OpenControls Logo

STIG Viewer

The DBMS must be able to generate audit records when privileges/permissions are retrieved.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-206525SRG-APP-000091-DB-000066SV-206525r960885_ruleCCI-000172medium
Description
Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.
STIGDate
Database Security Requirements Guide2024-12-04

Related Frameworks

4 paths across 3 frameworks
NIST 800-531 mapping
AU-12
1.00
  • DISA · 4 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.3.1
1.00
  • DISA · 4 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.3.2
1.00
  • DISA · 4 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000172
1.00
  • DISA · 4 · disa_xccdf · related

Details

Check Text (C-206525r960885_chk)

Review DBMS documentation to verify that audit records can be produced when privileges/permissions/role memberships are retrieved. If the DBMS is not capable of this, this is a finding. If the DBMS is currently required to audit the retrieval of privilege/permission/role membership information, review the DBMS/database security and audit configurations to verify that audit records are produced when privileges/permissions/role memberships are retrieved. If they are not produced, this is a finding.

Fix Text (F-6785r291244_fix)

Deploy a DBMS capable of producing the required audit records when privileges/permissions/role memberships are retrieved. If currently required, configure the DBMS to produce audit records when privileges/permissions/role memberships are retrieved.