Title: The DBMS must initiate session auditing upon startup of the database.
Vulnerability ID: V-32365
IA Controls: None
Description: Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
Typically, auditing is limited to specific user actions or security events. Session auditing can record every user action of a specific user or group of users. If session auditing is not available it could impede legal investigations into malicious use or compromise of the database.
Check Text: Review DBMS vendor documentation to determine whether the DBMS software is capable of session auditing. Review the DBMS settings to determine whether session auditing is enabled. If the DBMS is not capable of session auditing and a third party product is not being used for session level auditing, this is a finding.
If the DBMS is capable of session level auditing but session auditing is not enabled, or if a third party product is available for session auditing but is not enabled, this is a finding.
Fix Text: Utilize DBMS software or a third party product that supports session auditing.
Configure the DBMS software or third party product to enable session auditing.[divider]
SQL Server can have session auditing performed using profiler, and other tools. These actions are resource intensive yet keep track of every action performed by a user. By default the auditing tools in SQL Server would need a lot of configuration to collect every action of a single user. Depending on the level of detail required to collect a 3rd party tool may be easier to configure and use, but they are still going to use resources (disk, memory and CPU to run). In general, since SQL Server is transactional, all actions are technically recording in the transaction log. There are third party tools than can be used to analyze the transaction logs, but it is usually a last resort. Keep in mind though that a simple query to extract data is not recorded in the transaction log. only actions that change the database and data are recorded in the logs.