05-4319-b75d-ae59d2dbf88b + 2924bbbf-5140-446c-9922-3b4e2a586324 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5228,7 +5228,7 @@ If auditing is enabled, SQL Server does capture the outcome status-specific info False - 43224d6c-a8c3-489f-9636-897f2af056c9 + 48c2ddad-966a-4092-981c-488abec2af51 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5275,7 +5275,7 @@ The source of the event can be a user account and sometimes a system account whe False - 16ee74f8-f8e2-487a-9bef-d268674ce90d + 63eb1dc7-973f-4e9e-b044-066dfb231c05 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5322,7 +5322,7 @@ An event location can be a database instance, table, column, row, etc. Without s False - 833a13e3-8ee8-4f6c-a11e-b03718ee0f38 + 399243aa-fc0b-4cc1-a5b2-f832749168f2 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5369,7 +5369,7 @@ If auditing is enabled, SQL Server does capture the date and time-specific infor False - 892bde48-4315-4ea8-9dc2-ce40bfcdf0b7 + 413cd559-01f3-46bc-9f5a-dddfbe10d33f Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5416,7 +5416,7 @@ If auditing is enabled, SQL Server does capture the event type-specific informat False - c578699d-7095-4c1d-8206-67ebea9e7b3d + 1e2461a2-c431-4666-8871-e16c522ef9d0 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5465,7 +5465,7 @@ Auditing provides accountability for changes made to the SQL Server configuratio False - da37067c-c2f0-4516-b04f-2b2ba14a5950 + 9f393b55-2a1d-490d-838a-868163a83903 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5510,7 +5510,7 @@ Since the SQL Server 'sa' is administrative in nature, the compromise of a defau True {0} is populated with a non-default SA account name - 6c668e0a-a95b-41d7-a442-9f800bc394d6 + a18e424b-2c21-4e3b-8aac-b0b326a2b0d3 Verify the SQL Server default 'sa' account name has been changed. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins. @@ -5530,7 +5530,7 @@ If SQL Server default 'sa' account name is in the 'Logins' list, this is a findi False - e7fc90b1-4b63-4f0d-aad1-8d944155ee55 + 60f4014f-8484-475e-bdcd-ba8eb872ef9b Check to see that all required events are being audited. From the query prompt: @@ -5585,7 +5585,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - 0f0f07a8-f2ca-4f4a-a938-ef8781b9d396 + 055e42cb-0b7c-434d-9d8b-d8a4d0509418 Obtain the list of accounts that have direct access to the server-level permission 'Alter any endpoint' by running the following query: SELECT @@ -5683,7 +5683,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - 8f5a489e-6aab-4014-b80f-224827589f9f + a39a6c5a-ab86-4f11-9bd6-d80d8ef0c44a Obtain the list of accounts that have direct access to the server-level permission 'Alter any database' by running the following query: SELECT @@ -5781,7 +5781,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - f3d06b3d-502f-4c61-9b2c-cb8c3c5c9ac1 + 0ad3fbb9-91a9-45ad-987c-233947c8e3d8 Obtain the list of accounts that have direct access to the server-level permission 'Alter any credential' by running the following query: SELECT @@ -5879,7 +5879,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - e23892a7-60f2-4df4-8348-eeec7eb1da1d + 8c495943-ab0f-4a49-b239-334f10a256f8 Obtain the list of accounts that have direct access to the server-level permission 'Alter any connection' by running the following query: SELECT 
@@ -5977,7 +5977,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 5577bcb9-0b5e-42a1-abc2-d9f42656fa85 + 5f5bcf65-6c64-4a4c-b64f-94aaaf271356 Obtain the list of accounts that have direct access to the server-level permission 'Alter server state' by running the following query: SELECT @@ -6075,7 +6075,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 964107ee-9a93-4d13-9a55-086d7db706b8 + 1ad66084-ee1e-4e2e-8db8-7ef3aa91b0c5 Obtain the list of accounts that have direct access to the server-level permission 'Alter any event notification' by running the following query: SELECT @@ -6173,7 +6173,7 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok True {0} is a user that can view any database - ea1fc987-85e4-4969-a880-6067a1680106 + 9d5be458-9fcf-4119-9007-35dc0108c02c Obtain the list of roles that are authorized