Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide

V1R3 · · · Released 25 Jul 2014 · 156 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

The Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.
Sort by
b
SQL Server must verify there have not been unauthorized changes to SQL Server software and information.
SI-7 - Medium - CCI-001297 - V-40904 - SV-53258r1_rule
RMF Control
SI-7
Severity
M
CCI
CCI-001297
Version
SQL2-00-023900
Vuln IDs
  • V-40904
Rule IDs
  • SV-53258r1_rule
Organizations are required to employ integrity verification applications on information systems to look for evidence of information tampering, errors, and omissions. The organization is also required to employ good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, and cryptographic hashes), and to use tools to automatically monitor the integrity of the information system and the applications it hosts. SQL Server opens data files and reads configuration files at system startup, system shutdown, and during abort recovery efforts.
Checks: C-47559r2_chk

Determine if a baselining process, along with a regular comparison, is being performed on SQL Server software. By default, SQL Server is installed in the "program files/microsoft sql server" directory. If baselining and a comparison process are not being performed, this is a finding.

Fix: F-46186r1_fix

Utilize a baselining and comparison process for the SQL Server software files.

b
SQL Server must support the requirement to activate an alarm and/or automatically shut down the information system if an application component failure is detected. This can include conducting a graceful application shutdown to avoid losing information.
SI-13 - Medium - CCI-001328 - V-40905 - SV-53259r1_rule
RMF Control
SI-13
Severity
M
CCI
CCI-001328
Version
SQL2-00-023000
Vuln IDs
  • V-40905
Rule IDs
  • SV-53259r1_rule
Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining system security fail to function, then SQL Server could continue operating in an insecure state. The organization must be prepared, and SQL Server and applications using SQL Server's databases must be configured to send an alarm for such conditions and/or automatically shut down SQL Server. If appropriate actions are not taken when application component failures occur, a denial of service condition may occur.
Checks: C-47560r2_chk

Check SQL Server configuration to verify the system activates and alarms and/or triggers a system shutdown when an application component failure is detected. If SQL Server does not take either or both actions, this is a finding.

Fix: F-46187r1_fix

Configure SQL Server to activate an alarm and/or trigger a system shutdown when an application component failure is detected.

b
SQL Server must identify potential security-relevant error conditions.
SI-11 - Medium - CCI-001311 - V-40906 - SV-53260r1_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001311
Version
SQL2-00-022700
Vuln IDs
  • V-40906
Rule IDs
  • SV-53260r1_rule
The structure and content of SQL Server error messages need to be carefully considered by the organization and development team. The extent to which the application is able to identify and handle error conditions is guided by organizational policy and operational requirements. Database logs can be monitored for specific security-related errors. Any error that can have a negative effect on database security should be quickly identified and forwarded to the appropriate personnel. If security-relevant error conditions are not identified by SQL Server they may be overlooked by the personnel responsible for addressing them.
Checks: C-47561r2_chk

Security-related errors must be identified and monitored. In most cases, these items would appear in the SQL Server log file. If security-related error conditions are not being monitored to meet this requirement, this is a finding.

Fix: F-46188r2_fix

Monitor SQL Server log files to determine when a security-related error occurs. Add/Update list of appropriate personnel that are to be alerted when a security related error condition occurs to system documentation. Consider an automated job for both the monitor and the alerting.

c
SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission, unless the transmitted data is otherwise protected by alternative physical measures.
SC-9 - High - CCI-001131 - V-40907 - SV-53261r1_rule
RMF Control
SC-9
Severity
H
CCI
CCI-001131
Version
SQL2-00-022600
Vuln IDs
  • V-40907
Rule IDs
  • SV-53261r1_rule
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. Alternative physical protection measures include Protected Distribution Systems (PDS). PDS are used to transmit unencrypted classified NSI through an area of lesser classification or control. In as much as the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for additional details on a PDS. Information in transmission is particularly vulnerable to attack. If the DBMS does not employ cryptographic mechanisms preventing unauthorized disclosure of information during transit, the information may be compromised.
Checks: C-47562r2_chk

Check SQL Server settings to determine whether cryptographic mechanisms are used to prevent the unauthorized disclosure of information during transmission. Determine whether physical measures are being used instead of cryptographic mechanisms. If neither cryptographic nor physical measures are being utilized, this is a finding. Review system documentation to determine whether the system handles classified information. If the system does not handle classified information, the severity of this check should be downgraded to Category Code 2. From Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab. If Force Encryption is set, a DoD Certificate is not utilized, and some type of physical encryption measure is utilized, examine the physical encryption devices to determine the following: 1. The plaintext connection to the database server is afforded the highest protections, allowing no access to unauthorized or non-cleared personnel. 2. The encryption device is configured to pass traffic to only the specific IP addresses as identified by the database documentation. 3. The encryption keys utilized are current and valid keys. 4. The keys utilized meet approved organizationally defined compliant algorithms. If one of the preceding requirements is not met, this is a finding. If Force Encryption is set to No, a DoD Certificate is not utilized, and some type of physical encryption measure is not utilized, this is a finding.

Fix: F-46189r2_fix

Deploy organization approved encryption to the SQL Server Network Connections. From Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, set Force Encryption to YES, provide a DoD certificate on the Certificate tab.

b
SQL Server must ensure, if Database Availability Groups are being used and there is a server failure, that none of the potential failover servers would suffer from resource exhaustion.
SC-6 - Medium - CCI-001096 - V-40908 - SV-53262r1_rule
RMF Control
SC-6
Severity
M
CCI
CCI-001096
Version
SQL2-00-022400
Vuln IDs
  • V-40908
Rule IDs
  • SV-53262r1_rule
SQL Server has a feature called 'Availability Group' which provides automatic failover from a primary SQL Server to a secondary server. This concept is not new, but because SQL Server does warn that if the secondary SQL Server is not dedicated 100% to being a backup server, that "resource exhaustion" may be an issue if there is some load balancing going on. If the primary SQL Server has a backup/secondary server that is dedicated 100% to the primary server's process, this is not a finding. If, however, the processing of the primary SQL Server is loaded to a secondary server that is already partly resourced to process something other than that of the primary SQL Server responsibility, then there can be load balancing issues. Load balancing for the purpose of sharing a secondary/backup SQL Server is often done to share and save on resources.
Checks: C-47563r2_chk

Check the system documentation and check with the administrator regarding processing resources of the backup/secondary SQL Server. If the primary SQL Server has a backup/secondary server that is dedicated 100% to the primary server's processing, this is not a finding. If the secondary/backup SQL Server is already partly resourced to process something other than that of the primary SQL Server processing, then determine what resources would be required for the secondary/backup SQL Server. If the secondary/backup SQL Server is determined to not have enough processing resources to fulfill the function of the primary server's SQL Server process, this is a finding.

Fix: F-46190r2_fix

Allocate Replacement Server(s) to provide failover support to the Primary SQL Server. If a single solution cannot be employed, split the processing of a secondary SQL Server amongst two or more secondary servers.

a
SQL Server must limit the use of resources by priority and not impede the host from servicing processes designated as a higher priority.
SC-6 - Low - CCI-001096 - V-40909 - SV-53263r1_rule
RMF Control
SC-6
Severity
L
CCI
CCI-001096
Version
SQL2-00-022300
Vuln IDs
  • V-40909
Rule IDs
  • SV-53263r1_rule
Priority protection helps prevent a lower-priority process from delaying or interfering with the information system servicing any higher-priority process. This control does not apply to components in the information system for which there is only a single user/role. The application must limit the use of resources by priority. SQL Server often runs queries for multiple users at the same time. If lower priority processes are utilizing a disproportionately high amount of database resources, this can severely impact higher priority processes. Even if SQL Server's utilization is very small and there may seem to be no need to priority protection, often resources grow exponentially and must be implemented as part of an initial deployment.
Checks: C-47564r2_chk

Review system documentation and determine if one type or more of SQL Server users has a business need for priority usage over other types of users. The need for prioritization most frequently occurs when SQL Server resources are shared between two or more applications or systems where the number of users on more than one system is small or non-existent. This needs to be the case, because SQL Server limits resource based on user accounts and not what process is running. If SQL Server has users that are determined to run significantly high priority processes than other users and the SQL Server "Resource Governor" is not being implemented, this is a finding.

Fix: F-46191r2_fix

SQL Server utilizes the "Resource Governor" to determine who is allowed high processing resources. There are several configurations regarding the "Resource Governor" that mostly comes down to users or groups of users having a "MAX_CPU_PERCENT", "MIN_CPU_PERCENT", "MIN_MEMORY_PERCENT", and/or "MAX_MEMORY_PERCENT" settings. Users are assigned to Workgroups and the Workgroups are configured processing resources via the "Resource Governor".

b
SQL Server must isolate security functions from nonsecurity functions by means of separate security domains.
SC-3 - Medium - CCI-001084 - V-40910 - SV-53264r1_rule
RMF Control
SC-3
Severity
M
CCI
CCI-001084
Version
SQL2-00-021500
Vuln IDs
  • V-40910
Rule IDs
  • SV-53264r1_rule
Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based". Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Database Management Systems typically separate security functionality from nonsecurity functionality via separate databases or schemas. Database objects or code implementing security functionality should not be commingled with objects or code implementing application logic. When security and nonsecurity functionality is commingled, users who have access to nonsecurity functionality may be able to access security functionality.
Checks: C-47565r2_chk

Determine elements of security functionality (lists of permissions, additional authentication information, stored procedures, application specific auditing, etc.) which are being housed inside SQL server. For any elements found, check SQL Server to determine if these objects or code implementing security functionality are located in a separate security domain, such as a separate database or schema created specifically for security functionality. Run the following script to list all the user-defined databases: PRINT 'LIST OF NON-SYSTEM DATABASES:' + CHAR(10) EXEC sp_MSforeachdb ' IF NOT ''?'' IN (''master'', ''tempdb'', ''model'', ''msdb'') PRINT ''?'' ' If security-related database objects or code are not kept separate, this is a finding.

Fix: F-46192r1_fix

Locate security-related database objects and code in a separate database, schema, or other separate security domain from database objects and code implementing application logic.

b
SQL Server must protect data at rest and ensure confidentiality and integrity of data.
SC-28 - Medium - CCI-001199 - V-40911 - SV-53265r1_rule
RMF Control
SC-28
Severity
M
CCI
CCI-001199
Version
SQL2-00-021300
Vuln IDs
  • V-40911
Rule IDs
  • SV-53265r1_rule
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Applications and application users generate information throughout the course of their application use. User-generated data, as well as, application-specific configuration data, needs to be protected. Configurations and/or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content are examples of system information likely requiring protection. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate. If the confidentiality and integrity of SQL Server data is not protected, the data will be open to compromise and unauthorized modification.
Checks: C-47566r2_chk

Ensure the data on secondary devices is encrypted. If full-disk encryption is being used, this is not a finding. Ensure the data is encrypted before being put on the secondary device by executing: SELECT * FROM [master].sys.databases For each user database, ensure the Is_encrypted column is set to 1. If it is not set to 1, this is a finding.

Fix: F-46193r2_fix

Apply appropriate controls to protect the confidentiality and integrity of data on a secondary device. This can be done by full-disk encryption or by database encryption. To enable database encryption, create a master key, create a database encryption key, and protect it by using mechanisms tied to the master key, and then set encryption on.

a
SQL Server must associate and maintain security labels when exchanging information between systems.
SC-16 - Low - CCI-001157 - V-40912 - SV-53266r1_rule
RMF Control
SC-16
Severity
L
CCI
CCI-001157
Version
SQL2-00-020400
Vuln IDs
  • V-40912
Rule IDs
  • SV-53266r1_rule
When data is exchanged between information systems, the security attributes associated with said data needs to be maintained. Security attributes are an abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information, typically associated with internal data structures (e.g., records, buffers, files) within the information system and used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Security attributes may be explicitly or implicitly associated with the information contained within the information system. If database security labels are not maintained as information moves between systems, handling instructions can be lost and data can be accidentally distributed to unauthorized individuals.
Checks: C-47567r2_chk

Review system documentation to determine if the labeling of sensitive data is required under organization-defined guidelines. If the labeling of sensitive data is not required, this is NA. Obtain system configuration setting to determine how data labeling is being performed. This can be through triggers or some other SQL developed means or via a third-party tool. Check to ensure that labels are being associated to data when information is being exchanged between systems. If the labeling is not being associated to data when exchanging data between systems, this is a finding.

Fix: F-46194r2_fix

Develop SQL code or acquire a third party tool to perform data labeling. SQL Server Label Security Toolkit 2.0 can be downloaded from http://sqlserverlst.codeplex.com/releases/view/83460. This tool can satisfy all data labeling and security data labeling requirements.

b
SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized Server Roles access.
SC-14 - Medium - CCI-001149 - V-40913 - SV-53267r1_rule
RMF Control
SC-14
Severity
M
CCI
CCI-001149
Version
SQL2-00-020300
Vuln IDs
  • V-40913
Rule IDs
  • SV-53267r1_rule
The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of other security controls. If SQL Server contains publicly available information, though not concerned with confidentiality, SQL Server must maintain the integrity of the data. If data available to the public is not protected from unauthorized modification or deletion, then the data cannot be trusted by those accessing it. The user account associated with public access must not have access to the OS or SQL Server configuration information, include read access to schema information.
Checks: C-47568r2_chk

If SQL Server is not housing or distributing publicly available information, this finding is NA. Obtain from the DBA or system documentation the list of publicly available data within SQL Server and the role names that assign read-only access to that public data. Obtain the publicly available user account name being used to access SQL Server. Navigate to Start >> Administrative Tools >> Server Manager >> Server Manager (<'server name'>) >> Configuration >> Local Users and Groups >> Groups >> right click 'Guests' >> Properties >> 'Members:' The publicly available user account will likely be in the OS 'Guests' group. Determine if SQL Server is granting more than read access to the publicly available information through SQL Server 'Server Roles'. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> Server Roles. If any 'Server Roles' are marked that grant more than read access to the publicly available information, this is a finding.

Fix: F-46195r2_fix

Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> Server Roles. Uncheck the 'Server Roles' that are checked and grant more than read-only access to the publicly available information.

b
SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized User Mapping access.
SC-14 - Medium - CCI-001149 - V-40914 - SV-53268r1_rule
RMF Control
SC-14
Severity
M
CCI
CCI-001149
Version
SQL2-00-020200
Vuln IDs
  • V-40914
Rule IDs
  • SV-53268r1_rule
The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of other security controls. If SQL Server contains publicly available information, though not concerned with confidentiality, SQL Server must maintain the integrity of the data. If data available to the public is not protected from unauthorized modification or deletion, then the data cannot be trusted by those accessing it. The user account associated with public access must not have access to the OS or SQL Server configuration information, include read access to schema information. This access includes, but is not limited to, SQL Server 'User Mapping' assignments. SQL Server access to any of the three system databases (master, model, or msdb) is restricted from the publicly available user account, because this would grant more than read-only access to public information. Of the existing user-defined databases, privileges must be checked to allow only read access to publically available data.
Checks: C-47569r2_chk

If SQL Server is not housing or distributing publicly available information, this finding is NA. Obtain from the DBA or system documentation the list of publicly available data within SQL Server. Obtain the publicly available user account name being used to access SQL Server. Navigate to Start &gt;&gt; Administrative Tools &gt;&gt; Server Manager &gt;&gt; Server Manager (&lt;'server name'&gt;) &gt;&gt; Configuration &gt;&gt; Local Users and Groups &gt;&gt; Groups &gt;&gt; right click 'Guests' &gt;&gt; Properties &gt;&gt; 'Members:' The publicly available user account will likely be in the OS 'Guests' group. Determine if SQL Server is granting more than read access to the publicly available information through SQL Server 'User Mapping'. Navigate to SQL Server Management Studio &gt;&gt; Object Explorer &gt;&gt; &lt;'SQL Server name'&gt; &gt;&gt; Security &gt;&gt; Logins &gt;&gt; right click &lt;'user account'&gt; &gt;&gt; Properties &gt;&gt; User Mapping. If any of the three system databases are checked (indicating a granted privilege): master, model, or msdb, this is a finding.

