
Azure SQL Database must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity.
Overview

Finding ID: V-255344
Version: ASQL-00-011000
Rule ID: SV-255344r871158_rule
IA Controls:
Severity: Medium
Description
Auditing for Azure SQL Database tracks database events and writes them to an audit log in an Azure Storage account, a Log Analytics workspace, or Event Hubs. Under normal conditions, the audit space consumed in an Azure Storage account can grow quite large. Because a separate requirement exists to halt processing upon audit failure, exhausting the audit storage would result in a service outage unless support staff are warned in time to act.
STIG: Microsoft Azure SQL Database Security Technical Implementation Guide
Date: 2022-11-16

Details

Check Text (C-59017r871156_chk)
Azure SQL Database must provide notice upon audit storage reaching capacity.

If no alert exists to notify support staff in the event the SQL Audit storage reaches 75 percent, this is a finding.

Verify whether an Azure alert rule exists, for example with the following command:

Get-AzAlertRule
-ResourceGroupName
-Name
[-DetailedOutput]
[-DefaultProfile ]
[]

The Get-AzAlertRule cmdlet gets an alert rule by its name or URI, or all alert rules from a specified resource group.

If the monitoring or alert configuration is missing a rule that alerts if the storage account is 75 percent of maximum capacity, this is a finding.
Fix Text (F-58961r871157_fix)
Use alerts in Azure Monitor and/or third-party tools to configure the system to notify appropriate support staff immediately when audit storage volume utilization reaches 75 percent.

https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview
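The check and the fix above can be scripted with the Az.Monitor metric-alert cmdlets (Get-AzMetricAlertRuleV2, New-AzMetricAlertRuleV2Criteria, Add-AzMetricAlertRuleV2), which cover the current Azure Monitor alerts, whereas the Get-AzAlertRule cmdlet quoted in the check text applies to classic alert rules. This is an added example and not part of the STIG or of Microsoft's documentation; the resource group, storage account, action group and the 5 PiB maximum capacity are assumptions to replace with your own values, and the criteria property names (MetricName, OperatorProperty, Threshold) follow the Az.Monitor output classes.

```powershell
# Added example (not from the STIG): report whether an alert warns at 75 percent of the
# audit storage account's capacity, and create one if none exists.
# Requires the Az.Monitor and Az.Storage modules and an authenticated session (Connect-AzAccount).

$ResourceGroup    = 'rg-sql-audit'      # assumption: resource group holding the audit storage account
$StorageAccount   = 'stsqlauditlogs'    # assumption: storage account that receives the SQL audit logs
$ActionGroupName  = 'ag-dba-oncall'     # assumption: action group that notifies support staff
$MaxCapacityBytes = 5PB                 # assumption: allocated maximum (PowerShell's PB suffix is 2^50 bytes)
$ThresholdBytes   = [math]::Floor($MaxCapacityBytes * 0.75)   # STIG requirement: warn at 75 percent

$scope = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Id

# Check: any enabled metric alert on this storage account that watches UsedCapacity
# with a "greater than" style operator and a threshold at or below 75 percent satisfies the rule.
$existing = Get-AzMetricAlertRuleV2 -ResourceGroupName $ResourceGroup |
    Where-Object { $_.Enabled -and ($_.Scopes -contains $scope) } |
    Where-Object {
        $_.Criteria | Where-Object {
            $_.MetricName -eq 'UsedCapacity' -and
            $_.OperatorProperty -in 'GreaterThan', 'GreaterThanOrEqual' -and
            $_.Threshold -le $ThresholdBytes
        }
    }

if ($existing) {
    Write-Output "Not a finding: alert rule(s) present: $($existing.Name -join ', ')"
    return
}

Write-Warning "Finding: no alert warns at 75 percent of audit storage capacity. Creating one."

# Fix: a metric alert on the storage account's UsedCapacity metric, evaluated hourly
# (UsedCapacity is emitted once per hour), routed to the support staff's action group.
$criteria = New-AzMetricAlertRuleV2Criteria -MetricName 'UsedCapacity' `
    -MetricNamespace 'Microsoft.Storage/storageAccounts' `
    -TimeAggregation Average -Operator GreaterThanOrEqual -Threshold $ThresholdBytes

$actionGroup = Get-AzActionGroup -ResourceGroupName $ResourceGroup -Name $ActionGroupName

Add-AzMetricAlertRuleV2 -Name 'sql-audit-storage-75pct' -ResourceGroupName $ResourceGroup `
    -TargetResourceId $scope -Condition $criteria -ActionGroupId $actionGroup.Id `
    -WindowSize 01:00:00 -Frequency 01:00:00 -Severity 2 `
    -Description 'ASQL-00-011000: warn support staff at 75 percent of audit storage capacity'
```

The script only creates the rule when the check finds none, so it can be run repeatedly as part of a compliance scan.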