for the SQL Server 'View any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT @@ -6269,7 +6269,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - ec54551c-8f3c-4e20-9297-4657eb69892a + 3f7835e6-0663-4175-aeb7-562f62d50af9 Obtain the list of accounts that have direct access to the server-level permission 'Alter any server audit' by running the following query: SELECT @@ -6367,7 +6367,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 07921e55-989c-485f-a8e2-f3d383f6d420 + e99f369e-adb5-42a6-a974-0a528eb4d112 Obtain the list of accounts that have direct access to the server-level permission 'Authenticate Server' by running the following query: SELECT 
@@ -6465,7 +6465,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 1d349d7d-168e-4479-acba-bff85f1f7ea8 + 9e7b30f0-3e0d-43f6-8b45-1242d40dee54 Obtain the list of accounts that have direct access to the server-level permission 'Administer bulk operations' by running the following query: SELECT @@ -6563,7 +6563,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 24813c80-ceb4-4473-9ce8-7ca51e06ec2a + 4c2244f9-7a97-4e2b-95f1-8b3816e39d49 Obtain the list of accounts that have direct access to the server-level permission 'Create endpoint' by running the following query: SELECT @@ -6661,7 +6661,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - d65eb92d-f5be-4767-bbe5-0ff5225d57fc + 8938041e-3b27-498e-93d4-ee075b26d182 Obtain the list of accounts that have direct access to the server-level permission 'Create DDL Event Notification' by running the following query: SELECT @@ -6760,7 +6760,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - ebcc3b9e-1372-438f-9683-a17a8e020bd8 + aafcf669-c1c4-41b9-b96d-8aae24e39c6c Obtain the list of accounts that have direct access to the server-level permission 'Create availability group' by running the following query: SELECT @@ -6858,7 +6858,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 04251e61-1c27-4174-ac59-3dbb37653074 + 3c04c622-4b14-4c63-93a2-26c719c4aecb Obtain the list of accounts that have direct access to the server-level permission 'Create any database' by running the following query: SELECT @@ -6956,7 +6956,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 0f2eb710-d963-435a-b173-5ac3b3d623dd + c6197714-1d46-4d5b-8fe4-6e96256255f2 Obtain the list of accounts that have direct access to the server-level permission 'Control server' by running the following query: SELECT 
@@ -7054,7 +7054,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 8a69ecc9-aee8-4fb6-906d-4f74c330583c + 388e1600-fb48-45d0-808c-d8a7799dee93 Obtain the list of accounts that have direct access to the server-level permission 'Alter any linked server' by running the following query: SELECT @@ -7152,7 +7152,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - f6f04556-7198-4caf-b276-df7dfe2128ac + 131216c7-300f-4031-8922-4394e1780101 Obtain the list of accounts that have direct access to the server-level permission 'Alter any event session' by running the following query: SELECT @@ -7250,7 +7250,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 735bd361-c2b6-4f4c-abf4-7229f2785d53 + b8871972-7268-4b9b-b837-bdadd1273892 Obtain the list of accounts that have direct access to the server-level permission 'Alter trace' by running the following query: SELECT @@ -7348,7 +7348,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 605b7fef-bc8c-4a19-ae94-0cb859aeba21 + b31cf183-f8ac-416a-a2c8-875fd05b8024 Obtain the list of accounts that have direct access to the server-level permission 'Alter Settings' by running the following query: SELECT @@ -7446,7 +7446,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 9cd46062-49f9-40e0-8ac8-f87fe2be96f4 + d200d9bc-a987-49a7-9e1d-de8abc9edff9 Obtain the list of accounts that have direct access to the server-level permission 'Create trace event notification' by running the following query: SELECT @@ -7544,7 +7544,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - d64ad30d-60a9-48f3-9470-27f15d23e2a5 + 970c16fb-7a98-4040-ae93-393a6e624879 Obtain the list of accounts that have direct access to the server-level permission 'Alter resources' by running the following query: SELECT 
