Summary of Audit-Specific STIG IDs

The DoD Database Security Technical Implementation Guide (STIG) has quite a few requirements in the area of auditing, but they're scattered throughout the document. Here's a list of all the audit-related STIG IDs that I found.

From the Security Readiness Review: "The majority of Microsoft SQL Server security auditing is provided by the trace facility. Traces may be created using system stored procedures or with Microsoft SQL Profiler. The trace must be running in order for security event data to be collected for analysis."

DG = Database, General
DM = Database, Microsoft

Audit IDs

DG0029: Database Auditing
  Changes made to the DBMS configuration or its objects and data must be recorded.
  This ID requires that C2 Security be turned on for standard and enterprise editions. (Common Criteria replaces C2 Security and is available as of SQL Server 2005 SP2.)

DG0030: DBMS Audit Data Maintenance
  Retain the audit trail information at least 1 year with at least the last 30 days online.

DG0031: DBMS Audit of Changes to Data
  Only applicable if required by an application.

DG0032: DBMS Audit Record Access
  File-level Access Control Lists (ACLs) must be managed on audit logs to prevent unauthorized access.

DG0041: DBMS installation account use logging
  The account used to install SQL Server should have no special SQL Server privileges after installation.

DG0052: DBMS Software Access Audit
  Periodically review the audit logs for unexpected application names.

DG0054: DBMS Software Access Audit Review
  Audit log review procedures must be documented in the written Security Plan.
  Manual reviews must be weekly and documented unless automated alerts are used.

DG0060: DBMS Shared Account Authorization
  Applications must pass individual user information where feasible for audit accountability.

DG0067: DBMS Account Password External Storage
  Application passwords should not be stored in the clear.
  The DBA must maintain a record of authorized applications.
  Audit reviews (see DG0052) should find new applications to be evaluated for password storage compliance.

DG0074: DBMS Inactive Accounts
  Audit expired accounts and accounts unused for 30 days.

DG0080: DBMS Application User Privilege Assignment Review
  Assignment of privileges must be reviewed and reported to auditors at least monthly.

DG0083: DBMS Audit Report Automation
  An efficient audit review method is required. The Database STIG V8R1 section 3.3.17, on which DG0083 is based, is more ambiguous and merely requires that the audit data be presented in an "efficient way." This is easy to comply with and can be performed without third-party tools, and we can filter and summarize events such as failed login attempts. To summarize, I believe it is only possible to comply with the STIG on this requirement, not the Checklist.

DG0085: Minimum DBA Privilege Assignment
  Audit privilege upgrades by DBAs if their data access is restricted.

DG0095: DBMS Audit Trail Data Review
  Documented daily review is required for audit traces, system error logs, system logs (Windows), and application logs (Windows). This is the responsibility of the IAO, not the DBA.

DG0099: DBMS Access To External Local Executables
  Enable auditing on execution of stored procedures. Review the audit data after a sufficient period to capture all operational usage, and then restrict access to unused extended stored procedures. If no operational issues arise after a sufficient time (you should double the period used before), remove the unused extended stored procedures.

DG0111: DBMS Dedicated Software Directory and Partition
  Audit log files must be in a dedicated directory.

DG0114: Critical DBMS Files Fault Protection
  Audit log files must be on fault-tolerant storage devices.

DG0116: DBMS Privileged Role Assignments
  Only personnel authorized to manage the system audit configuration may be SQL Server System Administrators.

DG0140: DBMS Security Data Access
  Enable auditing for access to any security data where supported by the DBMS. If auditing for security data access results in an unacceptable adverse impact on application operation, scale back the audit to a reasonable and acceptable level. Document any incomplete audit with acceptance of the risk of incomplete audit in the System Security Plan.

DG0141: DBMS Access Control Bypass
  Enable auditing of failed or both failed and successful logins.

DG0142: DBMS Privileged Action Audit
  The default trace must be enabled or all of its events must be included in a custom trace.

DG0145: DBMS Audit Record Content
  This ID requires:
  1. C2 Security be turned on for standard and enterprise editions. (Common Criteria replaces C2 Security and is available as of SQL Server 2005 SP2.)
  OR
  2. A custom audit trace with a specific list of events must always be running.

DG0158: DBMS Remote Administration Audit
  Audit all actions by DBAs, regardless of remote vs. local, because SQL Server does not distinguish remote vs. local administrative sessions, and most SQL Server administration is remote.

DG0159: Review of DBMS Remote Administrative Access
  If DG0158 is implemented, the IAO will review the remote administrative activity daily.

DG0161: DBMS Audit Tool
  SQL Server Alerts can create and log alerts and SQL Server Database Mail can be used to send email alerts to DBAs and IAOs to satisfy the immediate-reporting requirement.

DG0166: Protection of DBMS Asymmetric Encryption Keys
  Examine evidence that an audit record is created whenever the asymmetric key is accessed by other than authorized users.

DG0172: DBMS Classification Level Audit
  Changes to data security labels will be audited if the data owner requires it. See SQL Server Row-level or Cell-level Security.

DG0175: DBMS Host And Component STIG Compliancy
  Regularly audit the security configuration of related applications and the application servers to confirm their continued compliance with security requirements.

DG0176: DBMS Audit Log Backups
  Configure and ensure SQL Server audit trace files, instance, and other error log files are included in regular backups.

DG0198: DBMS Remote Administration Encryption
  Verify during audit reviews that:
  1. Administrative access is limited to local connections.
  OR
  2. Administrative access is limited to a dedicated and encrypted port.

--------------------------------------------------

DM0510: C2 Audit Mode
  This ID requires that C2 Security be turned on for standard and enterprise editions. (Common Criteria replaces C2 Security and is available as of SQL Server 2005 SP2.)

DM1761: Scan For Startup Stored Procedures
  C2/Common Criteria requires a default audit trace to run at SQL Server startup.

DM5267: Trace Rollover On Audit Trace
  Audit traces must use TRACE_FILE_ROLLOVER option 2 and SHUTDOWN_ON_ERROR option 4.
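
A read-only T-SQL check for the trace and audit-mode settings named in DG0029/DM0510, DG0141, DG0142, DG0145 and DM5267. This is an added example, not text or code from the STIG or the Checklist. It assumes SQL Server 2005 or later and a login with ALTER TRACE permission; the wording in the "finding" column is illustrative only.

```sql
-- Added example: read-only checks, nothing here changes configuration.

-- DG0029 / DM0510 / DG0142: audit-mode and default-trace switches.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(value_in_use AS int) = 1
            THEN 'enabled' ELSE 'disabled' END AS state
FROM sys.configurations
WHERE name IN (N'c2 audit mode',
               N'common criteria compliance enabled',
               N'default trace enabled');

-- DM5267: every non-default audit trace should be running with
-- TRACE_FILE_ROLLOVER (option 2) and SHUTDOWN_ON_ERROR (option 4).
-- sys.traces exposes those options as is_rollover and is_shutdown.
SELECT id, path, status, is_default, is_rollover, is_shutdown,
       CASE
         WHEN is_default = 1 THEN 'default trace (see DG0142)'
         WHEN status = 0 THEN 'review: trace is stopped'
         WHEN is_rollover = 1 AND is_shutdown = 1 THEN 'rollover and shutdown-on-error set'
         WHEN is_rollover = 0 THEN 'review: TRACE_FILE_ROLLOVER not set'
         ELSE 'review: SHUTDOWN_ON_ERROR not set'
       END AS finding
FROM sys.traces
ORDER BY id;

-- DG0145: list the events each custom trace captures, for comparison
-- against the event list the Checklist requires (not reproduced here).
SELECT t.id AS trace_id, e.trace_event_id, e.name AS event_name
FROM sys.traces AS t
CROSS APPLY (SELECT DISTINCT eventid
             FROM sys.fn_trace_geteventinfo(t.id)) AS i
JOIN sys.trace_events AS e
  ON e.trace_event_id = i.eventid
WHERE t.is_default = 0
ORDER BY t.id, e.trace_event_id;

-- DG0141: login audit level; config_value should be 'failure' or 'all'.
EXEC master..xp_loginconfig 'audit level';
```

No rows from the second query for non-default traces means no custom audit trace is currently defined, which matters for DG0145 unless C2 or Common Criteria mode is enabled.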