Fix: F-46196r2_fix

Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> User Mapping >> highlight checked database. Uncheck the 'Database role membership' that is checked and grants more than read-only access to the publicly available information.

b
SQL Server must protect the integrity of publicly available information and applications.
SC-14 - Medium - CCI-001149 - V-40915 - SV-53269r1_rule
RMF Control
SC-14
Severity
M
CCI
CCI-001149
Version
SQL2-00-020100
Vuln IDs
  • V-40915
Rule IDs
  • SV-53269r1_rule
The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of other security controls. If SQL Server contains publicly available information, though not concerned with confidentiality, SQL Server OS must maintain the integrity of the data. If data available to the public is not protected from unauthorized modification or deletion, then the data cannot be trusted by those accessing it. The user account associated with public access must not have access to the OS configuration information. Determine what publicly available user account is being used to access SQL Server and validate that the publicly available user account only has read access to the public data and nothing else. The OS level 'Guests' role grants connection access to the server without granting any other privileges. SQL Server configuration settings are used to grant access to the publicly available information, but this control ensures that the OS only is granted connection access to the server.
Checks: C-47570r2_chk

If SQL Server is not housing or distributing publicly available information, this finding is NA. Obtain the publicly available user account name being used to access SQL Server. Using an account with System Administrator privileges, from a command prompt, type lusrmgr.msc, and press [ENTER]. Navigate to Groups &gt;&gt; right click 'Guests' &gt;&gt; Properties &gt;&gt; 'Members:' The publicly available user account will be in the OS 'Guests' group, or another explicitly defined group. Determine if the obtained publicly available user account is located in any other groups. In lusrmgr.msc, navigate to Users. Right click publicly available account name. Click Properties, then click the 'Member of' tab. If the publicly available user account is found in any group 'Members' listing other than 'Guests', this is a finding. In SQL, for the account that is used for public access, ensure that read-only access is the only access granted. If any other access is granted, this is a finding.

Fix: F-46197r2_fix

Using an account with System Administrator privileges, from a command prompt, type lusrmgr.msc, and press [ENTER]. Navigate to Groups. Locate the additional group(s) from which the publicly available user account must be removed. Right click <'the group to modify' >> Properties >> 'Members:' Remove the publicly available user account from the group by clicking/highlighting the account and then clicking the 'Remove' button. Revoke any update permissions for a guest being used in the context of a guest account.

b
SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized Securables access.
SC-14 - Medium - CCI-001149 - V-40916 - SV-53270r1_rule
RMF Control
SC-14
Severity
M
CCI
CCI-001149
Version
SQL2-00-020000
Vuln IDs
  • V-40916
Rule IDs
  • SV-53270r1_rule
The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of other security controls. SQL Server must be configured to contain publicly available information. Though not concerned with confidentiality, SQL Server must maintain the integrity of the data. If data available to the public is not protected from unauthorized modification or deletion, then the data cannot be trusted by those accessing it. A publicly available user account must not have access to the OS or SQL Server configuration information, including read access to schema information. Determine what publicly available user account is being used to access SQL Server and validate that the publicly available user account only has read access to the public data and nothing else. This read-only access does not include SQL Server 'Securables' assignments. SQL Server 'Securables' assignments grant the assignee privileges that are beyond read access to data. No public user account must have SQL Server 'Securables' privileges. Any assigned 'Securables' privileges to the public user account must be removed. Likely the only 'Server roles' assignment for the publicly available user account would be 'public'. The only other 'Server roles' that could be authorized as read-only is a user-defined 'Server role'. It is more likely that read-only access is set up at the user database instance in role(s) specifically set up for this purpose. Assignment to the user database instances are made in the 'User Mapping' highlight within a user's properties.
Checks: C-47571r2_chk

If SQL Server is not housing or distributing publicly available information, this finding is NA. Obtain from the DBA or system documentation the list of publicly available data within SQL Server. Obtain the publicly available user account(s) being used to access SQL Server. Determine if SQL Server is granting more than read access to the publicly available information through SQL Server 'Securables'. Navigate to SQL Server Management Studio &gt;&gt; Object Explorer &gt;&gt; &lt;'SQL Server name'&gt; &gt;&gt; Security &gt;&gt; Logins &gt;&gt; right click &lt;'user account'&gt; &gt;&gt; Properties &gt;&gt; Securables. If any 'Securables' are listed, this is a finding.

Fix: F-46198r2_fix

Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> Securables >> highlight 'Securable Name'. Uncheck all 'Grant', 'With Grant', and 'Deny' for the highlighted 'Securable'.

c
SQL Servers data files containing sensitive information must be encrypted.
SC-13 - High - CCI-001144 - V-40917 - SV-53271r1_rule
RMF Control
SC-13
Severity
H
CCI
CCI-001144
Version
SQL2-00-019600
Vuln IDs
  • V-40917
Rule IDs
  • SV-53271r1_rule
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Data files that are not encrypted are vulnerable to theft. When data files are not encrypted they can be copied and opened on a separate system. The data can be compromised without the information owner's knowledge that the theft has even taken place.
Checks: C-47572r2_chk

Review the system documentation to determine whether the database handles classified information. If no classified information is contained in SQL Server then the Category Code 2 is a finding. Review the system documentation to discover sensitive or classified data identified by the Information Owner that requires encryption. Have the DBA use select statements in the database to review sensitive data stored in tables as identified in the system documentation. Note: All encrypted data should be human unreadable by unauthorized users. If any data identified as sensitive is not encrypted within any database, this is a finding.

Fix: F-46199r1_fix

Configure SQL Server to encrypt sensitive or classified data stored in each database. Use only NIST-certified or NSA-approved cryptography to provide encryption.

b
SQL Server must employ NSA-approved cryptography to protect classified information.
SC-13 - Medium - CCI-001146 - V-40918 - SV-53272r1_rule
RMF Control
SC-13
Severity
M
CCI
CCI-001146
Version
SQL2-00-019800
Vuln IDs
  • V-40918
Rule IDs
  • SV-53272r1_rule
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: “Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA approved algorithms are used to protect systems requiring the most stringent protection mechanisms.” NSA-approved cryptography is required to be used for classified information system processing.
Checks: C-47573r2_chk

Review system documentation to determine whether cryptography for classified or sensitive information is required by the information owner. If the system documentation does not specify the type of information hosted on SQL Server: classified, sensitive and/or unclassified, this is a finding. If neither classified nor sensitive information exist within SQL Server databases or configuration, this requirement is NA. Note: If the SQL Server is compliant nothing is displayed. If cryptography is being used by SQL Server examine evidence that an audit record is created whenever the asymmetric key is accessed by other than authorized users. In particular, view evidence that access by a SYSADMIN or other system privileged account results in the generation of an audit record. This is required because system privileges allow access to encryption keys and can use them to access sensitive data where they do not have a need-to-know. Note: The list of acceptable algorithms: "AES 128", "AES 192", "AES 256" and "Triple DES". If cryptography is being used by SQL Server, verify that the cryptography is NIST FIPS 140-2 certified by running the following SQL query: EXEC sp_MSforeachdb ' DECLARE @nCount integer SELECT @nCount = Count(*) FROM ?.sys.symmetric_keys WHERE key_algorithm NOT IN (''D3'',''A1'',''A2'',''A3'') IF @nCount &gt; 0 SELECT ''?'' AS ''database ?'' , name , algorithm_desc FROM ?.sys.symmetric_keys WHERE key_algorithm NOT IN (''D3'',''A1'',''A2'',''A3'') ORDER BY name, algorithm_desc If any items list showing an uncertified NIST FIPS 140-2 algorithm type, this is a finding. If an audit record is not generated for unauthorized access to the asymmetric key, this is a finding. Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following website: http://csrc.nist.gov/groups/STM/cmvp/index.html.

Fix: F-46200r2_fix

Document within the system documentation the type of information hosted on SQL Server: classified, sensitive, and/or unclassified. Obtain and utilize native or third-party NIST-validated FIPS 140-2 compliant cryptography solution on SQL Server. Configure cryptographic functions to use FIPS 140-2 compliant algorithms functions. Use DoD code-signing certificates to create asymmetric keys stored in the database and used to encrypt sensitive data stored in the database. Run the following SQL script to create a certificate: USE <'database name'> CREATE CERTIFICATE <'certificate name'> ENCRYPTION BY PASSWORD = '<'password'>' FROM FILE = <'path/file_name'> WITH SUBJECT = 'name of person creating key', EXPIRY_DATE = '<'expiration date: yyyymmdd'>' Run the following SQL script to create a symmetric key and assign an existing certificate: USE <'database name'> CREATE SYMMETRIC KEY <'key name'> WITH ALGORITHM = AES_256 ENCRYPTION BY <'certificate name'> Assign the application object owner account as the owner of the asymmetric key. Create audit events for access to the key by other than the application owner account or approved application objects. Revoke any privileges assigned to the asymmetric key to other than the application object owner account and authorized users. Protect the private key by encrypting it with the database or service master key.

b
SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
IA-8 - Medium - CCI-000804 - V-40919 - SV-53273r1_rule
RMF Control
IA-8
Severity
M
CCI
CCI-000804
Version
SQL2-00-018900
Vuln IDs
  • V-40919
Rule IDs
  • SV-53273r1_rule
Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Non-organizational users shall be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server. Accordingly, a risk assessment is used in determining the authentication needs of the organization. Scalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational operations, organizational assets, individuals, and other organizations.
Checks: C-47574r2_chk

Review SQL Server settings to determine if non-organizational users are identified and authenticated when logging onto the system. This may be accomplished by something within the userid. In this case, the requirement is partially fulfilled by the operating system. In any case, the user must be individually identified with SQL Server via a mapping to an individual account and not mapping to a group account. If non-organizational users are not uniquely identified and authenticated, this is a finding.

Fix: F-46201r2_fix

Configure SQL Server to uniquely identify and authenticate all non-organizational users who log onto the system. This likely would be done via a combination of the operating system with unique accounts and the SQL Server by ensuring mapping to individual accounts.

b
SQL Server default account sa must have its password changed.
IA-5 - Medium - CCI-000199 - V-40920 - SV-53274r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000199
Version
SQL2-00-018800
Vuln IDs
  • V-40920
Rule IDs
  • SV-53274r1_rule
SQL Server's default 'sa' account has special privileges required to administer SQL Server. The default 'sa' account is a well-known SQL Server administrator account and is likely to be targeted by attackers and thus more prone to providing unauthorized access to the database. This 'sa' default account is administrative in nature and could lead to catastrophic consequences including the complete loss of control over SQL Server, not to mention a compromise of user data. If the 'sa' default account's password is not changed an attacker might be able to gain access through the account.
Checks: C-47575r2_chk

Check SQL Server settings to determine if the 'sa' (sysadmin) account has had its password changed by running the following script: USE MASTER GO DECLARE @User_id varchar(60) SET @User_id = '&lt;'system administrator id'&gt;' SELECT name AS 'Account' , LOGINPROPERTY(name, 'PasswordLastSetTime') AS 'Time of Last Password Change' FROM sys.sql_logins WHERE @User_id = name If SQL Server default 'sa' account has not had its password changed since installation, this is a finding. Note: If the 'sa' account name has been changed per SQL2-00-010200, replace 'sa' in the query above with the renamed 'sa' account.

Fix: F-46202r2_fix

Modify SQL Server 'sa' (sysadmin) default account password by running the following script: USE master GO ALTER LOGIN [<'system administrator id'>] WITH PASSWORD = N'<'new password'>'

b
SQL Server must enforce password encryption for transmission.
IA-5 - Medium - CCI-000197 - V-40921 - SV-53275r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000197
Version
SQL2-00-018700
Vuln IDs
  • V-40921
Rule IDs
  • SV-53275r1_rule
Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission. DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.
Checks: C-47576r2_chk

From a command prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager &gt;&gt; SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab. If it is not a DoD certificate, this is a finding.

Fix: F-46203r2_fix

Configure SQL Server to encrypt authentication data for remote connections using organization-defined encryption. Deploy encryption to the SQL Server Network Connections. From a command prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, set Force Encryption to YES, and provide DoD certificate on the Certificate tab.

b
SQL Server must enforce password encryption for storage.
IA-5 - Medium - CCI-000196 - V-40922 - SV-53276r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000196
Version
SQL2-00-018600
Vuln IDs
  • V-40922
Rule IDs
  • SV-53276r1_rule
SQL Server must enforce password encryption when storing passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. Passwords stored in clear text are vulnerable to unauthorized disclosure. Database passwords should always be encoded or encrypted when stored internally or externally to SQL Server.
Checks: C-47577r2_chk

Since Windows security is being leveraged, this check applies to database configuration files, associated scripts, and applications external to SQL Server that access the database. Ask the DBA and/or IAO to determine if any SQL Server database objects, database configuration files, associated scripts, or applications defined as external to SQL Server that access the database/user environment files/settings contain database passwords. If any do, confirm that SQL Server passwords stored externally to the SQL Server are encoded or encrypted. If any passwords are stored in clear text, this is a finding.

Fix: F-46204r2_fix

Develop, document, and maintain a list of SQL Server database objects, database configuration files, associated scripts, and applications defined within or external to SQL Server that access the database/user environment files/settings in the System Security Plan. Record whether they do or do not contain SQL Server passwords. If passwords are present, ensure they are encrypted.

b
SQL Server must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
IA-2 - Medium - CCI-000770 - V-40923 - SV-53277r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000770
Version
SQL2-00-018500
Vuln IDs
  • V-40923
Rule IDs
  • SV-53277r1_rule
To ensure individual accountability and prevent unauthorized access, application users (and any processes acting on behalf of users) must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. An example of a group authenticator is the UNIX OS 'root' user account, a Windows 'administrator' account, an 'sa' account, or a 'helpdesk' account.
Checks: C-47578r2_chk

Review SQL Server users to determine whether group accounts exist. Select uid, name, roles from sys.sysusers where uid &gt; 16000 and name not in ('db_owner', 'db_accessadmin', 'db_securityadmin', 'db_ddladmin', 'db_backupoperator', 'db_datareader', 'db_datawriter', 'db_denydatareader','db_denydatawriter') If accounts returned are determined to be group accounts, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the group account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding.