@@ -7642,7 +7642,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 6c3dd820-5223-4a4e-800d-df961ede1565 + 402c13c8-d77c-406a-a854-1f621efde0ba Obtain the list of accounts that have direct access to the server-level permission 'External access assembly' by running the following query: SELECT @@ -7740,7 +7740,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 09969c90-7c78-4890-b598-0aa4c2183406 + d4786177-9049-40b4-9cbb-d9811784ad97 Obtain the list of accounts that have direct access to the server-level permission 'Alter any login' by running the following query: SELECT @@ -7838,7 +7838,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - b967a22b-62ba-403c-99b5-b36aa394f580 + ecc78282-3c51-4c55-bc68-18a47ef50461 Obtain the list of accounts that have direct access to the server-level permission 'Shutdown' by running the following query: SELECT @@ -7936,7 +7936,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 7d6a4fb3-dd3e-4b43-b933-6b079d77239d + a480e8b4-82b0-4cb5-8405-3341f1174073 Obtain the list of accounts that have direct access to the server-level permission 'Unsafe assembly' by running the following query: SELECT @@ -8034,7 +8034,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - 9cd70d59-027c-434f-944b-52f10cef7362 + 62dbde06-7fef-4a99-90cc-0af782dc210f Obtain the list of accounts that have direct access to the server-level permission 'Create server role' by running the following query: SELECT @@ -8132,7 +8132,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 66e50e92-1b16-4f7e-bfd4-1c3906917158 + bce557c8-d6a4-488d-8d5a-85215e22be07 Obtain the list of accounts that have direct access to the server-level permission 'View server state' by running the following query: SELECT 
@@ -8230,7 +8230,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 434f36ca-d0b3-401b-b790-b0bc9443d2d3 + fe766e91-f27d-4c44-a56b-8af166b0daf7 Obtain the list of accounts that have direct access to the server-level permission 'Alter any server role' by running the following query: SELECT @@ -8328,7 +8328,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - d7db65f6-2023-4878-9b1d-2ee3b064d158 + 1f9c4ac3-c8d7-4a57-a2fc-c67169aa0197 Obtain the list of accounts that have direct access to the server-level permission 'View any definition' by running the following query: SELECT @@ -8422,7 +8422,7 @@ To address the multitude of policy based access requirements, many application d False - 3f0285fb-cf9a-47f7-b442-d1645ac4979a + 8dc27e2e-5cab-4ca4-ac72-09b61d3f3abd Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -8471,7 +8471,7 @@ To address the multitude of policy based access requirements, many application d False - 5a2c6e8b-fe79-4a31-a710-336c17efc42e + f6ed09e4-5fa4-4e5f-97f3-c2bfa0fb8efb Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -8519,7 +8519,7 @@ Numerous best practices are employed to protect remote connections, such as util False - 764a8eed-175d-4f02-b8e6-775a5e8437e4 + cc0ca451-1780-4ecf-98ba-a2fc16bf85f5 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -8570,7 +8570,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - 713d0fc2-1f5a-47e9-a9f1-f596b5002f3e + 156d2340-bd5c-4381-b7bb-41519ede432c Obtain the list of accounts that have direct access to the server-level permission 'View Any Database' by running the following query: SELECT 
diff --git a/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml b/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml index 9c9e896fa..e1f3730dc 100644 --- a/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml +++ b/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), VPN, or IPSEC tunnel. @@ -4929,7 +4929,7 @@ Some applications that run on SQL Server require the 'sa' account to be enabled False - 18bb8f8b-1e5d-4da9-b18a-ca2ca5ab2f00 + b9b38c01-8b1d-46f4-9e81-b05ae40e0362 Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query: USE MASTER @@ -4963,7 +4963,7 @@ Demonstration and sample database objects and applications present publicly know False - b2579ca1-fbe1-4799-802f-5d9f02ba44de + 7ad02e73-dba0-42a7-b917-eedd3c371b6b Check SQL Server for the existence of the publicly available "AdventureWorks" database by performing the following query: SELECT name from sysdatabases where name like 'AdventureWorks%'; @@ -4989,7 +4989,7 @@ Demonstration and sample database objects and applications present publicly know False - 4e2f03cc-fb1a-45a4-baaa-92ca06b304ff + af392ad1-5757-4d83-a947-e0fa23e613d3 Check SQL Server for the existence of the publicly available "NorthWind" database by performing the following query: SELECT name from sysdatabases where name like 'Northwind%'; 
