← Back to Microsoft Azure SQL Managed Instance Security Technical Implementation Guide

V-276257

CAT II (Medium)

Azure SQL Managed Instance must generate audit records when attempts to delete security objects occur.

Rule ID

SV-276257r1150023_rule

STIG

Microsoft Azure SQL Managed Instance Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000172

Discussion

The removal of security objects from the database/database management system (DBMS) would seriously degrade a system's information assurance posture. If such an action is attempted, it must be logged. To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones. Satisfies: SRG-APP-000501-DB-000337, SRG-APP-000501-DB-000336

Check Content

Review Azure SQL Managed Instance configuration to verify audit records are produced when unsuccessful attempts to delete security objects occur.  

Run this TSQL command to determine if Azure SQL Managed Instance Auditing AuditActionGroups are configured:
  
SELECT a.name AS 'AuditName',  s.name AS 'SpecName',   d.audit_action_name AS 'ActionName',   d.audited_result AS 'Result'   
FROM sys.server_audit_specifications s  
JOIN sys.server_audits a ON s.audit_guid = a.audit_guid  
JOIN sys.server_audit_specification_details d ON s.server_specification_id = d.server_specification_id   
WHERE a.is_state_enabled = 1  
AND d.audit_action_name = 'SCHEMA_OBJECT_CHANGE_GROUP'    
  
If the 'SCHEMA_OBJECT_ACCESS_GROUP' is not returned in an active audit, this is a finding.

Fix Text

Deploy an Azure SQL Managed Instance audit.

Refer to the supplemental file "AzureSQLMIAudit.txt" script. 

Reference: https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/auditing-configure?view=azuresql-mi