Fix: F-46205r3_fix

Configure SQL Server settings to require individual authentication prior to authentication for group account access. Review SQL Server users to determine whether group accounts exist. Select uid, name, roles from sys.sysusers where uid > 16000 and name not in ('db_owner', 'db_accessadmin', 'db_securityadmin', 'db_ddladmin', 'db_backupoperator', 'db_datareader', 'db_datawriter', 'db_denydatareader', 'db_denydatawriter');Remove group accounts and use individual userids.

b
SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
IA-2 - Medium - CCI-000764 - V-40924 - SV-53278r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000764
Version
SQL2-00-018400
Vuln IDs
  • V-40924
Rule IDs
  • SV-53278r1_rule
To ensure accountability and prevent unauthorized SQL Server access, organizational users shall be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on SQL Server without identification or authentication.
Checks: C-47579r2_chk

Review SQL Server settings to determine whether organizational users are uniquely identified and authenticated when logging onto the system. This does not include when SQL Server has a guest or public account that is providing access to publicly available information. Since SQL Server requires unique user accounts, the only way to circumvent this requirement is when shared or group SQL Server user accounts are used. Check the list of SQL Server users for shared or group accounts by running the following query: SELECT name AS 'Account Name' , CASE is_disabled WHEN 1 THEN 'Yes' ELSE '' END AS 'Is Disabled' , create_date AS 'Account Create Date' , LOGINPROPERTY(name, 'PasswordLastSetTime') AS 'Password Last Set on' FROM sys.server_principals WHERE NOT TYPE IN ('C', 'R', 'U') -- ('C', 'G', 'K', 'R', 'S', 'U') AND NOT name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##') AND sid &lt;&gt; CONVERT(VARBINARY(85), 0x01) -- no 'sa' account ORDER BY name If any SQL Server user accounts are identified as shared or group accounts, this is a finding.

Fix: F-46206r1_fix

Remove shared or group accounts by running the following script: DROP LOGIN <'account name'> -- Removes user from system

b
SQL Server software libraries must be periodically backed up.
CP-9 - Medium - CCI-000537 - V-40925 - SV-53279r1_rule
RMF Control
CP-9
Severity
M
CCI
CCI-000537
Version
SQL2-00-018300
Vuln IDs
  • V-40925
Rule IDs
  • SV-53279r1_rule
SQL Server backups are a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software, and licenses. Backups shall be consistent with organization-defined recovery time and recovery point objectives. SQL Server depends upon the availability and integrity of its software libraries. Without backups, compromise or loss of the software libraries can prevent a successful recovery of SQL Server operations. A mixture of full and incremental server-level backups by a third-party tool that backs up those software library directories would satisfy this requirement.
Checks: C-47580r1_chk

Review evidence of inclusion of SQL Server software libraries in current backup records. If the backup tool does not include SQL Server, this is a finding.

Fix: F-46207r1_fix

Ensure inclusion of all SQL Server software libraries into the backup process.

b
SQL Server backups of system-level information per organization-defined frequency must be performed that is consistent with recovery time and recovery point objectives.
CP-9 - Medium - CCI-000537 - V-40926 - SV-53280r1_rule
RMF Control
CP-9
Severity
M
CCI
CCI-000537
Version
SQL2-00-018200
Vuln IDs
  • V-40926
Rule IDs
  • SV-53280r1_rule
SQL Server backups are a critical step in maintaining data assurance and availability. System-level information includes: system-state information, operating system and application software, and licenses. Backups shall be consistent with organizationally defined recovery time and recovery point objectives. SQL Server depends upon the availability and integrity of its system-level information. Without backups, compromise or loss of system-level information can prevent a successful recovery of SQL Server operations. If SQL Server system-level information is not backed up regularly this risks the loss of SQL Server data in the event of a system failure. A mixture of full and incrementally server level backups that backup the system-level information would satisfy this requirement.
Checks: C-47581r2_chk

Windows Server Backup, or a 3rd Party Backup Tool, can be utilized to perform this function. Determine how SQL Server is being backed up. If there is no scheduled backup or if organizationally defined backup policy and procedures does not exist, this is finding. Check evidence of inclusion of system-level information into current backup records, if the organizationally defined backup policy, procedures, and backup configurations is not including system-level information backups, this is a finding.

Fix: F-46208r1_fix

Deploy a backup solution to perform backups as per organizationally defined Backup Policy.

b
SQL Server backup and restoration files must be protected from unauthorized access.
CP-9 - Medium - CCI-000535 - V-40927 - SV-53281r1_rule
RMF Control
CP-9
Severity
M
CCI
CCI-000535
Version
SQL2-00-018100
Vuln IDs
  • V-40927
Rule IDs
  • SV-53281r1_rule
SQL Server backups are a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system failure, DoD organizations are required to ensure user generated data is backed up at a defined frequency. This includes data stored on file systems, within databases or within any other storage media. Applications performing backups must be capable of backing up user-level information per the DoD-defined frequency. Lost or compromised SQL Server backup or restoration files may lead to not only the loss of data, but also the unauthorized access to sensitive data. SQL Server can maintain local copies of critical control files to provide transparent or easy recovery from hard disk loss or other interruptions to database operation. Backup files, both local to the SQL Server machine and not local to the machine, need the same protections against unauthorized access when stored on backup media as when online and actively in use by the database system. In addition, the backup media needs to be protected against physical loss.
Checks: C-47582r2_chk

Obtain authorized access list for backup and restoration procedures from system documentation. If documented procedures are insufficient to show or describe authorized personnel, this is a finding. Review file protections assigned to online backup and restoration files. Review access protections and procedures for offline backup and restoration files. If backup or restoration files are subject to unauthorized access, this is a finding. It may be necessary to review backup and restoration procedures to determine ownership and access during all phases of backup and recovery. In addition to physical and host system protections, consider other methods including encryption protection of the files.

Fix: F-46209r1_fix

Develop, document, and implement protection against unauthorized access of backup and restoration files. Document personnel and the level of access authorized for each to the backup and restoration files in the system documentation.

b
SQL Server recovery procedures that are documented must be implemented and periodically tested.
CP-9 - Medium - CCI-000535 - V-40928 - SV-53282r1_rule
RMF Control
CP-9
Severity
M
CCI
CCI-000535
Version
SQL2-00-017900
Vuln IDs
  • V-40928
Rule IDs
  • SV-53282r1_rule
SQL Server backups are a critical step in maintaining data assurance and availability. User-level information is data generated by the information system and/or application users. In order to assure availability of this data in the event of a system failure, DoD organizations are required to ensure user-generated data is backed up at a defined frequency. This includes data stored on file systems, within SQL Server or within any other storage media. Applications performing backups must be capable of backing up user-level information per the DoD-defined frequency. Problems with backup procedures or backup media may not be discovered until after a recovery is needed. Testing and verification of procedures provides the opportunity to discover oversights, conflicts, or other issues in the backup procedures or use of media designed to be used. Part of an overall backup and recovery methodology includes regular recovery testing. This is very important and helps to expose any issue in the recovery process (e.g., hardware, procedures, etc.).
Checks: C-47583r2_chk

Review SQL Server's documented testing and recovery procedures that exist in the system documentation. If the testing or recovery procedures are not documented in the system documentation, this is a finding. If the documented testing or recovery procedures are not sufficient to test or recover SQL Server configuration and databases, this is a finding. Review evidence of implementation of testing and verification procedures by reviewing logs from backup and recovery implementation. Logs may be in electronic form or hardcopy, and may include email or other notification. If the system recovery testing has not been implemented and documented, this is a finding.

Fix: F-46210r2_fix

Develop or update recovery procedures and add the new recovery procedures to the system documentation. Plan for and test system recovery procedures and document the test.

b
SQL Server backup procedures must be defined, documented, and implemented.
CP-9 - Medium - CCI-000535 - V-40929 - SV-53283r1_rule
RMF Control
CP-9
Severity
M
CCI
CCI-000535
Version
SQL2-00-017800
Vuln IDs
  • V-40929
Rule IDs
  • SV-53283r1_rule
SQL Server backup is a critical step in maintaining data assurance and availability. User-level information is data generated by the information system and/or application users. In order to assure availability of this data in the event of a system failure, DoD organizations are required to ensure user-generated data is backed up at a defined frequency. This includes data stored on file systems, within SQL Server or within any other storage media. Applications performing backups must be configured to back up user-level information per the DoD-defined frequency. SQL Server Database backups provide the required means to restore databases after compromise or loss. Backups help reduce the vulnerability to unauthorized access or hardware loss.
Checks: C-47584r2_chk

Review the database backup procedures and implementation evidence. Evidence of implementation includes records of backup events and physical review of backup media. Evidence should match the backup plan as recorded in the system documentation. If backup procedures do not exist or are not implemented in accordance with the procedures, this is a finding.

Fix: F-46211r1_fix

Develop, document, and implement database backup procedures.

b
SQL Server user-level information must be backed up based on a defined frequency.
CP-9 - Medium - CCI-000535 - V-40930 - SV-53284r1_rule
RMF Control
CP-9
Severity
M
CCI
CCI-000535
Version
SQL2-00-017700
Vuln IDs
  • V-40930
Rule IDs
  • SV-53284r1_rule
SQL Server backups are a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system failure, DoD organizations are required to ensure user generated data is backed up at a defined frequency. This includes data stored on file systems, within SQL Server or within any other storage media. Applications performing backups must be capable of backing up user-level information per the DoD defined frequency. Databases that do not backup information regularly risk the loss of that information in the event of a system failure.
Checks: C-47585r2_chk

Windows Server Backup, or a 3rd Party Backup Tool, can be utilized to perform this function. Determine how SQL Server is being backed up. If there is no scheduled backup or if organizationally defined backup policy and procedures does not exist, this is finding. Check evidence of inclusion user-level information into current backup records, if the organizationally defined backup policy, procedures, and backup configurations is not including user-level information backups, this is a finding.

Fix: F-46212r2_fix

Deploy a backup solution to perform backups as per organizationally defined Backup Policy.

b
SQL Server must have transaction logging enabled.
CP-10 - Medium - CCI-000553 - V-40931 - SV-53285r1_rule
RMF Control
CP-10
Severity
M
CCI
CCI-000553
Version
SQL2-00-017600
Vuln IDs
  • V-40931
Rule IDs
  • SV-53285r1_rule
Application recovery and reconstitution constitutes executing an information system contingency plan that is comprised of activities that restore essential missions and business functions. SQL Server is an example of an information system that is transaction-based. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. This allows the database to recover data content to a point where the data content and its relationships are known to be intact. This data integrity is maintained when the data is undergoing a change or update event. SQL Server enables transaction rollback or recovery by default and as an automatic feature of database recovery.
Checks: C-47586r2_chk

Check the transaction log files of databases to ensure it is "ONLINE" by running the following SQL Server query: Select * FROM sys.database_files WHERE type_desc = 'LOG' AND state_desc = 'online' If the system transaction log file are not "ONLINE" (enabled), this is a finding.

Fix: F-46213r2_fix

Enable SQL Server's transaction journaling. Modify system log file: Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Databases >> System Databases >> right click on <'system database name'> >> Properties >> Files. Modify user-defined log file: Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Databases >> right click on <'user-defined database name'> >> Properties >> Files. Add database transaction log file if one does not exist.

c
SQL Server must recover to a known state that is verifiable.
CP-10 - High - CCI-000553 - V-40932 - SV-53286r1_rule
RMF Control
CP-10
Severity
H
CCI
CCI-000553
Version
SQL2-00-017500
Vuln IDs
  • V-40932
Rule IDs
  • SV-53286r1_rule
Application recovery and reconstitution constitutes executing an information system contingency plan comprised of activities that restore essential missions and business functions. SQL Server utilizes transaction-based processing and is a good example of information systems that are transaction-based. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. SQL Server may be vulnerable to use of compromised data or other critical files during recovery. Use of compromised files could introduce maliciously altered application code, relaxed security settings, or loss of data integrity. SQL Server mechanisms must be configured to protect all files that could compromise the system or its data during a SQL Server recovery.
Checks: C-47587r2_chk

Obtain the SQL Server recovery procedures and technical system features to determine if mechanisms exist and are in place to specify use of trusted files during SQL Server recovery. If recovery procedures do not exist or are not sufficient to ensure recovery is done in a secure and verifiable manner, this is a finding. Check the configurations of all transaction log files that are enabled by running the following SQL Server query: EXEC sp_MSforeachdb ' SELECT ''?'' AS ''database name'' , name AS ''log file name'' , physical_name AS ''log file location and name'' , state_desc , size , max_size , growth , is_percent_growth FROM ?.sys.database_files WHERE type_desc = ''LOG'' AND state = 0 ' If any transaction log files are not configured correctly for size, max_size, and growth to log sufficient transaction information, this is a finding.

Fix: F-46214r2_fix

Modify system log file: Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Databases >> System Databases >> right click on <'system database name'> >> Properties >> Files. OR Modify user-defined log file: Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Databases >> right click on <'user-defined database name'> >> Properties >> Files. THEN Add database transaction log file if one does not exist. To modify Initial Size (MB) click on "Initial Size (MB)" then edit value. To modify Autogrowth click on the "Autogrowth / Maxsize" button that is in Log record, choose "In Percent" or "In Megabytes", enter value, and then click OK. To modify Maximum File Size click on the "Autogrowth/Maxsize" button that is in Log record, choose "Limited to (MB)" or "Unlimited", enter value, and then click OK.

b
SQL Server must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
CM-7 - Medium - CCI-000382 - V-40933 - SV-53287r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
SQL2-00-017400
Vuln IDs
  • V-40933
Rule IDs
  • SV-53287r1_rule
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from a single component of an information system (e.g., email and web services) but doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. Database Management Systems using ports, protocols, and services deemed unsafe are open to attack through those ports, protocols, and services. This can allow unauthorized access to the database and, through the database, to other components of the information system.
Checks: C-47588r2_chk

Review the SQL Server configuration and settings for functions, ports, protocols, and services that are not approved or are not used, but are available. If a ports, protocols, and/or services that are not approved or are not used, are available, this is a finding.

Fix: F-46215r1_fix

Disable functions, ports, protocols, and services that are not approved or are not used, but are enabled.

b
SQL Server must specifically prohibit or restrict the use of unauthorized functions and services in each instance.
CM-7 - Medium - CCI-000382 - V-40934 - SV-53288r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
SQL2-00-017300
Vuln IDs
  • V-40934
Rule IDs
  • SV-53288r1_rule
SQL Server is capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from a single component of an information system (e.g., email and web services), but doing so increases risk over limiting the services provided by any one component.
Checks: C-47589r2_chk

Review the list of user-defined Stored Procedures and Functions by running the following SQL query: EXEC sp_MSforeachdb ' DECLARE @nCount integer SELECT @nCount = Count(*) FROM ?.sys.objects WHERE type in (''FN'', ''P'') AND is_ms_shipped &lt;&gt; 1 IF @nCount &gt; 0 SELECT ''?'' AS ''Table Name'', * FROM ?.sys.objects WHERE type in (''FN'', ''P'') AND is_ms_shipped &lt;&gt; 1 ' If any user-defined Stored Procedures and Functions are unauthorized and therefore should be prohibited or restricted and are not, this is a finding.