@@ -5011,7 +5011,7 @@ Detection of suspicious activity, including access attempts and successful acces False - 683f3145-a7ff-46a4-8839-042d5e03ee82 + 59f285c6-a011-47b8-a7a7-215d792dfd93 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5060,7 +5060,7 @@ Note that trace file rollover does not count as an audit failure, provided that True {0} is the path to the trace file - 3622a024-d24c-4d02-a9ad-37224f55dccc + 92f2f6d7-abe4-459b-8b1b-9e5a68156271 From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5108,7 +5108,7 @@ After the initial setup of SQL Server audit log configuration, it is best to che True {0} is the trace file limit - 813a8856-dd0f-4ec0-901a-fdb828d50255 + 27c6e939-70e2-408a-83d2-260147717f52 Check the SQL Server audit setting on the maximum number of files of the trace used for the auditing requirement. Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. @@ -5134,7 +5134,7 @@ Some organizations may determine that more detailed information is required for False - 595de426-b0f6-4d22-8a45-7f5142931136 + feea7718-853d-4f9c-88ba-3c7f90efa26b Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5179,7 +5179,7 @@ Database software is capable of a range of actions on data stored within the dat False - df0381fb-7e72-4dda-a07a-0b7c7127d928 + 78b12083-9e9f-4edb-9cad-1c40cc17e042 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5228,7 +5228,7 @@ If auditing is enabled, SQL Server does capture the outcome status-specific info False - 3d282c8d-f771-4aa5-9788-447d7dfda641 + 067dc003-c192-4226-b0e5-777b2e43f0f3 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5275,7 +5275,7 @@ The source of the event can be a user account and sometimes a system account whe False - 7cd71d55-f4ac-405d-8194-ea09c4277db1 + 18494457-144c-42ba-83b3-df8342f3de9a Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5322,7 +5322,7 @@ An event location can be a database instance, table, column, row, etc. Without s False - 1519bb3c-d427-4d35-9dcf-88d0ecd9d339 + 9f0926e7-c3a6-4276-828b-98f11db6a5a0 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5369,7 +5369,7 @@ If auditing is enabled, SQL Server does capture the date and time-specific infor False - 1bba013b-9772-493b-8b4b-e2c2f3318d4e + ab260c20-1c8c-456f-b8ef-cdf82d143344 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5416,7 +5416,7 @@ If auditing is enabled, SQL Server does capture the event type-specific informat False - e460400a-4c45-4933-8577-3ffb2a92036d + a4f81f28-2d60-4ed0-8bf8-0baf6af84696 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -5465,7 +5465,7 @@ Auditing provides accountability for changes made to the SQL Server configuratio False - f2b122cf-1e8f-4bb3-be9d-3fc7274a59a1 + 64d6235c-eb35-4fa3-9b5b-d36538b24bf2 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -5510,7 +5510,7 @@ Since the SQL Server 'sa' is administrative in nature, the compromise of a defau True {0} is populated with a non-default SA account name - b1c7ccab-4a83-49f0-95e5-ee53e672aef3 + 3e5783c2-e602-45dd-bac6-1cc6c45b3f93 Verify the SQL Server default 'sa' account name has been changed. