Title: Attempts to bypass access controls must be audited.
Vulnerability ID: V-32390
IA Controls: None
Description: Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Detection of suspicious activity including access attempts and successful access from unexpected places, during unexpected times, or other unusual indicators can support decisions to apply countermeasures to deter an attack. Without detection, malicious activity may proceed without hindrance.
Check Text: Review any audit settings for:
– Unsuccessful logon attempts;
– Account locking events;
– Account disabling from a specific source location;
– Failed database object attempts or attempts to access objects that do not exist; and
– Other activities that may produce unexpected failures or trigger DBMS lockdown actions.
If any of the above events as applicable to the DBMS are not audited, this is a finding.
Fix Text: Configure auditing to capture the events listed below where available in the DBMS:
– Unsuccessful logon attempts
– Account locking events
– Account disabling from a specific source location
– Failed database object attempts or attempts to access objects that do not exist
– Other activities that may produce unexpected failures or trigger DBMS lockdown actions