Fix: F-46216r2_fix

To remove a function from SQL Server, run the following SQL Script: DROP FUNCTION <'function name'> To remove a Stored Procedure from SQL Server, run the following SQL Script: DROP PROCEDURE <'stored procedure name'> If the user-defined Stored Procedures and Functions need to remain available, but access needs to be more restricted, then the user-defined Stored Procedures and Functions should be moved to a separate schema or database that has more restrictive access.

b
Access to xp_cmdshell must be disabled.
CM-7 - Medium - CCI-000381 - V-40935 - SV-53289r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
SQL2-00-017200
Vuln IDs
  • V-40935
Rule IDs
  • SV-53289r1_rule
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements; or providing a wide array of functionality not required for every mission, but which cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities. DBMSs may spawn additional external processes to execute procedures that are defined in the DBMS, but stored in external host files (external procedures). The spawned process used to execute the external procedure may operate within a different OS security context than the DBMS and provide unauthorized access to the host system. The xp_cmdshell extended stored procedure allows execution of host executables outside the controls of database access permissions. This access may be exploited by malicious users who have compromised the integrity of the SQL Server database process to control the host operating system to perpetrate additional malicious activity.
Checks: C-47590r2_chk

To determine if xp_cmdshell is enabled, execute the following commands: EXEC SP_CONFIGURE 'show advanced option', '1'; RECONFIGURE WITH OVERRIDE; EXEC SP_CONFIGURE 'xp_cmdshell'; If the value of config_value is 1, this is a finding.

Fix: F-46217r2_fix

To disable the use of xp_cmdshell, from the query prompt: EXEC sp_configure 'show advanced options', 1 GO RECONFIGURE GO EXEC sp_configure 'xp_cmdshell', 0 GO RECONFIGURE GO

b
SQL Server default account sa must be disabled.
CM-7 - Medium - CCI-000381 - V-40936 - SV-53290r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
SQL2-00-017100
Vuln IDs
  • V-40936
Rule IDs
  • SV-53290r1_rule
SQL Server's 'sa' account has special privileges required to administer the database. The 'sa' account is a well-known SQL Server account and is likely to be targeted by attackers and thus more prone to providing unauthorized access to the database. This 'sa' default account is administrative and could lead to catastrophic consequences including the complete loss of control over SQL Server. If the 'sa' default account is not disabled an attacker might be able to gain access through the account. SQL Server by default, at installation, disables the 'sa' account. Some applications that run on SQL Server require the 'sa' account to be enable in order for the application to function properly. These applications that require the 'sa' account to be enabled are usually legacy systems.
Checks: C-47591r2_chk

Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query: USE MASTER GO Select * from sys.sql_logins where name = 'sa' If the "is-disabled" column is not set to 1, this is a finding. Note: If the 'sa' account name has been changed per SQL2-00-010200, replace 'sa' in the query above with the renamed 'sa' account.

Fix: F-46218r2_fix

Modify the enabled flag of SQL Server's 'sa' (sysadmin) account by running the following script: USE master GO ALTER LOGIN [sa] DISABLE

b
Unused database components which are integrated in SQL Server and cannot be uninstalled must be disabled.
CM-7 - Medium - CCI-000381 - V-40937 - SV-53291r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
SQL2-00-017000
Vuln IDs
  • V-40937
Rule IDs
  • SV-53291r1_rule
SQL Server is capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software demonstrations, or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors to SQL Server by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. Components of the system that are unused and cannot be uninstalled must be disabled.
Checks: C-47592r3_chk

Review the list of components or optional features installed on SQL Server. If no optional features or components of SQL Server are used, or installed and enabled, this is not a finding. If optional components or features of SQL Server are installed, then review the system documentation to verify that optional components or features are documented and authorized. If any are not documented and authorized, this is a finding.

Fix: F-46219r2_fix

If any components or features of SQL Server are required for operation of applications that will be accessing SQL Server data or configuration, include them in the system documentation. If any unused components or features of SQL Server are installed and cannot be uninstalled or removed, then disable those components or features.

b
SQL Server must have the SQL Server Analysis Service (SSAS) software component removed from SQL Server if SSAS is unused.
CM-7 - Medium - CCI-000381 - V-40938 - SV-53292r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
SQL2-00-016800
Vuln IDs
  • V-40938
Rule IDs
  • SV-53292r1_rule
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software demonstrations or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, yet cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors to SQL Server by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. SQL Server must have the SQL Server Analysis Service (SSAS) software component removed from SQL Server if SSAS is unused.
Checks: C-47593r2_chk

If the SQL Server service "SQL Server Analysis Services (MSSQLSERVER)" is used and the service satisfies functional organizational requirement, this is not a finding. If there is no functional organizational requirement for the "SQL Server Analysis Services (MSSQLSERVER)" service make sure that the service is not installed or is disabled. From command prompt, using an account with System Administrator Privilege, open dcomcnfg. Navigate to Console Root &gt;&gt; Services (Local) &gt;&gt; [sort by name] &gt;&gt; locate: "SQL Server Analysis Services (MSSQLSERVER)". If the "SQL Server Analysis Services (MSSQLSERVER)" service does not exist, this is not a finding. If the "SQL Server Analysis Services (MSSQLSERVER)" status is "Started" or the "Startup Type" is not "Disabled", this is a finding.

Fix: F-46220r1_fix

Remove the SQL Server Analysis Service (SSAS) software component.

b
SQL Server must have the SQL Server Integrated Services (SSIS) software component removed from SQL Server if SSIS is unused.
CM-7 - Medium - CCI-000381 - V-40939 - SV-53293r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
SQL2-00-016700
Vuln IDs
  • V-40939
Rule IDs
  • SV-53293r1_rule
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software demonstrations or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, yet cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors to SQL Server by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. SQL Server must have the SQL Server Integrated Services (SSIS) software component removed from SQL Server if SSIS is unused.
Checks: C-47594r2_chk

If the SQL Server service "SQL Server Integration Services 11.0" is used and the service satisfies functional organizational requirement, this is not a finding. If there is no functional organizational requirement for the "SQL Server Integration Services 11.0" service make sure that the service is not installed or is disabled. From command prompt, using an account with System Administrator Privilege, open dcomcnfg. Navigate to Console Root &gt;&gt; Services (Local) &gt;&gt; [sort by name] &gt;&gt; locate: "SQL Server Integration Services 11.0". If the "SQL Server Integration Services 11.0" service does not exist, this is not a finding. If the "SQL Server Integration Services 11.0" status is "Started" or the "Startup Type" is not "Disabled", this is a finding.

Fix: F-46221r1_fix

Remove the SQL Server Integrated Services (SSIS) software component.

b
SQL Server must have the SQL Server Reporting Service (SSRS) software component removed from SQL Server if SSRS is unused.
CM-7 - Medium - CCI-000381 - V-40940 - SV-53294r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
SQL2-00-016600
Vuln IDs
  • V-40940
Rule IDs
  • SV-53294r1_rule
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software demonstrations or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, yet cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors to SQL Server by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. SQL Server must have the SQL Server Reporting Service (SSRS) software component removed from SQL Server if SSRS is unused.
Checks: C-47595r2_chk

If there is no functional organizational requirement for the "SQL Server Reporting Services (MSSQLSERVER)" service, make sure that the service is not installed or that the service is disabled. If the SQL Server service "SQL Server Reporting Services (MSSQLSERVER)" is used and the service satisfies functional organizational requirement, this is not a finding. From command prompt, using an account with System Administrator Privilege, open dcomcnfg. Navigate to Console Root &gt;&gt; Services (Local) &gt;&gt; [sort by name] &gt;&gt; locate: "SQL Server Reporting Services (MSSQLSERVER)". If the "SQL Server Reporting Services (MSSQLSERVER)" service does not exist, this is not a finding. If the "SQL Server Reporting Services (MSSQLSERVER)" status is "Started" or the "Startup Type" is not set to "Disabled", this is a finding.

Fix: F-46222r1_fix

Remove the SSRS from SQL Server.

c
SQL Server must have the SQL Server Data Tools (SSDT) software component removed from SQL Server if SSDT is unused.
CM-7 - High - CCI-000381 - V-40941 - SV-53295r1_rule
RMF Control
CM-7
Severity
H
CCI
CCI-000381
Version
SQL2-00-016500
Vuln IDs
  • V-40941
Rule IDs
  • SV-53295r1_rule
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, yet cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. SQL Server must have the SQL Server Data Tools (SSDT) software component removed from SQL Server if SSDT is unused.
Checks: C-47596r2_chk

Review the list of components and features installed with the database. Using an account with System Administrator privileges, from Command Prompt, open control.exe. Navigate to Programs and Features. Check for the following entries in the 'Uninstall or change a program' window. Microsoft SQL Server Data Tools - Database Projects - Web installer entry point Prerequisites for SSDT If SQL Server Data Tools is not documented as a server requirement, and these entries exist, this is a finding.

Fix: F-46223r2_fix

Document the requirement for SQL Server Data Tools to reside on this server. If it is not required, using an account with System Administrator privileges, from Command Prompt, open control.exe. Navigate to Programs and Features. Remove the following entries in the 'Uninstall or change a program' window. Microsoft SQL Server Data Tools - Database Projects - Web installer entry point Prerequisites for SSDT

b
SQL Server must have the publicly available AdventureWorks sample database removed.
CM-7 - Medium - CCI-000381 - V-40942 - SV-53296r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
SQL2-00-016300
Vuln IDs
  • V-40942
Rule IDs
  • SV-53296r1_rule
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements and providing a wide array of functionality not required for every mission, but which cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities. Even though the very popular "AdventureWorks" database is no longer available by default, it introduces a vulnerability to SQL Server and must be removed. Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the SQL Server and the OS.
Checks: C-47597r1_chk

Check SQL Server for the existence of the publicly available "AdventureWorks" database by performing the following query: SELECT name from sysdatabases where name like "AdventureWorks%" If the "AdventureWorks" database is present, this is a finding.

Fix: F-46224r1_fix

Remove the publicly available "AdventureWorks" database from SQL Server by running the following query: DROP DATABASE AdventureWorks

b
SQL Server must have the publicly available NorthWind sample database removed.
CM-7 - Medium - CCI-000381 - V-40943 - SV-53297r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
SQL2-00-016200
Vuln IDs
  • V-40943
Rule IDs
  • SV-53297r1_rule
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements and providing a wide array of functionality not required for every mission, but which cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities. Even though the very popular "NorthWind" database is no longer available by default, it introduces a vulnerability to SQL Server and must be removed. Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the SQL Server and the OS.
Checks: C-47598r1_chk

Check SQL Server for the existence of the publicly available "NorthWind" database by performing the following query: SELECT name from sysdatabases where name like "Northwind%" If the "Northwind" database is present, this is a finding.

Fix: F-46225r1_fix

Remove the publicly available "Northwind" database from SQL Server by running the following query: DROP DATABASE Northwind

b
The OS must limit privileges to change SQL Server software resident within software libraries (including privileged programs).
CM-5 - Medium - CCI-001499 - V-40944 - SV-53298r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SQL2-00-015800
Vuln IDs
  • V-40944
Rule IDs
  • SV-53298r1_rule
When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. If the application were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement is contingent upon the language in which the application is programmed, as many application architectures in use today incorporate their software libraries into, and make them inseparable from, their compiled distributions, rendering them static and version dependant. However, this requirement does apply to applications with software libraries accessible and configurable, as in the case of interpreted languages. Accordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration. This may in turn jeopardize data stored in the DBMS and/or operation of the host system.
Checks: C-47599r2_chk

Obtain the SQL Server software library installation directory location. From a command prompt, type regedit.exe, and press [ENTER]. Each instance will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; [INSTANCE NAME]. An [INSTANCE NAME] is listed as the data component of a key found in one of the above OLAP, RS, or SQL folders. To find the installation location of a particular instance, navigate to the following location in the Windows Registry: HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; [INSTANCE NAME] &gt;&gt; Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server instance. Navigate to that folder location using a command prompt or Windows Explorer. Verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click each folder under the installation folder, click Properties. On the Security tab, verify only the following permissions are present. ...\MSSQL\backup – SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\binn – SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) ...\MSSQL\data– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\FTData– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\Install– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) ...\MSSQL\Log– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\Repldata– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) 110\shared– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) If additional permissions are present, this is a finding.

Fix: F-46226r2_fix

Navigate to the SQL Server software library directory folder location. Right click the file/folder, click Properties On the Security tab, modify the security permissions, verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click each folder under the installation folder, click Properties. On the Security tab, verify only the following permissions are present. …\MSSQL\backup – SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\binn – SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) …\MSSQL\data– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\FTData– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\Install– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) …\MSSQL\Log– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\Repldata– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) 110\shared– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control)

c
Vendor-supported software and patches must be evaluated and patched against newly found vulnerabilities.
CM-5 - High - CCI-001499 - V-40945 - SV-53299r1_rule
RMF Control
CM-5
Severity
H
CCI
CCI-001499
Version
SQL2-00-015700
Vuln IDs
  • V-40945
Rule IDs
  • SV-53299r1_rule
Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Any time new software code is introduced to a system there is the potential for unintended consequences. There have been documented instances where the application of a patch has caused problems with system integrity or availability. Due to information system integrity and availability concerns, organizations must give careful consideration to the methodology used to carry out automatic updates. If SQL Server were no longer supported, no patches from Microsoft would address newly discovered security vulnerabilities. Unpatched software is vulnerable to attack.
Checks: C-47600r2_chk

Check Microsoft's list of supported SQL Server versions http://www.microsoft.com/sqlserver/en/us/support/support-updates.aspx. To be considered supported, Microsoft must report that the version is supported by security patches to known vulnerabilities. Check SQL Server version by running the following script: print @@version If the security patch support for SQL Server cannot be determined or SQL Server version is not shown as supported, this is a finding. If SQL Server does not contain the latest security patches, this is a finding.

Fix: F-46227r2_fix

Upgrade SQL Server to the Microsoft-supported version. Apply the latest SQL Server patches after evaluation of impact.

a
Database software directories, including SQL Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
CM-5 - Low - CCI-001499 - V-40946 - SV-53300r1_rule
RMF Control
CM-5
Severity
L
CCI
CCI-001499
Version
SQL2-00-015500
Vuln IDs
  • V-40946
Rule IDs
  • SV-53300r1_rule
When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit of one application can lead to an exploit of other applications sharing the same security context. For example, an exploit of a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directories both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to other applications’ database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.
Checks: C-47601r2_chk

Verify the SQL Server installations present on the server. From a Command Prompt, type regedit.exe, and press [ENTER]. Navigate to HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; Instance Names. Each instance installed on the server possesses a key inside a folder under this registry entry. Analysis Services Instances are registered in the OLAP subfolder. Reporting Services Instances are registered in the RS subfolder. Standard SQL Server Instances are registered in the SQL subfolder. Inside each one of these folders, a single key is used to reference an Instance's specific Windows Registry tree. Each key will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; [INSTANCE NAME]. An [INSTANCE NAME] is listed as the Data component of a key found in one of the above OLAP, RS, or SQL folders. To find the installation location of a particular instance, navigate to the following location in the Windows Registry: HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; [INSTANCE NAME] &gt;&gt; Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server Instance. Navigate to that folder location using a Command Prompt or Windows Explorer. Only applications that are required for the functioning and administration, not use, of the SQL Server should be located on the same disk directory as the SQL Server software libraries. If any files or subfolders are not part of the SQL Server installation, this is a finding. For databases located on mainframes, confirm that the database and its configuration files are isolated in their own DASD pools. If database software and database configuration files share DASD with other applications, this is a finding.