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins. @@ -5530,7 +5530,7 @@ If SQL Server default 'sa' account name is in the 'Logins' list, this is a findi False - e63f70d7-3b69-4d60-bbb2-e3ea8c6873ae + 31fd616f-36ee-4ed2-b4fe-d849635fa6b2 Check to see that all required events are being audited. From the query prompt: @@ -5585,7 +5585,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - 0867fab9-c929-46d0-82c0-afff5bfc5ce8 + 57ce0555-8423-4679-95cc-27be7cd3845d Obtain the list of accounts that have direct access to the server-level permission 'Alter any endpoint' by running the following query: SELECT @@ -5683,7 +5683,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - 5e600191-d7de-435b-bfa8-2260e55680a5 + 0be052aa-da47-410f-b588-dec06f844cab Obtain the list of accounts that have direct access to the server-level permission 'Alter any database' by running the following query: SELECT @@ -5781,7 +5781,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 4d807725-ebc4-46e7-b7d8-7ed7f2b6d2fb + 00b83386-bbd6-4b55-847a-0e23a784731f Obtain the list of accounts that have direct access to the server-level permission 'Alter any credential' by running the following query: SELECT @@ -5879,7 +5879,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - 3bde76c0-0a92-4dd4-b0de-1d2d330af58e + 41a9ccc5-f937-4333-8921-0aeb6eaa5be2 Obtain the list of accounts that have direct access to the server-level permission 'Alter any connection' by running the following query: SELECT 
@@ -5977,7 +5977,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - d404bc8a-090d-42c9-871b-eda7d70348c7 + 189cd72a-495f-4815-95e7-4f0fab6c133e Obtain the list of accounts that have direct access to the server-level permission 'Alter server state' by running the following query: SELECT @@ -6075,7 +6075,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - e14c6984-6772-4588-8dd2-944ad3365545 + 67553070-b3c0-4c79-a5b6-8ee41de2ef44 Obtain the list of accounts that have direct access to the server-level permission 'Alter any event notification' by running the following query: SELECT @@ -6173,7 +6173,7 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok True {0} is a user that can view any database - e5f7c20f-0541-48f9-ab28-8184ea32a88a + 7bd7b9a7-68e8-4162-9f6c-beff4fbe2f24 Obtain the list of roles that are authorized for the SQL Server 'View any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT @@ -6269,7 +6269,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 79025981-6f64-41d0-9506-2f4ce62ab016 + 1654213e-8973-4ccb-bd32-7a131cdaa9aa Obtain the list of accounts that have direct access to the server-level permission 'Alter any server audit' by running the following query: SELECT @@ -6367,7 +6367,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 6e6a1df4-51bc-4dd2-9bd9-4f53af754488 + 89887d00-c318-4730-891b-d436fae39744 Obtain the list of accounts that have direct access to the server-level permission 'Authenticate Server' by running the following query: SELECT 
@@ -6465,7 +6465,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 4637e7ec-2c7e-4492-a9c8-4b5d6094c86d + ce01b7ea-6ce6-4679-a3f1-e8e7c4d59a92 Obtain the list of accounts that have direct access to the server-level permission 'Administer bulk operations' by running the following query: SELECT @@ -6563,7 +6563,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - e0e9ffd1-86f7-4c94-98d8-08f529f8133f + 68e1ba58-b291-4fcb-8eac-719eef8373c3 Obtain the list of accounts that have direct access to the server-level permission 'Create endpoint' by running the following query: SELECT @@ -6661,7 +6661,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - d8ac7a53-af2e-4487-93fd-296e8ad3953b + b328bee5-d076-4bb6-992b-199ef62551f4 Obtain the list of accounts that have direct access to the server-level permission 'Create DDL Event Notification' by running the following query: SELECT @@ -6760,7 +6760,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - b7b30f96-5b93-404a-b32a-1ac89fcf8672 + 5ff9fdb5-0038-4972-a08e-befdd6f07dd3 Obtain the list of accounts that have direct access to the server-level permission 'Create availability group' by running the following query: SELECT @@ -6858,7 +6858,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - b24a2d39-225d-4d33-a5a4-e3be06dd2205 + d921ace7-db5a-4e52-a7a3-84d0539269e6 Obtain the list of accounts that have direct access to the server-level permission 'Create any database' by running the following query: SELECT @@ -6956,7 +6956,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - bfbd5c1e-2355-4ce2-97b5-3ecf14cfeab5 + f9b17edd-96b8-448d-8261-89df937d7ce5 Obtain the list of accounts that have direct access to the server-level permission 'Control server' by running the following query: SELECT 
