
Database executable and configuration files should be monitored for unauthorized modifications.


Overview

Finding ID: V-2420
Version: DG0010-SQLServer9
Rule ID: SV-24121r1_rule
IA Controls: DCSL-1
Severity: Low
Description
Changes to files in the DBMS software directory, including executable, configuration, script, or batch files, can indicate malicious compromise of the software files. Non-executable files, such as log files and data files, are modified by the DBMS as part of normal operation, so changes to them do not usually reflect unauthorized changes. These modifications can be ignored.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-1792r1_chk)
Ask the DBA to describe or demonstrate any software modification detection procedures in place, and request the documentation of these procedures for review. If procedures exist that include review of the database software directories and database application directories, this is Not a Finding. Verify by reviewing reports for inclusion of the DBMS executable and configuration files.

Sample Questions: What procedures/software do you have in place to detect unauthorized modification to application files? Are the database application software files, including both the SQL Server and third-party files, scanned for modification? Do you scan for modifications to the configuration files?
Fix Text (F-20146r1_fix)
Establish and implement procedures to monitor any changes made to the database software. Identify all database files and directories to be included in the host system or database backups and provide these to the person responsible for backups.

For Windows systems, run dir /s > filename.txt weekly to store file modification/creation dates and file sizes, and compare the stored listings using the DOS fc command. This is not as comprehensive as some available tools, but it may be enhanced by also checking checksums or file hashes.
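
The fix text suggests strengthening the dir/fc comparison with file hashes. The script below is an added example, not part of the STIG text: it records a SHA-256 baseline of the executable, configuration, script and batch files under the DBMS software directory and reports added, modified and removed files on later runs. The parameter names, the extension list and both paths are assumptions to be set per site.

```powershell
# Added example (not STIG text). Requires PowerShell 4.0+ for Get-FileHash.
# Assumptions: $SoftwareDir, $BaselineCsv and the $Extensions list are site-specific.
param(
    [Parameter(Mandatory = $true)][string]$SoftwareDir,
    [Parameter(Mandatory = $true)][string]$BaselineCsv,
    [string[]]$Extensions = @('.exe', '.dll', '.config', '.ini', '.sql', '.bat', '.cmd')
)

# Hash only executable, configuration, script and batch files; log and data
# files change during normal DBMS operation and are skipped by the filter.
$current = @(
    Get-ChildItem -LiteralPath $SoftwareDir -Recurse -File -ErrorAction Stop |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            [pscustomobject]@{
                Path         = $_.FullName
                Length       = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
)

# First run: record the baseline and stop.
if (-not (Test-Path -LiteralPath $BaselineCsv)) {
    $current | Export-Csv -LiteralPath $BaselineCsv -NoTypeInformation
    Write-Output "Baseline of $($current.Count) files written to $BaselineCsv"
    return
}

# Index the stored baseline by path (PowerShell hashtable keys are case-insensitive).
$baseline = @{}
Import-Csv -LiteralPath $BaselineCsv | ForEach-Object { $baseline[$_.Path] = $_ }
$findings = New-Object 'System.Collections.Generic.List[object]'
foreach ($file in $current) {
    $old = $baseline[$file.Path]
    if ($null -eq $old) {
        $findings.Add([pscustomobject]@{ Change = 'Added'; Path = $file.Path })
    } elseif ($old.SHA256 -ne $file.SHA256) {
        $findings.Add([pscustomobject]@{ Change = 'Modified'; Path = $file.Path })
    }
    $baseline.Remove($file.Path)
}
# Paths still in the table were in the baseline but are no longer on disk.
foreach ($path in $baseline.Keys) {
    $findings.Add([pscustomobject]@{ Change = 'Removed'; Path = $path })
}
$findings | Sort-Object Change, Path | Format-Table -AutoSize
if ($findings.Count -gt 0) { exit 1 }
```

Keep the baseline file somewhere the DBMS service account cannot write, and re-create it after each authorized patch or configuration change so later reports show only unexplained differences.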