Fix: F-46228r1_fix

Separate database files (software, data) into dedicated directories.

b
SQL Server software installation account(s) must be restricted to authorized users.
CM-5 - Medium - CCI-001499 - V-40947 - SV-53301r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SQL2-00-015400
Vuln IDs
  • V-40947
Rule IDs
  • SV-53301r1_rule
When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. If the application were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement is contingent upon the language in which the application is programmed, as many application architectures in use today incorporate their software libraries into, and make them inseparable from, their compiled distributions, rendering them static and version dependant. However, this requirement does apply to applications with software libraries accessible and configurable, as in the case of interpreted languages. Accordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. DBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a greater impact on SQL Server security and operation. It is especially important to grant access to privileged accounts to only those persons who are qualified and authorized to use them.
Checks: C-47602r2_chk

Check system documentation for policy and procedures to restrict use of the SQL Server software installation account. Check OS settings to determine whether users are restricted from accessing SQL Server objects and data they are not authorized to access by checking the local OS user accounts. From a Command Prompt, open lusrmgr.msc. Navigate to Users &gt;&gt; right click individual user &gt;&gt; Properties &gt;&gt; Member Of. If appropriate access controls for all users are not implemented to restrict access to only authorized users and to restrict the access of those users to objects and data they are authorized, this is a finding. Review procedures for controlling and granting access to use of the SQL Server software installation account. If access or use of this account is not restricted to the minimum number of personnel required, or unauthorized access to this account has been granted, this is a finding.

Fix: F-46229r2_fix

From a Command Prompt, open lusrmgr.msc. Navigate to Users >> right click individual user >> Properties >> Member Of. Configure SQL Server & OS settings and access controls, to restrict user access to objects and data that the user is authorized to view or interact with. Develop, document, and implement procedures to restrict use of the DBMS software installation account.

c
Software, applications, and configuration files that are external to SQL Server must be monitored to discover unauthorized changes.
CM-5 - High - CCI-001499 - V-40948 - SV-53302r1_rule
RMF Control
CM-5
Severity
H
CCI
CCI-001499
Version
SQL2-00-015350
Vuln IDs
  • V-40948
Rule IDs
  • SV-53302r1_rule
When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of SQL Server and/or application can potentially have significant effects on the overall security of the system. Only qualified and authorized individuals shall be allowed to obtain access to SQL Server components for purposes of initiating changes, including upgrades and modifications. Unmanaged changes that occur to the SQL Server software libraries or configuration can lead to unauthorized or compromised installations.
Checks: C-47603r2_chk

Verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click the file/folder, click Properties. On the Security tab, verify only the following permissions are applied: Trusted Installer (Full Control) SYSTEM (FULL CONTROL) Administrators (FULL CONTROL) Users (READ &amp; EXECUTE, READ) Creator Owner (Special Permissions - Full control - Subfolders and files only) If any file or folder permissions are not as stated or more restrictive, this is a finding. Note: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately (such as SQLCMD), and this is considered acceptable where those permissions are required. All files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory. Verify that files and folders that are part of the SQL Server 2012 installation have auditing enabled: Right click on the file/folder, click Properties. On the Security tab, click Advanced. On the Auditing tab, verify that the following is set up on at least one audit: Type: All Principal: Everyone Access: Modify Applies to: This Folder, subfolder, and files* *where applicable If the required audit settings are not configured, there is a risk that unauthorized changes to the software will go undetected, and this is a finding. If a third-party security and data integrity tool is not used for monitoring and alerting files and folders based on cryptographic hashes, this is a finding. If the tool does not verify files/folder locations as listed in the documentation, this is a finding.

Fix: F-46230r2_fix

Include locations of all files, libraries, scripts, and executables that are considered to be part of the SQL Server installation in the documentation. Verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click the file/folder, click Properties. On the Security tab, verify only the following permissions are applied: Trusted Installer (Full Control) SYSTEM (FULL CONTROL) Administrators (FULL CONTROL) Users (READ & EXECUTE, READ) Creator Owner (Special Permissions - Full control - Subfolders and files only) Note: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately (such as SQLCMD), and this is considered acceptable where those permissions are required. All files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory. Restrict use of this to only the minimum necessary files/folders.

b
SQL Server must monitor for security-relevant configuration settings to discover unauthorized changes.
CM-5 - Medium - CCI-001499 - V-40949 - SV-53303r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SQL2-00-015300
Vuln IDs
  • V-40949
Rule IDs
  • SV-53303r1_rule
When dealing with change control issues, it should be noted, any changes to security-relevant configuration settings of SQL Server can potentially have significant effects on the overall security of the system. If SQL Server were to allow any user to make changes to configuration settings, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement is contingent upon the configuration of SQL Server's hosted application and the security-relevant configuration settings of SQL Server. Accordingly, only qualified and authorized individuals shall be allowed to obtain access to these security-relevant configuration settings for purposes of initiating changes, including upgrades and modifications. Unmanaged changes that occur to SQL Server software libraries or configuration can lead to unauthorized or compromised installations.
Checks: C-47604r2_chk

Verify within the system documentation that SQL Server is monitoring for security-relevant configuration settings to discover unauthorized changes. This can be done by a third-party tool or a SQL script that does baselining and then comparisons. If the monitoring of security-relevant configuration settings to discover unauthorized changes is not implemented on SQL Server, this is a finding.

Fix: F-46231r2_fix

Document the monitoring of security-relevant configuration settings to discover unauthorized changes within the system documentation. Document the specific users or types of security personnel that are able to monitor security-relevant configuration settings to discover unauthorized changes. Deploy and implement a third-party tool or some other SQL Server method of monitoring security-relevant configuration settings to discover unauthorized changes.

b
SQL Server must support the employment of automated mechanisms supporting the auditing of the enforcement actions.
CM-5 - Medium - CCI-000347 - V-40950 - SV-53304r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-000347
Version
SQL2-00-014700
Vuln IDs
  • V-40950
Rule IDs
  • SV-53304r1_rule
Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries. Examples of access restrictions include: physical and logical access controls, workflow automation, media libraries, abstract layers (e.g., changes are implemented into a third-party interface rather than directly into the information system component), and change windows (e.g., changes occur only during specified times, making unauthorized changes outside the window easy to discover).
Checks: C-47605r2_chk

Verify that Files and Folders that are part of the SQL Server 2012 Installation have auditing enabled. Determine audit file locations: Obtain SQL Server Audit file location(s) by Running the following SQL script: Select * from sys.traces For each audit the path column will give the location of the file. On the Security Tab, click Advanced. On the Auditing Tab, verify that the following is configured on the audits returned from previous query: Type: All Principal: Everyone Access: Modify Applies to: This Folder, subfolder, and files* If auditing is not enabled for each file location found above, this is a finding.

Fix: F-46232r2_fix

For each audit file location, select the Security Tab, click Advanced. On the Auditing Tab, verify that the following is configured on the audits returned from previous query: Type: All Principal: Everyone Access: Modify Applies to: This Folder, subfolder, and files

b
SQL Server must support the organizational requirement to employ automated mechanisms for enforcing access restrictions.
CM-5 - Medium - CCI-000346 - V-40951 - SV-53305r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-000346
Version
SQL2-00-014600
Vuln IDs
  • V-40951
Rule IDs
  • SV-53305r1_rule
When dealing with access restrictions pertaining to change control, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Only qualified and authorized individuals are allowed to obtain access to information system components for the purposes of initiating changes, upgrades, and modifications. Access restrictions for change also include application software libraries. Examples of access restrictions include: physical and logical access controls, workflow automation, media libraries, abstract layers (i.e., changes are implemented into a third-party interface rather than directly into the information system component), and change windows (i.e., changes occur only during specified times, making unauthorized changes outside the window easy to discover). Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit of one application can lead to an exploit of other applications sharing the same security context. For example, an exploit of a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directories both threatens, and is threatened by, other hosted applications. Access controls defined for one application may, by default, provide access to other applications’ database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.
Checks: C-47606r2_chk

Obtain the SQL Server software library installation directory location. From a command prompt, type regedit.exe, and press [ENTER]. Navigate to HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; Instance Names. Each instance installed on the server possesses a key inside a folder under this registry entry. Analysis Services Instances are registered in the OLAP subfolder. Reporting Services Instances are registered in the RS subfolder. Standard SQL Server Instances are registered in the SQL subfolder. Inside each one of these folders, a single key is used to reference an instance's specific Windows Registry tree. Each key will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; [INSTANCE NAME]. An [INSTANCE NAME] is listed as the data component of a key found in one of the above OLAP, RS, or SQL folders. To find the installation location of a particular instance, navigate to the following location in the Windows Registry: HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; [INSTANCE NAME] &gt;&gt; Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server Instance. Navigate to that folder location using a command prompt or Windows Explorer. Note any custom subdirectories within the SQL Server software library directory. Only applications that are required for the functioning and administration of SQL Server should be located in the same disk directory as the SQL Server software libraries. If any directories or files not installed with the SQL Server software exist within the SQL Server software library directory, this is a finding.

Fix: F-46233r2_fix

Install SQL Server software using directories separate from the OS and other application software library directories. Relocate any directories or reinstall other application software that currently shares the DBMS software library directory to separate directories. Recommend dedicating a separate partition for the SQL software libraries.

a
SQL Server must protect audit information from unauthorized deletion.
AU-9 - Low - CCI-000164 - V-40952 - SV-53306r1_rule
RMF Control
AU-9
Severity
L
CCI
CCI-000164
Version
SQL2-00-013800
Vuln IDs
  • V-40952
Rule IDs
  • SV-53306r1_rule
If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity would be impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data, and the corresponding rights the user enjoys in order to make decisions regarding the deletion of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Deletion of database audit data could mask the theft or unauthorized modification of sensitive data stored in the database.
Checks: C-47607r3_chk

Obtain the SQL Server audit file location(s) by running the following SQL script: Select * from sys.traces For each audit, the path column will give the location of the file. Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right click the file/folder, click Properties. On the Security tab, verify only the following permissions are applied: Administrator(read), Users (non), Audit Administrator(Full Control)SQLServerServiceAccount (full control). If a permission is not as stated or more restrictive to protect against unauthorized access, this is a finding.

Fix: F-46234r2_fix

Modify audit file permissions to meet the requirement to protect against unauthorized access. Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right click on the file, click Properties. On the Security tab, modify the security permissions to:Administrator(read), Users (none), Audit Administrator(Full Control)SQLServerServiceAccount (full control).

a
SQL Server must protect audit information from unauthorized modification.
AU-9 - Low - CCI-000163 - V-40953 - SV-53307r1_rule
RMF Control
AU-9
Severity
L
CCI
CCI-000163
Version
SQL2-00-013700
Vuln IDs
  • V-40953
Rule IDs
  • SV-53307r1_rule
If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity would be impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions, and limiting log data locations. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data, and the corresponding rights that the user enjoys in order to make decisions regarding the modification of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Modification of database audit data could mask the theft or unauthorized modification of sensitive data stored in the database.
Checks: C-47608r2_chk

Obtain the SQL Server audit file location(s) by running the following SQL script: Select * from sys.traces For each audit, the path column will give the location of the file. Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right click the file/folder, click Properties. On the Security tab, verify only the following permissions are applied: Administrator(read), Users (non), Audit Administrator(Full Control)SQLServerServiceAccount (full control). If a permission is not as stated or more restrictive to protect against unauthorized access, this is a finding.

Fix: F-46235r2_fix

Modify audit file permissions to meet the requirement to protect against unauthorized access. Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right click on the file, click Properties. On the Security tab, modify the security permissions to:Administrator(read), Users (none), Audit Administrator(Full Control)SQLServerServiceAccount (full control).

b
SQL Server must protect audit information from any type of unauthorized access.
AU-9 - Medium - CCI-000162 - V-41016 - SV-53390r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
SQL2-00-013600
Vuln IDs
  • V-41016
Rule IDs
  • SV-53390r1_rule
If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage. To ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, copy, etc. SQL Server and third-party tools are examples of applications that are easily able to view and manipulate audit file data. Additionally, applications with user interfaces to audit records should not allow unfettered manipulation of, or access to, those records via any application. If an application provides access to the audit data, the application becomes accountable for ensuring that audit information is protected from unauthorized access. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions utilizing file system protections, and limiting log data location. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
Checks: C-47632r2_chk

Obtain the SQL Server audit file location(s) by running the following SQL script: Select * from sys.traces For each audit, the path column will give the location of the file. Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right click the file/folder, click Properties. On the Security tab, verify only the following permissions are applied: Administrator(read), Users (non), Audit Administrator(Full Control)SQLServerServiceAccount (full control). If a permission is not as stated or more restrictive to protect against unauthorized access, this is a finding.

Fix: F-46314r2_fix

Modify audit file permissions to meet the requirement to protect against unauthorized access. Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right click on the file, click Properties. On the Security tab, modify the security permissions to:Administrator(read), Users (none), Audit Administrator(Full Control)SQLServerServiceAccount (full control).

b
SQL Server must protect the audit records generated as a result of remote access to privileged accounts and by the execution of privileged functions.
AU-9 - Medium - CCI-001352 - V-41017 - SV-53391r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001352
Version
SQL2-00-014400
Vuln IDs
  • V-41017
Rule IDs
  • SV-53391r1_rule
Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be reliable when performed by an information system which the user being audited has privileged access to. The privileged user could inhibit auditing or directly modify audit records. To prevent this from occurring, privileged access shall be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. Reducing the risk of audit compromises by privileged users can also be achieved, for example, by performing audit activity on a separate information system where the user in question has limited access, or by using storage media that cannot be modified (e.g., write-once recording devices). If an attacker were to gain access to audit tools, they could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity.
Checks: C-47634r2_chk

Obtain the SQL Server audit file location(s) by running the following SQL script: Select * from sys.traces For each audit, the path column will give the location of the file. Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right click the file/folder, click Properties. On the Security tab, verify only the following permissions are applied: Administrator(read), Users (non), Audit Administrator(Full Control)SQLServerServiceAccount (full control). If a permission is not as stated or more restrictive to protect against unauthorized access, this is a finding.