@@ -7054,7 +7054,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 2c3c186e-422e-4c35-bfe1-98a9ad6ffd94 + 6c7456b6-4627-4635-9355-f5a9e6d446ca Obtain the list of accounts that have direct access to the server-level permission 'Alter any linked server' by running the following query: SELECT @@ -7152,7 +7152,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - f443d4e8-a3e5-4ec5-adab-44b22e51620f + 5f972885-bf21-4818-be87-fc4972a8a805 Obtain the list of accounts that have direct access to the server-level permission 'Alter any event session' by running the following query: SELECT @@ -7250,7 +7250,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 19f1565e-3b4c-4dbd-9fc2-d0d06c1ba7db + 24c4d8f5-9e30-4da8-887b-9f1c5252f893 Obtain the list of accounts that have direct access to the server-level permission 'Alter trace' by running the following query: SELECT @@ -7348,7 +7348,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 06179de8-9e6b-45e6-bf2c-55d08e486e4d + 7c5fdbab-c1d2-4b53-bc4e-ecfaa82df947 Obtain the list of accounts that have direct access to the server-level permission 'Alter Settings' by running the following query: SELECT @@ -7446,7 +7446,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - bc86b3c9-6cda-4377-90ba-3f999042944d + 81d5d11c-293a-496b-9be3-a0a174049659 Obtain the list of accounts that have direct access to the server-level permission 'Create trace event notification' by running the following query: SELECT @@ -7544,7 +7544,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - cc501322-ce85-449b-9494-a2818e0e08fb + 9b2f5001-7fdc-43a6-a761-4ab745472ea9 Obtain the list of accounts that have direct access to the server-level permission 'Alter resources' by running the following query: SELECT 
@@ -7642,7 +7642,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - ecf597db-42f2-4455-8651-b81e4815119f + 296df99e-7d37-466a-9f0c-3044d00e4efb Obtain the list of accounts that have direct access to the server-level permission 'External access assembly' by running the following query: SELECT @@ -7740,7 +7740,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 9140e542-c06a-49a7-a5d2-476276b0d31b + 7dcfdbaf-365f-479e-86b4-0d115f18355b Obtain the list of accounts that have direct access to the server-level permission 'Alter any login' by running the following query: SELECT @@ -7838,7 +7838,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - c62df6e6-b69f-4eb4-b708-693adb5591e3 + e53bfbf7-35f8-4120-a970-b54fcf6915ad Obtain the list of accounts that have direct access to the server-level permission 'Shutdown' by running the following query: SELECT @@ -7936,7 +7936,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - b3789a4b-3964-4cc1-9ee4-d36751277779 + 5b8a3ada-4346-4e6a-84f1-89edfafcbb36 Obtain the list of accounts that have direct access to the server-level permission 'Unsafe assembly' by running the following query: SELECT @@ -8034,7 +8034,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - e8e3b031-5e2a-4430-86e0-4a98c72789aa + 355338d1-4468-4c7f-b518-47f0aa281eb9 Obtain the list of accounts that have direct access to the server-level permission 'Create server role' by running the following query: SELECT @@ -8132,7 +8132,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - 9a797551-bc76-4473-b3d2-b9e37d02ae16 + 7bbca216-ad68-4f79-bbdc-4b22f73020fa Obtain the list of accounts that have direct access to the server-level permission 'View server state' by running the following query: SELECT 
@@ -8230,7 +8230,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - d2b3edbd-2f78-492f-ad9c-40a8c5b8e07b + bccdf694-2a71-46e9-9b62-ab8810f95b69 Obtain the list of accounts that have direct access to the server-level permission 'Alter any server role' by running the following query: SELECT @@ -8328,7 +8328,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. The False - e06b067f-bd60-462e-9766-a43ff7f2c73b + c99c1450-0be5-451a-9434-f3415ce192fc Obtain the list of accounts that have direct access to the server-level permission 'View any definition' by running the following query: SELECT @@ -8422,7 +8422,7 @@ To address the multitude of policy based