
V-276263

CAT II (Medium)

Azure SQL Managed Instance must be able to generate audit records when access to objects occur.

Rule ID

SV-276263r1150070_rule

STIG

Microsoft Azure SQL Managed Instance Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000172

Discussion

Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.

In an Azure SQL Managed Instance environment, types of access include, but are not necessarily limited to:

SELECT
INSERT
UPDATE
DELETE
EXECUTE

Satisfies: SRG-APP-000507-DB-000356, SRG-APP-000507-DB-000357

Check Content

Review Azure SQL Managed Instance configuration to verify audit records are produced when successful accesses to objects occur.  

Run this TSQL command to determine if SQL Auditing AuditActionGroups are configured: 

SELECT a.name AS 'AuditName',
       s.name AS 'SpecName',
       d.audit_action_name AS 'ActionName',
       d.audited_result AS 'Result'
FROM sys.server_audit_specifications s
JOIN sys.server_audits a ON s.audit_guid = a.audit_guid
JOIN sys.server_audit_specification_details d ON s.server_specification_id = d.server_specification_id
WHERE a.is_state_enabled = 1
AND d.audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP'
 
If no values are listed for AuditActionGroups, this is a finding.

Fix Text

Deploy an Azure SQL Managed Instance audit. Refer to the supplemental script "AzureSQLMIAudit.sql".

Reference: https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/auditing-configure?view=azuresql-mi
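
The following is an added example, not the STIG's supplemental AzureSQLMIAudit.sql script: a minimal server audit and audit specification that include SCHEMA_OBJECT_ACCESS_GROUP, followed by the check query above condensed into a single verdict. The object names STIG_Audit_Example and STIG_AuditSpec_Example are hypothetical, and the TO EXTERNAL_MONITOR target assumes a diagnostic setting that streams the SQLSecurityAuditEvents category is already configured for the instance.

```sql
-- Added example; object names are hypothetical and this is not AzureSQLMIAudit.sql.
USE master;
GO

-- 1. Audit target. TO EXTERNAL_MONITOR routes records to Event Hubs or Azure
--    Monitor logs; assumes the SQLSecurityAuditEvents diagnostic setting exists.
IF NOT EXISTS (SELECT 1 FROM sys.server_audits
               WHERE name = N'STIG_Audit_Example')
    CREATE SERVER AUDIT [STIG_Audit_Example] TO EXTERNAL_MONITOR;
GO

-- 2. Specification bound to that audit. SCHEMA_OBJECT_ACCESS_GROUP is raised
--    whenever an object permission (SELECT, INSERT, UPDATE, DELETE, EXECUTE, ...)
--    is used, which is the access this rule requires to be recorded.
IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications
               WHERE name = N'STIG_AuditSpec_Example')
    CREATE SERVER AUDIT SPECIFICATION [STIG_AuditSpec_Example]
        FOR SERVER AUDIT [STIG_Audit_Example]
        ADD (SCHEMA_OBJECT_ACCESS_GROUP)
        WITH (STATE = ON);
GO

-- 3. The audit itself is created disabled; nothing is written until it is on.
ALTER SERVER AUDIT [STIG_Audit_Example] WITH (STATE = ON);
GO

-- 4. Verdict form of the check. The s.is_state_enabled test is an addition to
--    the STIG query: a disabled specification on an enabled audit logs nothing.
SELECT CASE WHEN EXISTS (
           SELECT 1
           FROM sys.server_audit_specifications s
           JOIN sys.server_audits a
             ON s.audit_guid = a.audit_guid
           JOIN sys.server_audit_specification_details d
             ON s.server_specification_id = d.server_specification_id
           WHERE a.is_state_enabled = 1
             AND s.is_state_enabled = 1
             AND d.audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP')
       THEN 'Not a finding'
       ELSE 'Finding'
       END AS CheckResult;
```

If a specification with the same name already exists without the action group, step 2 is skipped and step 4 still reports a finding.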