Fix: F-46315r2_fix

Modify audit file permissions to meet the requirement to protect against unauthorized access. Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right click on the file, click Properties. On the Security tab, modify the security permissions to:Administrator(read), Users (none), Audit Administrator(Full Control)SQLServerServiceAccount (full control).

b
SQL Server must protect the SQL Server audit tool or any other third-party audit tools from unauthorized deletion.
AU-9 - Medium - CCI-001495 - V-41018 - SV-53393r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001495
Version
SQL2-00-014100
Vuln IDs
  • V-41018
Rule IDs
  • SV-53393r1_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys in order to make decisions regarding access to audit tools. Audit tools include, but are not limited to, OS-provided audit tools, vendor-provided audit tools, and open-source audit tools needed to successfully view and manipulate audit information system activity and records. If an attacker were to gain access to audit tools, they could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity.
Checks: C-47635r2_chk

Obtain the SQL Server software library installation directory location. From a command prompt, type regedit.exe, and press [ENTER]. Each instance will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; [INSTANCE NAME]. An [INSTANCE NAME] is listed as the data component of a key found in one of the above OLAP, RS, or SQL folders. To find the installation location of a particular instance, navigate to the following location in the Windows Registry: HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; [INSTANCE NAME] &gt;&gt; Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server instance. Navigate to that folder location using a command prompt or Windows Explorer. Verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click each folder under the installation folder, click Properties. On the Security tab, verify only the following permissions are present. ...\MSSQL\backup – SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\binn – SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) ...\MSSQL\data– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\FTData– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\Install– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) ...\MSSQL\Log– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\Repldata– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) 110\shared– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) If additional permissions are present, this is a finding.

Fix: F-46317r2_fix

Navigate to the SQL Server software library directory folder location. Right click the file/folder, click Properties On the Security tab, modify the security permissions, verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click each folder under the installation folder, click Properties. On the Security tab, verify only the following permissions are present. …\MSSQL\backup – SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\binn – SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) …\MSSQL\data– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\FTData– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\Install– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) …\MSSQL\Log– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\Repldata– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) 110\shared– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control)

b
SQL Server must protect the SQL Server audit tool or any other third-party audit tools from unauthorized modification.
AU-9 - Medium - CCI-001494 - V-41019 - SV-53394r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001494
Version
SQL2-00-014000
Vuln IDs
  • V-41019
Rule IDs
  • SV-53394r1_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. If the tools are compromised, it could provide attackers with the capability to manipulate log data. It is, therefore, imperative that audit tools be controlled and protected from unauthorized modification. Audit tools include, but are not limited to, OS-provided audit tools, vendor-provided audit tools, and open-source audit tools needed to successfully view and manipulate audit information system activity and records. If an attacker were to gain access to audit tools, they could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity.
Checks: C-47636r2_chk

Obtain the SQL Server software library installation directory location. From a command prompt, type regedit.exe, and press [ENTER]. Each instance will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; [INSTANCE NAME]. An [INSTANCE NAME] is listed as the data component of a key found in one of the above OLAP, RS, or SQL folders. To find the installation location of a particular instance, navigate to the following location in the Windows Registry: HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; [INSTANCE NAME] &gt;&gt; Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server instance. Navigate to that folder location using a command prompt or Windows Explorer. Verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click each folder under the installation folder, click Properties. On the Security tab, verify only the following permissions are present. ...\MSSQL\backup – SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\binn – SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) ...\MSSQL\data– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\FTData– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\Install– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) ...\MSSQL\Log– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\Repldata– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) 110\shared– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) If additional permissions are present, this is a finding.

Fix: F-46318r2_fix

Navigate to the SQL Server software library directory folder location. Right click the file/folder, click Properties On the Security tab, modify the security permissions, verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click each folder under the installation folder, click Properties. On the Security tab, verify only the following permissions are present. …\MSSQL\backup – SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\binn – SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) …\MSSQL\data– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\FTData– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\Install– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) …\MSSQL\Log– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\Repldata– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) 110\shared– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control)

b
SQL Server must protect the SQL Server audit tool or any other third-party audit tools from unauthorized access.
AU-9 - Medium - CCI-001493 - V-41020 - SV-53395r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001493
Version
SQL2-00-013900
Vuln IDs
  • V-41020
Rule IDs
  • SV-53395r1_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys in order to make decisions regarding access to audit tools. Audit tools include, but are not limited to, OS-provided audit tools, vendor-provided audit tools, and open-source audit tools needed to successfully view and manipulate audit information system activity and records. If an attacker were to gain access to audit tools they could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity.
Checks: C-47637r2_chk

Obtain the SQL Server software library installation directory location. From a command prompt, type regedit.exe, and press [ENTER]. Each instance will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; [INSTANCE NAME]. An [INSTANCE NAME] is listed as the data component of a key found in one of the above OLAP, RS, or SQL folders. To find the installation location of a particular instance, navigate to the following location in the Windows Registry: HKEY_LOCAL_MACHINE &gt;&gt; SOFTWARE &gt;&gt; Microsoft &gt;&gt; Microsoft SQL Server &gt;&gt; [INSTANCE NAME] &gt;&gt; Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server instance. Navigate to that folder location using a command prompt or Windows Explorer. Verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click each folder under the installation folder, click Properties. On the Security tab, verify only the following permissions are present. …\MSSQL\backup – SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\binn – SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) …\MSSQL\data– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\FTData– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\Install– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) …\MSSQL\Log– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\Repldata– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) 110\shared– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) If additional permissions are present, this is a finding.

Fix: F-46319r5_fix

Navigate to the SQL Server software library directory folder location. Right click the file/folder, click Properties On the Security tab, modify the security permissions,verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click each folder under the installation folder, click Properties. On the Security tab,verify only the following permissions are present. …\MSSQL\backup – SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\binn – SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) …\MSSQL\data– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\FTData– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\Install– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) …\MSSQL\Log– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\Repldata– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) 110\shared– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control)

b
SQL Server must audit attempts to bypass access controls.
AU-7 - Medium - CCI-000158 - V-41021 - SV-53396r2_rule
RMF Control
AU-7
Severity
M
CCI
CCI-000158
Version
SQL2-00-013400
Vuln IDs
  • V-41021
Rule IDs
  • SV-53396r2_rule
Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Detection of suspicious activity, including access attempts and successful access from unexpected places, during unexpected times, or other unusual indicators, can support decisions to apply countermeasures to deter an attack. Without detection, malicious activity may proceed without hindrance. In SQL Server's case, this is a combination of the standard audit trace, as well as the operating system logs. Only the SQL Server logs are validated for this check, as the other part is dependent upon the operating system.
Checks: C-47638r4_chk

Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Fix: F-46320r3_fix

-- Run this script to create and start an audit trace that audits required events. -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances. -- The database server must be restarted for the trace to take effect. USE master; GO BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH; GO CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT; DECLARE @TraceID INT; DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4) DECLARE @tracefile NVARCHAR(128) = 'D:<path>\<filename>'; -- Trace file location and beginning of file name (SQL Server adds a suffix) DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes DECLARE @stoptime datetime = null; -- do not stop DECLARE @filecount INT = 10; -- Number of trace files in the rollover set EXEC @rc = SP_TRACE_CREATE @TraceID output, @options, @tracefile, @maxfilesize, @stoptime, @filecount ; IF (@rc != 0) GOTO Error; -- Set the events: DECLARE @on BIT = 1; -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on; -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on; -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on; -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on; -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on; -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on; -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on; -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on; -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on; -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on; -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on; -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on; -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on; -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on; -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on; -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on; -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on; -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on; -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on; -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on; -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on; -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on; -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on; -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on; -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on; -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on; -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on; -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on; -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on; -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on; -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1; -- Display trace ID for future reference. SELECT @TraceID AS TraceID; GOTO Finish; Error: SELECT @rc AS ErrorCode; Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true'; GO -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

b
SQL Server must shutdown immediately in the event of an audit failure, unless an alternative audit capability exists.
AU-5 - Medium - CCI-001343 - V-41022 - SV-53397r1_rule
RMF Control
AU-5
Severity
M
CCI
CCI-001343
Version
SQL2-00-012800
Vuln IDs
  • V-41022
Rule IDs
  • SV-53397r1_rule
It is critical that, when SQL Server is at risk of failing to process audit logs as required, it takes action to mitigate the failure. If the system were to continue processing without auditing enabled, actions can be taken on the system that cannot be tracked and recorded for later forensic analysis. In many system configurations, the disk space allocated to the auditing system is separate from the disks allocated for the operating system; therefore, this may not result in a system outage. This forces the application to detect and take actions. A failure of SQL Server auditing will result in either the database continuing to function without auditing, or halt of SQL Server operations. In this case, the database must cease processing immediately in order to not allow unlogged transaction to occur.
Checks: C-47639r2_chk

From the query prompt: SELECT DISTINCT traceid FROM ::FN_TRACE_GETINFO('0') All currently defined traces for the SQL Server instance will be listed. If no traces are returned, this is a finding. Determine the trace being used for the auditing requirement. Replace # with a traceid being used for the auditing requirements. From the query prompt: SELECT CAST(value AS INT) FROM ::FN_TRACE_GETINFO('#') where property = 1 and (cast(value as int) &amp; 4 = 4) If the traces are not set to 4, this is a finding.

Fix: F-46321r2_fix

Modify the SQL Server audit setting to immediately shutdown the database in the event of an audit failure by setting property 1 to a value of 4 for the audit.

a
SQL Server itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
AU-5 - Low - CCI-000143 - V-41023 - SV-53398r1_rule
RMF Control
AU-5
Severity
L
CCI
CCI-000143
Version
SQL2-00-012600
Vuln IDs
  • V-41023
Rule IDs
  • SV-53398r1_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. If audit log capacity were to be exceeded, then events subsequently occurring will not be recorded. Organizations shall define a maximum allowable percentage of storage capacity serving as an alarming threshold (e.g., application has exceeded 80% of log storage capacity allocated) at which time the application or the logging mechanism the application utilizes will provide a warning to the appropriate personnel. A failure of database auditing will result in either the database continuing to function without auditing, or in a complete halt to database operations. When audit processing fails, appropriate personnel must be alerted immediately to avoid further downtime or unaudited transactions. This can be an alert provided by a log repository or the OS when a designated log directory is nearing capacity.
Checks: C-47640r2_chk

Since SQL Server does not support the monitoring of the available audit log file space, utilize Windows File Server Resource Manager or a third-party application to perform this activity. From a Command Prompt, open fsrm.msc. If fsrm.msc is not installed, the File Server Resource Manager is not installed, File and Folder Quota Management is not enabled. If File Server Resource Manager or a third-party tool capable of sending alert notifications based on audit log store requirements is not installed, this is a finding. If fsrm.msc is installed, expand File Server Resource Manager in the left pane. Expand Quota Management. Select Quotas. If Quotas have not been created for defined Audit Log storage locations that meet organizationally defined requirements, this is a finding. In the center pane, select each quota to determine its Path, Limit, Type, and Description. Right click the appropriate quota or quotas, and click Edit Quota Properties. Examine the Notification thresholds panel. If there are no Notification thresholds applied to this Quota, this is a finding. If a Notification Threshold is applied, and it does not send an email alert, or provide an Event Log entry which is handled by an automated Log Alert reporting application, this is a finding. If a third-party application is utilized to fulfill this requirement, and it is not configured to provide a notification, this is a finding.

Fix: F-46322r2_fix

From File Server Resource Manager: Choose the From Server Selection, Select a server from the server pool, and select the server from the lower menu. Expand the File and Storage Services Role. Then Expand the File and iSCSI Services subtree. Select File Server Resource Manager. Click Add Features. Return to Add Roles and Features Wizard. Click Next. On the Features Tab, Click Next. Click Install to install and enable the FSRM.msc Microsoft Management Console Snap-in tool. From a Command Prompt, open fsrm.msc. Enable File and Folder Quota Management. Create Quotas for previously identified Audit storage locations based on organizationally defined requirements. Right click the appropriate quota or quotas, and click Edit Quota Properties. From the Notification thresholds pane, create a Notification threshold for this Quota utilizing a generate email alert, or a generated Event Log entry.

b
SQL Server auditing configuration maximum number of files must be configured to reduce the likelihood of storage capacity being exceeded, while meeting organization-defined auditing requirements.
AU-4 - Medium - CCI-000138 - V-41024 - SV-53399r1_rule
RMF Control
AU-4
Severity
M
CCI
CCI-000138
Version
SQL2-00-010500
Vuln IDs
  • V-41024
Rule IDs
  • SV-53399r1_rule
Configure SQL Server during the installation and/or configuration process to determine if adequate storage capacity has been allocated for audit logs. If SQL Server audit logs that are being generated exceed the amount of space reserved for those logs, the system may shutdown or take other measures to stop processing in order to protect transactions from continuing unlogged. After the initial setup of SQL Server audit log configuration, it is best to check the available space frequently until the maximum number of files has been reached. Checking the available space can help determine the balance of online audit data with space required.
Checks: C-47641r2_chk

Check the SQL Server audit setting on the maximum number of files of the trace used for the auditing requirement. Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. If auditing will outgrow the space reserved for logging before being overwritten, this is a finding.

Fix: F-46323r2_fix

Configure the maximum number of audit log files that are to be generated, staying within the number of logs the system was sized to support. Update the max_files parameter of the audits to ensure the correct number of files is defined.

b
SQL Server auditing configuration maximum file size must be configured to reduce the likelihood of storage capacity being exceeded, while meeting organization-defined auditing requirements.
AU-4 - Medium - CCI-000138 - V-41025 - SV-53400r1_rule
RMF Control
AU-4
Severity
M
CCI
CCI-000138
Version
SQL2-00-010400
Vuln IDs
  • V-41025
Rule IDs
  • SV-53400r1_rule
Configure SQL Server during the installation and/or configuration process to determine if adequate storage capacity has been allocated for audit logs. If SQL Server audit logs that are being generated exceed the amount of space reserved for those logs, the system may shutdown or take other measures to stop processing in order to protect transactions from continuing unlogged. After the initial setup of SQL Server audit log configuration, it is best to check the available space until the maximum number of files has been reached. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. Therefore, the combination of max_size and max_files must be monitored to ensure that overwriting does not occur. This must also coincide with the backup process of off-loading the files.
Checks: C-47642r2_chk

Check the SQL Server audit setting on the maximum file size of the trace used for the auditing requirement. Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. If auditing will outgrow the space reserved for logging before being overwritten, this is a finding.