access requirements, many application d False - 900ce343-1e07-44ca-863e-a034c6d8e9c7 + e5225504-a7be-4745-82ef-2168ff392816 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -8471,7 +8471,7 @@ To address the multitude of policy based access requirements, many application d False - b32c1c99-d8b0-47c0-89c0-34435f84bc60 + 27e863ff-c656-4c37-8538-f2bd8e774f43 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -8519,7 +8519,7 @@ Numerous best practices are employed to protect remote connections, such as util False - 1df33274-7fb8-4f02-9497-6db8f94d7d0c + 7684c047-ec82-43b6-94a7-c5507a58fea7 Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -8570,7 +8570,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes False - 508f6d24-bdfd-4cb4-8219-ea15a8692210 + e928304e-ba79-4f65-9b76-7dbb54b4f6f8 Obtain the list of accounts that have direct access to the server-level permission 'View Any Database' by running the following query: SELECT 
diff --git a/source/StigData/Processed/SqlServer-2016-Instance-3.4.xml b/source/StigData/Processed/SqlServer-2016-Instance-3.4.xml index 23a67b85d..01dc4239e 100644 --- a/source/StigData/Processed/SqlServer-2016-Instance-3.4.xml +++ b/source/StigData/Processed/SqlServer-2016-Instance-3.4.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Database management includes the ability to control the number of users and user sessions utilizing SQL Server. Unlimited concurrent connections to SQL Server could allow a successful denial-of-service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions is helpful in reducing these risks. @@ -2846,7 +2846,7 @@ If the SCHEMA_OBJECT_ACCESS_GROUP is not returned in an active audit, this is a V-79141 False - d63fee4b-8cde-4adc-b9a2-5ff07b1dfacc + e9ade4e5-5545-46a0-9e50-6083af9d4769 When Audits are enabled, they start up when the instance starts. https://msdn.microsoft.com/en-us/library/cc280386.aspx#Anchor_2 @@ -2878,7 +2878,7 @@ Systems where audit trail completeness is paramount will most likely be at a low V-79147 False - 08799b52-54d4-475b-a1c9-794ea42c019f + c990b496-3da9-48a4-ae84-5b59133a9473 If the system documentation indicates that availability takes precedence over audit trail completeness, this is not applicable (NA). If SQL Server Audit is in use, review the defined server audits by running the statement: @@ -2909,7 +2909,7 @@ Systems where availability is paramount will most likely be MAC I; the final det V-79149 False - 10eff293-6ad8-4ad4-ac40-fbba6ee3c85a + 9cdde175-2eea-4603-9d44-44cefa3876e6 If the system documentation indicates that availability does not take precedence over audit trail completeness, this is not applicable (NA). Execute the following query: 
@@ -3964,7 +3964,7 @@ Some applications that run on SQL Server require the [sa] account to be enabled V-79317 False - 5b306553-3c8e-4016-b45c-830bce12f52d + 56d3330b-d8ed-4527-935d-4617e3cf2bbb Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query: USE master; @@ -3992,7 +3992,7 @@ Since the SQL Server [sa] is administrative in nature, the compromise of a defau V-79319 True {0} is populated with a non-default SA account name - 94b8b41a-8f66-4ea9-9905-fbdc57267e66 + b752adae-4ef0-4ea6-a393-f1a0bc6efd10 Verify the SQL Server default [sa] (system administrator) account name has been changed by executing the following query: USE master; diff --git a/source/StigData/Processed/SqlServer-2016-Instance-3.5.xml b/source/StigData/Processed/SqlServer-2016-Instance-3.5.xml index aac1114c4..a21823747 100644 --- a/source/StigData/Processed/SqlServer-2016-Instance-3.5.xml +++ b/source/StigData/Processed/SqlServer-2016-Instance-3.5.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>Database management includes the ability to control the number of users and user sessions utilizing SQL Server. Unlimited concurrent connections to SQL Server could allow a successful denial-of-service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions is helpful in reducing these risks. @@ -2846,7 +2846,7 @@ If the SCHEMA_OBJECT_ACCESS_GROUP is not returned in an active audit, this is a V-79141 False - aa67d65b-aa2a-4904-9dae-9c5e33bccfd5 + 39b790bc-331c-4d3b-b8a3-e4e3ee8d6452 When Audits are enabled, they start up when the instance starts. https://msdn.microsoft.com/en-us/library/cc280386.aspx#Anchor_2 
