Check: ASQL-00-004700
Microsoft Azure SQL Database STIG:
ASQL-00-004700
(in versions v1 r2 through v1 r1)
Title
Azure SQL Database must initiate session auditing upon startup. (Cat II impact)
Discussion
Session auditing is for use when a user's activities are under investigation. To ensure capture of all activity during those periods when session auditing is in use, it needs to be in operation for the whole time Azure SQL Database is running.
Check Content
When Audits are enabled, they start up when the audits are enabled and remain operating until the audit is disabled. Check if an audit is configured and enabled. To determine if session auditing is configured and enabled, follow the instructions below: Run this TSQL command to determine if SQL Auditing is configured and enabled: SELECT * FROM sys.database_audit_specifications where (name = 'SqlDbAuditing_ServerAuditSpec' or name = 'SqlDbAuditing_AuditSpec') and is_state_enabled = 1 All currently defined audits for the Azure SQL Database instance will be listed. If no audits are returned, this is a finding.
Fix Text
Deploy an Azure SQL Database audit. Refer to the supplemental file "AzureSQLDatabaseAudit.txt" PowerShell script. Reference: https://docs.microsoft.com/en-us/powershell/module/az.sql/set-azsqlserveraudit
Additional Identifiers
Rule ID: SV-255328r879562_rule
Vulnerability ID: V-255328
Group Title: SRG-APP-000092-DB-000208
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001464 |
The information system initiates session audits at system start-up. |
Controls
Number | Title |
---|---|
AU-14 (1) |
System Start-Up |