Fix: F-46324r2_fix

Configure the maximum file size of each audit log file that is to be generated, staying within the file size the system was sized to support. Modify the audit in question to be placed on drives with adequate space or reconfigure to ensure the audit will not fill the space allocated.

b
SQL Server must have allocated audit record storage capacity to meet the organization-defined requirements for saving audit record information.
AU-4 - Medium - CCI-000137 - V-41026 - SV-53401r1_rule
RMF Control
AU-4
Severity
M
CCI
CCI-000137
Version
SQL2-00-010600
Vuln IDs
  • V-41026
Rule IDs
  • SV-53401r1_rule
SQL Server does not have the ability to be cognizant of potential audit log storage capacity issues. During the installation and/or configuration process, SQL Server should detect and determine if adequate storage capacity has been allocated for audit logs. During the installation process, a notification may be provided to the installer indicating, based on the auditing configuration chosen and the amount of storage space allocated for audit logs, the amount of storage capacity available is not sufficient to meet storage requirements. SQL Server is not able to send out notice based on adequate storage capacity allocated for the audit logs.
Checks: C-47643r2_chk

From a Command Prompt, open fsrm.msc. If fsrm.msc is not installed, the File Server Resource Manager is not installed; File and Folder Quota Management is not enabled. If File Server Resource Manager or a third-party tool capable of sending alert notifications based on audit log store requirements is not installed, this is a finding. If fsrm.msc is installed, expand File Server Resource Manager in the left pane. Expand Quota Management. Expand Quotas. If Quotas have not been created for defined Audit Log storage locations, this is a finding.

Fix: F-46325r1_fix

Use File Server Resource Manager (FSRM.msc) to enable File and Folder Quota Management and create quotas for identified Audit storage locations.

b
SQL Server must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
AU-3 - Medium - CCI-000135 - V-41027 - SV-53402r2_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000135
Version
SQL2-00-012400
Vuln IDs
  • V-41027
Rule IDs
  • SV-53402r2_rule
SQL Server auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server does have a means available to add organizationally defined additional, more detailed information in the audit event records. These events may be identified by type, location, or subject. An example of more detailed information the organization may require in audit records could be the name of the application where the request is coming from. Some organizations may determine that more detailed information is required for specific database event types. If this information is not available, it could negatively impact forensic investigations into user actions or other malicious events.
Checks: C-47644r4_chk

Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Fix: F-46326r3_fix

-- Run this script to create and start an audit trace that audits required events. -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances. -- The database server must be restarted for the trace to take effect. USE master; GO BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH; GO CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT; DECLARE @TraceID INT; DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4) DECLARE @tracefile NVARCHAR(128) = 'D:<path>\<filename>'; -- Trace file location and beginning of file name (SQL Server adds a suffix) DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes DECLARE @stoptime datetime = null; -- do not stop DECLARE @filecount INT = 10; -- Number of trace files in the rollover set EXEC @rc = SP_TRACE_CREATE @TraceID output, @options, @tracefile, @maxfilesize, @stoptime, @filecount ; IF (@rc != 0) GOTO Error; -- Set the events: DECLARE @on BIT = 1; -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on; -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on; -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on; -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on; -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on; -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on; -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on; -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on; -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on; -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on; -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on; -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on; -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on; -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on; -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on; -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on; -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on; -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on; -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on; -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on; -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on; -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on; -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on; -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on; -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on; -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on; -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on; -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on; -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on; -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on; -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1; -- Display trace ID for future reference. SELECT @TraceID AS TraceID; GOTO Finish; Error: SELECT @rc AS ErrorCode; Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true'; GO -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

b
SQL Server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
AU-3 - Medium - CCI-001487 - V-41028 - SV-53403r2_rule
RMF Control
AU-3
Severity
M
CCI
CCI-001487
Version
SQL2-00-012300
Vuln IDs
  • V-41028
Rule IDs
  • SV-53403r2_rule
Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Database software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed a given action. If user identification information is not recorded and stored with the audit record, the record itself is of very limited use.
Checks: C-47645r4_chk

Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Fix: F-46327r3_fix

-- Run this script to create and start an audit trace that audits required events. -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances. -- The database server must be restarted for the trace to take effect. USE master; GO BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH; GO CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT; DECLARE @TraceID INT; DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4) DECLARE @tracefile NVARCHAR(128) = 'D:<path>\<filename>'; -- Trace file location and beginning of file name (SQL Server adds a suffix) DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes DECLARE @stoptime datetime = null; -- do not stop DECLARE @filecount INT = 10; -- Number of trace files in the rollover set EXEC @rc = SP_TRACE_CREATE @TraceID output, @options, @tracefile, @maxfilesize, @stoptime, @filecount ; IF (@rc != 0) GOTO Error; -- Set the events: DECLARE @on BIT = 1; -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on; -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on; -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on; -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on; -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on; -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on; -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on; -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on; -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on; -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on; -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on; -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on; -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on; -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on; -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on; -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on; -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on; -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on; -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on; -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on; -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on; -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on; -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on; -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on; -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on; -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on; -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on; -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on; -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on; -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on; -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1; -- Display trace ID for future reference. SELECT @TraceID AS TraceID; GOTO Finish; Error: SELECT @rc AS ErrorCode; Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true'; GO -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

b
SQL Server must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
AU-3 - Medium - CCI-000134 - V-41029 - SV-53404r2_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000134
Version
SQL2-00-012200
Vuln IDs
  • V-41029
Rule IDs
  • SV-53404r2_rule
Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know the outcome of attempted actions. This requires specific information regarding the outcome of the action or event that the audit record is referring to. If outcome status information is not recorded and stored with the audit record, the record itself is of very limited use. Success and failure indicators ascertain the outcome of a particular event. As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Without knowing the outcome of audit events, it is very difficult to accurately recreate the series of events during forensic analysis. If auditing is enabled, SQL Server does capture the outcome status-specific information in all audit records.
Checks: C-47646r4_chk

Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Fix: F-46328r3_fix

-- Run this script to create and start an audit trace that audits required events. -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances. -- The database server must be restarted for the trace to take effect. USE master; GO BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH; GO CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT; DECLARE @TraceID INT; DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4) DECLARE @tracefile NVARCHAR(128) = 'D:<path>\<filename>'; -- Trace file location and beginning of file name (SQL Server adds a suffix) DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes DECLARE @stoptime datetime = null; -- do not stop DECLARE @filecount INT = 10; -- Number of trace files in the rollover set EXEC @rc = SP_TRACE_CREATE @TraceID output, @options, @tracefile, @maxfilesize, @stoptime, @filecount ; IF (@rc != 0) GOTO Error; -- Set the events: DECLARE @on BIT = 1; -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on; -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on; -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on; -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on; -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on; -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on; -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on; -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on; -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on; -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on; -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on; -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on; -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on; -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on; -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on; -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on; -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on; -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on; -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on; -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on; -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on; -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on; -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on; -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on; -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on; -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on; -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on; -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on; -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on; -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on; -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1; -- Display trace ID for future reference. SELECT @TraceID AS TraceID; GOTO Finish; Error: SELECT @rc AS ErrorCode; Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true'; GO -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

b
SQL Server must produce audit records containing sufficient information to establish the sources (origins) of the events.
AU-3 - Medium - CCI-000133 - V-41030 - SV-53405r2_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000133
Version
SQL2-00-012100
Vuln IDs
  • V-41030
Rule IDs
  • SV-53405r2_rule
Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed what actions. This requires specific information regarding the source of the event an audit record is referring to. If the source of the event information is not recorded and stored with the audit record, the record itself is of very limited use. The source of the event can be a user account and sometimes a system account when timed jobs are run. Without information establishing the source of activity, the value of audit records from a forensics perspective is questionable. If auditing is enabled, SQL Server does capture the source of the event-specific information in all audit records.
Checks: C-47647r4_chk

Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Fix: F-46329r3_fix

-- Run this script to create and start an audit trace that audits required events. -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances. -- The database server must be restarted for the trace to take effect. USE master; GO BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH; GO CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT; DECLARE @TraceID INT; DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4) DECLARE @tracefile NVARCHAR(128) = 'D:<path>\<filename>'; -- Trace file location and beginning of file name (SQL Server adds a suffix) DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes DECLARE @stoptime datetime = null; -- do not stop DECLARE @filecount INT = 10; -- Number of trace files in the rollover set EXEC @rc = SP_TRACE_CREATE @TraceID output, @options, @tracefile, @maxfilesize, @stoptime, @filecount ; IF (@rc != 0) GOTO Error; -- Set the events: DECLARE @on BIT = 1; -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on; -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on; -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on; -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on; -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on; -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on; -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on; -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on; -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on; -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on; -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on; -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on; -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on; -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on; -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on; -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on; -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on; -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on; -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on; -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on; -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on; -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on; -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on; -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on; -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on; -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on; -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on; -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on; -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on; -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on; -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1; -- Display trace ID for future reference. SELECT @TraceID AS TraceID; GOTO Finish; Error: SELECT @rc AS ErrorCode; Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true'; GO -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

b
SQL Server must produce audit records containing sufficient information to establish where the events occurred.
AU-3 - Medium - CCI-000132 - V-41031 - SV-53406r2_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000132
Version
SQL2-00-012000
Vuln IDs
  • V-41031
Rule IDs
  • SV-53406r2_rule
Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly where actions were performed. This requires specific information regarding the event location an audit record is referring to. If event location information is not recorded and stored with the audit record, the record itself is of very limited use. An event location can be a database instance, table, column, row, etc. Without sufficient information establishing where the audit events occurred, investigation into the cause of events is severely hindered. If auditing is enabled, SQL Server does capture the event location-specific information in all audit records.
Checks: C-47648r5_chk

Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Fix: F-46330r3_fix

-- Run this script to create and start an audit trace that audits required events. -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances. -- The database server must be restarted for the trace to take effect. USE master; GO BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH; GO CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT; DECLARE @TraceID INT; DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4) DECLARE @tracefile NVARCHAR(128) = 'D:<path>\<filename>'; -- Trace file location and beginning of file name (SQL Server adds a suffix) DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes DECLARE @stoptime datetime = null; -- do not stop DECLARE @filecount INT = 10; -- Number of trace files in the rollover set EXEC @rc = SP_TRACE_CREATE @TraceID output, @options, @tracefile, @maxfilesize, @stoptime, @filecount ; IF (@rc != 0) GOTO Error; -- Set the events: DECLARE @on BIT = 1; -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on; -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on; -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on; -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on; -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on; -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on; -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on; -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on; -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on; -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on; -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on; -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on; -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on; -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on; -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on; -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on; -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on; -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on; -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on; -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on; -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on; -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on; -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on; -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on; -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on; -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on; -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on; -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on; -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on; -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on; -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1; -- Display trace ID for future reference. SELECT @TraceID AS TraceID; GOTO Finish; Error: SELECT @rc AS ErrorCode; Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true'; GO -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

b
SQL Server must produce audit records containing sufficient information to establish when (date and time) the events occurred.
AU-3 - Medium - CCI-000131 - V-41032 - SV-53407r2_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000131
Version
SQL2-00-011900
Vuln IDs
  • V-41032
Rule IDs
  • SV-53407r2_rule
Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly when actions were performed. This requires specific information regarding the date and time an audit record is referring to. If date and time information is not recorded and stored with the audit record, the record itself is of very limited use. If auditing is enabled, SQL Server does capture the date and time-specific information in all audit records.
Checks: C-47649r4_chk

Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Fix: F-46331r3_fix

-- Run this script to create and start an audit trace that audits required events. -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances. -- The database server must be restarted for the trace to take effect. USE master; GO BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH; GO CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT; DECLARE @TraceID INT; DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4) DECLARE @tracefile NVARCHAR(128) = 'D:<path>\<filename>'; -- Trace file location and beginning of file name (SQL Server adds a suffix) DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes DECLARE @stoptime datetime = null; -- do not stop DECLARE @filecount INT = 10; -- Number of trace files in the rollover set EXEC @rc = SP_TRACE_CREATE @TraceID output, @options, @tracefile, @maxfilesize, @stoptime, @filecount ; IF (@rc != 0) GOTO Error; -- Set the events: DECLARE @on BIT = 1; -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on; -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on; -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on; -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on; -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on; -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on; -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on; -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on; -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on; -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on; -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on; -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on; -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on; -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on; -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on; -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on; -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on; -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on; -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on; -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on; -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on; -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on; -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on; -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on; -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on; -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on; -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on; -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on; -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on; -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on; -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1; -- Display trace ID for future reference. SELECT @TraceID AS TraceID; GOTO Finish; Error: SELECT @rc AS ErrorCode; Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true'; GO -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

b
SQL Server must produce audit records containing sufficient information to establish what type of events occurred.
AU-3 - Medium - CCI-000130 - V-41033 - SV-53408r2_rule
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SQL2-00-011800
Vuln IDs
  • V-41033
Rule IDs
  • SV-53408r2_rule
Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly what actions were performed. This requires specific information regarding the event type an audit record is referring to. If event type information is not recorded and stored with the audit record, the record itself is of very limited use. If auditing is enabled, SQL Server does capture the event type-specific information in all audit records.
Checks: C-47650r4_chk

Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Fix: F-46332r3_fix

-- Run this script to create and start an audit trace that audits required events. -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances. -- The database server must be restarted for the trace to take effect. USE master; GO BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH; GO CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT; DECLARE @TraceID INT; DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4) DECLARE @tracefile NVARCHAR(128) = 'D:<path>\<filename>'; -- Trace file location and beginning of file name (SQL Server adds a suffix) DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes DECLARE @stoptime datetime = null; -- do not stop DECLARE @filecount INT = 10; -- Number of trace files in the rollover set EXEC @rc = SP_TRACE_CREATE @TraceID output, @options, @tracefile, @maxfilesize, @stoptime, @filecount ; IF (@rc != 0) GOTO Error; -- Set the events: DECLARE @on BIT = 1; -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on; -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on; -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on; -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on; -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on; -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on; -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on; -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on; -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on; -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on; -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on; -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on; -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on; -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on; -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on; -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on; -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on; -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on; -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on; -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on; -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on; -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on; -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on; -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on; -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on; -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on; -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on; -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on; -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on; -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on; -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1; -- Display trace ID for future reference. SELECT @TraceID AS TraceID; GOTO Finish; Error: SELECT @rc AS ErrorCode; Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true'; GO -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

a
SQL Server must protect against an individual using a group account from falsely denying having performed a particular action.
AU-10 - Low - CCI-000166 - V-41034 - SV-53409r1_rule
RMF Control
AU-10
Severity
L
CCI
CCI-000166
Version
SQL2-00-023700
Vuln IDs
  • V-41034
Rule IDs
  • SV-53409r1_rule
Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. SQL Server group authentication does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary authentication method that provides individual accountability is required. This scenario most frequently occurs when an externally hosted application authenticates individual users to the application and the application uses a single account to retrieve or update database information on behalf of the individual users. When group accounts are utilized without another means of identifying individual users, users may deny having performed a particular action.
Checks: C-47651r2_chk

Obtain the list of authorized SQL Server accounts in the system documentation. Get the list of SQL Server user accounts that are in SQL Server by executing: Select * from sys.server_principals If any accounts indicate use by multiple persons that are not mapped to a specific person in the system documentation, this is a finding. (The key is individual accountability. If this can be traced, this is not a finding.) If any applications or processes share an account that could be assigned to an individual account or are not specified as requiring a shared account, this is a finding. Note: Privileged installation accounts may be required to be accessed by the DBA or other administrators for system maintenance. In these cases, each use of the account must be logged in some manner to assign accountability for any actions taken during the use of the account.