@@ -2878,7 +2878,7 @@ Systems where audit trail completeness is paramount will most likely be at a low V-79147 False - 709a37ed-4ba9-4dfd-b700-1278b1bcc16c + 2ff4a621-0c00-4324-ade3-eec20f4f7daa If the system documentation indicates that availability takes precedence over audit trail completeness, this is not applicable (NA). If SQL Server Audit is in use, review the defined server audits by running the statement: @@ -2909,7 +2909,7 @@ Systems where availability is paramount will most likely be MAC I; the final det V-79149 False - 68d7c225-9dca-46b2-bd17-acf0ffa59e33 + dca41cec-ba31-4a25-bd95-d9b1df2c981d If the system documentation indicates that availability does not take precedence over audit trail completeness, this is not applicable (NA). Execute the following query: @@ -3964,7 +3964,7 @@ Some applications that run on SQL Server require the [sa] account to be enabled V-79317 False - bc7553cb-8f2e-48b4-a3e6-13c51ae48734 + c560177d-76a2-4d8f-a89a-754c42eaa682 Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query: USE master; @@ -3992,7 +3992,7 @@ Since the SQL Server [sa] is administrative in nature, the compromise of a defau V-79319 True {0} is populated with a non-default SA account name - a7b52c00-d683-4780-953f-9717cfb3ca59 + 17f2104d-da79-489c-ac6f-a89161a6f362 Verify the SQL Server default [sa] (system administrator) account name has been changed by executing the following query: USE master; diff --git a/source/StigData/Processed/SqlServer-2022-Instance-1.1.xml b/source/StigData/Processed/SqlServer-2022-Instance-1.1.xml index 2d2bce961..d27ff5fe2 100644 --- a/source/StigData/Processed/SqlServer-2022-Instance-1.1.xml +++ b/source/StigData/Processed/SqlServer-2022-Instance-1.1.xml 
@@ -1,4 +1,4 @@ - + <VulnDiscussion>Database management includes the ability to control the number of users and user sessions using a DBMS. Unlimited concurrent connections to the DBMS could allow a successful denial-of-service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks. @@ -2297,6 +2297,7 @@ Satisfies: SRG-APP-000091-DB-000325, SRG-APP-000091-DB-000066, SRG-APP-000492-DB False + 1 Review the system documentation to determine if SQL Server is required to audit when the following events occur: - Attempts to retrieve privilege/permission/role membership information. @@ -2341,6 +2342,7 @@ If the SCHEMA_OBJECT_ACCESS_GROUP is not returned in an active audit, this is a False + dd61f162-5071-4ba1-8b4f-76672e4bba89 When audits are enabled, they start up when the instance starts. Refer to https://msdn.microsoft.com/en-us/library/cc280386.aspx#Anchor_2 Check if an audit is configured and enabled by executing the following query: @@ -2382,6 +2384,7 @@ Satisfies: SRG-APP-000381-DB-000361, SRG-APP-000495-DB-000326, SRG-APP-000495-DB False + 1 Review the SQL configuration to verify that audit records are produced when denied actions occur. To determine if an audit is configured, execute the following script: @@ -2487,6 +2490,7 @@ Satisfies: SRG-APP-000496-DB-000334, SRG-APP-000496-DB-000335, SRG-APP-000501-DB False + 1 Review the SQL configuration to verify that audit records are produced when denied actions occur. To determine if an audit is configured, execute the following script: @@ -2530,6 +2534,7 @@ Satisfies: SRG-APP-000503-DB-000350, SRG-APP-000503-DB-000351, SRG-APP-000506-DB False + 1 Review the SQL configuration to verify that audit records are produced when denied actions occur. To determine if an audit is configured, execute the following script: 
@@ -2586,6 +2591,7 @@ Some applications that run on SQL Server require the [sa] account to be enabled False + 0f1b5449-dff7-441b-8c1f-70be2c7a2656 Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query: USE master; GO @@ -2613,6 +2619,7 @@ Since the SQL Server [sa] is administrative in nature, the compromise of a defau False + a1dadc26-7d5c-4994-891e-03efc993e26f Verify the SQL Server default [sa] (system administrator) account name has been changed by executing the following query: USE master; GO