The DBMS must be able to generate audit records when privileges/permissions are retrieved.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-206525 | SRG-APP-000091-DB-000066 | SV-206525r960885_rule | CCI-000172 | medium |
| Description | ||||
| Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted. | ||||
| STIG | Date | |||
| Database Security Requirements Guide | 2024-12-04 | |||
Details
Check Text (C-206525r960885_chk)
Review DBMS documentation to verify that audit records can be produced when privileges/permissions/role memberships are retrieved.
If the DBMS is not capable of this, this is a finding.
If the DBMS is currently required to audit the retrieval of privilege/permission/role membership information, review the DBMS/database security and audit configurations to verify that audit records are produced when privileges/permissions/role memberships are retrieved.
If they are not produced, this is a finding.
Fix Text (F-6785r291244_fix)
Deploy a DBMS capable of producing the required audit records when privileges/permissions/role memberships are retrieved.
If currently required, configure the DBMS to produce audit records when privileges/permissions/role memberships are retrieved.