The DBMS must be able to generate audit records when privileges/permissions are retrieved.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-206525 | SRG-APP-000091 | SRG-APP-000091-DB-000066 | SV-206525r960885_rule | 2024-12-04 | 4 |
| Description |
|---|
| Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted. |
| ℹ️ Check |
|---|
| Review DBMS documentation to verify that audit records can be produced when privileges/permissions/role memberships are retrieved. If the DBMS is not capable of this, this is a finding. If the DBMS is currently required to audit the retrieval of privilege/permission/role membership information, review the DBMS/database security and audit configurations to verify that audit records are produced when privileges/permissions/role memberships are retrieved. If they are not produced, this is a finding. |
| ✔️ Fix |
|---|
| Deploy a DBMS capable of producing the required audit records when privileges/permissions/role memberships are retrieved. If currently required, configure the DBMS to produce audit records when privileges/permissions/role memberships are retrieved. |