Title: The application must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds.
Vulnerability ID: V-32380
IA Controls: None
Description: It is critical when a system is at risk of failing to process audit logs as required; actions are automatically taken to mitigate the failure or risk of failure.
One method used to thwart the auditing system is for an attacker to attempt to overwhelm the auditing system with large amounts of irrelevant data. The end result being audit logs that are either overwritten and activity thereby erased or disk space that is exhausted and any future activity is no longer logged.
In many system configurations, the disk space allocated to the auditing system is separate from the disks allocated for the operating system; therefore, this may not result in a system outage.
This requirement is specific to applications and network devices that restrict network traffic. This requirement is NA for databases.
Check Text: This check is NA for databases.
Fix Text: This fix is NA for databases.[divider]
Even though this STIG does not apply directly to databases, it does bring up some things to be concerned about when it comes to event and error logs files on your SQL Server.
It is important to remember to change the number of past SQL error logs to hold onto from the default minimum quantity of 6. Each time the server is restarted (or the appropriate command issued) the event log cycles and removes the oldest one. This may not normally be an issue, but if too many restarts begin before you are able to capture and save the logs elsewhere to review, you could lose valuable troubleshooting information.
You can change the value by opening the object explorer in SSMS. Connect to your SQL Server, and expend Management, right-click on SQL Server Logs, and then click Configure.
In the Configure SQL Server Error Logs check the check box and set the numeric value to the number of logs you would like to keep.
You can also use the following T-SQL code to set the value.
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'NumErrorLogs', REG_DWORD, 10
This script changes the default from 6 to 10. You can change the 10 value to any value between 6 and 99.
This script also uses a default configuration of SQL Server. You may have to change the registry key location as well though the xp_instance_regwrite should adapt to your instance’s registry path automatically. If in doubt, use the GUI.