Check: ASQL-00-011000
Microsoft Azure SQL Database STIG:
ASQL-00-011000
(in version v1 r2)
Title
Azure SQL Database must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity. (Cat II impact)
Discussion
Auditing for Azure SQL Database tracks database events and writes them to an audit log in the Azure storage account, Log Analytics workspace, or Event Hubs. Under normal conditions, the audit space allocated by an Azure Storage account can grow quite large. Since a requirement exists to halt processing upon audit failure, a service outage would result.
Check Content
Azure SQL Database must provide notice upon audit storage reaching capacity. Verify if an Azure Rule exists with the following command example: $storageAcct = Get-AzStorageAccount -ResourceGroupName "Name of RG for Audit Storage" -Name "Audit Storage Account Name" $metric = Get-AzMetricAlertRuleV2 | Where-Object TargetResourceId -eq $storageAcct.Id $metric.Criteria If no alert exists, this is a finding. If the criteria does not match 75 percent or less than the maximum capacity of 5 TiB, this is a finding.
Fix Text
Utilize Alerts in Microsoft Azure Monitoring and/or third-party tools to configure the system to notify appropriate support staff immediately upon storage volume utilization reaching 75 percent. https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview
Additional Identifiers
Rule ID: SV-255344r917654_rule
Vulnerability ID: V-255344
Group Title: SRG-APP-000359-DB-000319
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001855 |
The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity. |
Controls
Number | Title |
---|---|
AU-5 (1) |
Audit Storage Capacity |