Fix: F-46333r2_fix

Use organizational methods for creating individual accounts for each user, application, or other process that requires a database connection. Document any accounts that are shared where separation is not supported by the application or for maintenance support. Design, develop, and implement a method to log use of any account to which more than one person has access. Restrict interactive access to shared accounts to the fewest persons possible.

b
SQL Server must generate audit records for the DoD-selected list of auditable events.
AU-12 - Medium - CCI-000172 - V-41035 - SV-53410r2_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SQL2-00-011400
Vuln IDs
  • V-41035
Rule IDs
  • SV-53410r2_rule
Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific application functionalities may be audited, as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked). Organizations may define the organizational personnel accountable for determining which application components shall provide auditable events. Auditing provides accountability for changes made to the SQL Server configuration or its objects and data. It provides a means to discover suspicious activity and unauthorized changes. Without auditing, a compromise may go undetected and without a means to determine accountability.
Checks: C-47652r4_chk

Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Fix: F-46334r3_fix

-- Run this script to create and start an audit trace that audits required events. -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances. -- The database server must be restarted for the trace to take effect. USE master; GO BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH; GO CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT; DECLARE @TraceID INT; DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4) DECLARE @tracefile NVARCHAR(128) = 'D:<path>\<filename>'; -- Trace file location and beginning of file name (SQL Server adds a suffix) DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes DECLARE @stoptime datetime = null; -- do not stop DECLARE @filecount INT = 10; -- Number of trace files in the rollover set EXEC @rc = SP_TRACE_CREATE @TraceID output, @options, @tracefile, @maxfilesize, @stoptime, @filecount ; IF (@rc != 0) GOTO Error; -- Set the events: DECLARE @on BIT = 1; -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on; -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on; -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on; -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on; -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on; -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on; -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on; -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on; -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on; -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on; -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on; -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on; -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on; -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on; -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on; -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on; -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on; -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on; -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on; -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on; -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on; -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on; -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on; -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on; -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on; -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on; -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on; -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on; -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on; -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on; -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1; -- Display trace ID for future reference. SELECT @TraceID AS TraceID; GOTO Finish; Error: SELECT @rc AS ErrorCode; Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true'; GO -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

b
SQL Server must be configured to use Windows Integrated Security.
CM-6 - Medium - CCI-000366 - V-41036 - SV-53411r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SQL2-00-023600
Vuln IDs
  • V-41036
Rule IDs
  • SV-53411r1_rule
SQL Server Authentication does not provide for many of the authentication requirements required in the DoD. In some cases workarounds are present, but the authentication is not as robust and does not provide needed functionality. Without that functionality SQL Server is vulnerable to authentication attacks. Consideration must be given to the placement of SQL server inside a forest to ensure evaluation of risk within the environment is considered. Risk includes introduction of risk to SQL Server from other applications or workstations as well as risk from introduction of SQL server itself into an established environment.
Checks: C-47653r2_chk

To determine the Server Authentication Mode, execute the following: EXEC XP_LOGINCONFIG 'login mode' If the config_value is set to 'Mixed', this is a finding.

Fix: F-46335r2_fix

From the SQL Server Management Studio, right click the server, and then click Properties. Select the Security page, under Server authentication, select Windows Authentication Mode, and then click OK.

a
SQL Server default account sa must have its name changed.
AC-6 - Low - CCI-000040 - V-41037 - SV-53412r1_rule
RMF Control
AC-6
Severity
L
CCI
CCI-000040
Version
SQL2-00-010200
Vuln IDs
  • V-41037
Rule IDs
  • SV-53412r1_rule
SQL Server's 'sa' account has special privileges required to administer the database. The 'sa' account is a well-known SQL Server account name and is likely to be targeted by attackers, and is thus more prone to providing unauthorized access to the database. Since the SQL Server 'sa' is administrative in nature, the compromise of a default account can have catastrophic consequences, including the complete loss of control over SQL Server. Since SQL Server needs for this account to exist and it should not be removed, one way to mitigate this risk is to change the 'sa' account name.
Checks: C-47654r2_chk

Verify the SQL Server default 'sa' account name has been changed. Navigate to SQL Server Management Studio &gt;&gt; Object Explorer &gt;&gt; &lt;'SQL Server name'&gt; &gt;&gt; Security &gt;&gt; Logins. If SQL Server default 'sa' account name is in the 'Logins' list, this is a finding.

Fix: F-46336r1_fix

Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> click 'sa' account name. Hit <F2> while the name is highlighted in order to edit the name. Rename the 'sa' account.

b
Use of the SQL Server software installation account must be restricted to SQL Server software installation.
AC-6 - Medium - CCI-000040 - V-41038 - SV-53413r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000040
Version
SQL2-00-010100
Vuln IDs
  • V-41038
Rule IDs
  • SV-53413r1_rule
This requirement is intended to limit exposure due to operating from within a privileged account. SQL Server does support the organizational requirement that users of information system accounts with access to an organization-defined list of security functions or security-relevant information use non-privileged accounts and roles, when accessing other (non-security) system functions. Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification, or exposure. In particular, DBA accounts if used for non-administration application development or application maintenance can lead to miss-assignment of privileges where privileges are inherited by object owners. It may also lead to loss or compromise of application data where the elevated privileges bypass controls designed in, and provided by, applications. The SQL Server installation account requires privileges not required for SQL Server administration or other functions. Use of accounts configured with excess privileges may result in the loss or compromise of data or system settings due to elevated privileges that bypass controls designed to protect them.
Checks: C-47655r2_chk

Review system documentation to identify the installation account. Verify whether the account is used for anything beyond SQL Server software installation, upgrade, and maintenance actions. If the account is used for anything beyond SQL Server installation, upgrade, and maintenance actions, this is a finding.

Fix: F-46337r1_fix

Restrict usage of the SQL Server installation account to SQL Server installation, upgrade, and maintenance actions only. Disable installation accounts when authorized actions are not being performed.

b
DBA OS accounts must be granted only those host system privileges necessary for the administration of SQL Server.
AC-6 - Medium - CCI-000040 - V-41039 - SV-53414r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000040
Version
SQL2-00-010000
Vuln IDs
  • V-41039
Rule IDs
  • SV-53414r1_rule
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role-Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. SQL Server DBAs, if assigned excessive OS privileges, could perform actions that could endanger the information system or hide evidence of malicious activity.
Checks: C-47656r2_chk

Obtain the list of SQL Server DBA and privileged user accounts that have OS permissions. Using an account with administrator privileges, from a Command Prompt, type lusrmgr.msc, and press [ENTER]. Navigate to Groups. Right click the 'Administrators' group. Click Properties. Click the 'Members' tab. If any accounts are listed as members of the 'Administrators' group and are not in the list of designated OS privileged user accounts, this is a finding. Perform similar checks on the following groups: Backup Operators Certificate Service DCOM Access Cryptographic Operators Distributed COM Users Event Log Readers Guests IIS_IUSRS Network Configuration Operators Performance Log Users Power Users Print Operators Remote Desktop Users Replicator Users HelpLibraryUpdaters WSS_ADMIN_WPG WSS_WPG Any Groups that are SQL Server User or Service Groups. If any accounts are listed as Members in above groups and are not in the list of designated OS privileged, service, or user accounts, this is a finding.

Fix: F-46338r2_fix

Using an account with administrator privileges, from a Command Prompt, type lusrmgr.msc, and press [ENTER]. Navigate to Groups. Right click on 'Administrators.' Click Properties. Click the 'Members' tab. Remove all undocumented or unapproved accounts by clicking on each account and then hitting the 'Remove' button. Repeat the removal process for the following groups: Backup Operators Certificate Service DCOM Access Cryptographic Operators Distributed COM Users Event Log Readers Guests IIS_IUSRS Network Configuration Operators Performance Log Users Power Users Print Operators Remote Desktop Users Replicator Users HelpLibraryUpdaters WSS_ADMIN_WPG WSS_WPG Any Groups that look like SQL Server User or Service Groupsaccounts

b
OS accounts utilized to run external procedures called by SQL Server must have limited privileges.
AC-6 - Medium - CCI-000040 - V-41040 - SV-53415r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000040
Version
SQL2-00-009900
Vuln IDs
  • V-41040
Rule IDs
  • SV-53415r1_rule
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role-Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. To limit exposure when operating from within a privileged account or role, the application must support organizational requirements that users of information system accounts, or roles, with access to an organization-defined list of security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other (non-security) system functions. Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification, or exposure. In particular, DBA accounts, if used for non-administration application development or application maintenance, can lead to misassignment of privileges where privileges are inherited by object owners. It may also lead to loss or compromise of application data where the elevated privileges bypass controls designed in, and provided by, applications. External applications called by SQL Server may be executed under OS accounts with unnecessary privileges. This can lead to unauthorized access to OS resources and compromise of the OS, SQL Server, or any other services provided by the host platform.
Checks: C-47657r2_chk

Determine which OS accounts are used by SQL Server to run external procedures. Validate that these OS accounts have only the privileges necessary to perform the required functionality. If any OS accounts utilized by SQL Server are running external procedures and have privileges beyond those required for running the external procedures, this is a finding.

Fix: F-46339r1_fix

Limit privileges to SQL Server-related OS accounts to those required privileges needed to perform their SQL Server-specific functionality.

b
SQL Server DBA roles must not be assigned excessive or unauthorized privileges.
AC-6 - Medium - CCI-000040 - V-41041 - SV-53416r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000040
Version
SQL2-00-009800
Vuln IDs
  • V-41041
Rule IDs
  • SV-53416r1_rule
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role-Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Audit of privileged activity may require physical separation, employing information systems on which the user does not have privileged access. To limit exposure and provide forensic history of activity when operating from within a privileged account or role, SQL Server does support organizational requirements that users of information system accounts, or roles, with access to an organization-defined list of security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other (non-security) system functions. SQL Server provides access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged. DBAs, if assigned excessive privileges, could perform actions that endanger the information system or hide evidence of malicious activity.
Checks: C-47658r2_chk

Obtain the list of all DBAs. Obtain documented role assignments for each DBA. Obtain from system documentation or use SQL Server to determine privilege assignment of user-defined roles. Navigate to SQL Server Management Studio &gt;&gt; Object Explorer &gt;&gt; &lt;'SQL Server name'&gt; &gt;&gt; Security &gt;&gt; Logins &gt;&gt; right click &lt;'administrator account name'&gt; &gt;&gt; Properties &gt;&gt; User &gt;&gt; Securables. If any item in the 'Permission' listing, for each highlighted item that exists in the 'Securables' listing, has excessive privileges, this is a finding. Navigate from 'Securables' to 'Server Roles'. If any checked 'Server roles' are determined to be excessive privileges, this is a finding. Navigate from 'Server Roles' to 'Users mapped to the login'. If any checked 'Database role membership' of each highlighted and checked 'Database' are determined to be excessive privileges, this is a finding.

Fix: F-46340r2_fix

Remove permissions from DBAs and other administrative users beyond those required for administrative functions. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'administrator account name'> >> Properties >> User >> Securables. Remove 'Securables' permissions from DBAs and other administrative users that are beyond what is required. Navigate from 'Securables' to 'Server Roles'. Remove 'Server Roles' permissions from DBAs and other administrative users that are beyond what is required. Navigate from 'Server Roles' to 'Users mapped to the login'. Remove 'Users mapped to the login' permissions from DBAs and other administrative users that are beyond what is required.

b
Non-privileged accounts must be utilized when accessing non-administrative functions.
AC-6 - Medium - CCI-000040 - V-41042 - SV-53417r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000040
Version
SQL2-00-009700
Vuln IDs
  • V-41042
Rule IDs
  • SV-53417r1_rule
This requirement is intended to limit exposure due to operating from within a privileged account or role. To limit exposure and provide forensic history of activity when operating from within a privileged account or role, the application must support organizational requirements that users of information system accounts, or roles, with access to an organization-defined list of security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other (non-security) system functions. If feasible, applications should provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged. Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification, or exposure. In particular, DBA accounts, if used for non-administration application development or application maintenance, can lead to excessive privileges where privileges are inherited by object owners. It may also lead to loss or compromise of application data where the elevated privileges bypass controls designed in, and provided by, applications.
Checks: C-47659r1_chk

Review logs for objects owned by application owners or other non-administrative users. If any objects owned by an application owner have been accessed by DBA/administrative users, either directly or indirectly, this is a finding.

Fix: F-46341r1_fix

Require DBAs and other administrative users to perform non-administrative functions using non-administrative accounts.

b
Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information within SQL Server.
AC-6 - Medium - CCI-000040 - V-41043 - SV-53418r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000040
Version
SQL2-00-009600
Vuln IDs
  • V-41043
Rule IDs
  • SV-53418r1_rule
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role-Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. To limit exposure when operating from within a privileged account or role, SQL Server does support organizational requirements that users of information system accounts, or roles, with access to an organization-defined list of security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other (non-security) system functions. When privileged activities are not separated from non-privileged activities, SQL Server could be subject to unauthorized changes of settings or data, which a standard user would not normally have access to outside of an authorized maintenance session. Often, administrator accounts have a unique prefix to help with identification. These accounts are located within SQL Server and may only provide access to one database instance or a limited number of database objects.
Checks: C-47660r2_chk

Obtain a list of SQL Server DBAs or other administrative accounts. Run the following SQL script to check all users’ permissions: SELECT SP1.[name] AS 'Login', 'Role: ' + SP2.[name] COLLATE DATABASE_DEFAULT AS 'ServerPermission' FROM sys.server_principals SP1 JOIN sys.server_role_members SRM ON SP1.principal_id = SRM.member_principal_id JOIN sys.server_principals SP2 ON SRM.role_principal_id = SP2.principal_id UNION ALL SELECT SP.[name] AS 'Login' , SPerm.state_desc + ' ' + SPerm.permission_name COLLATE DATABASE_DEFAULT AS 'ServerPermission' FROM sys.server_principals SP JOIN sys.server_permissions SPerm ON SP.principal_id = SPerm.grantee_principal_id ORDER BY [Login], [ServerPermission] If any DBA or administrative objects are owned by non-DBA or non-administrative accounts, this is a finding. If any DBA or administrator has authorization for non- administrative access to the system for which they are the administrator and they do not have a non-administrator account, this is a finding.

Fix: F-46342r2_fix

Remove DBA privileges and privileges to administer owned objects that are assigned to the administrator's non-DBA account. Remove the permission access from the account that has direct access by running the following script: USE master REVOKE <'server privilege name'> TO <'account name'> GO Remove the user account from the role's Member list where the account is not authorized for specified permission by running the following script: USE master ALTER SERVER ROLE [<'server role name'>] DROP MEMBER <'user name'> GO Provide administrators with separate accounts for administration and regular accounts for non-administrator activity.

b
SQL Server must restrict access to system tables, other configuration information, and metadata to DBAs and other authorized users.
AC-5 - Medium - CCI-000037 - V-41044 - SV-53419r1_rule
RMF Control
AC-5
Severity
M
CCI
CCI-000037
Version
SQL2-00-009400
Vuln IDs
  • V-41044
Rule IDs
  • SV-53419r1_rule
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of information systems. Administrative data includes SQL Server metadata and other configuration and management data. Unauthorized access to this data could result in unauthorized changes to database objects, access controls, or SQL Server configuration.
Checks: C-47661r2_chk

Obtain from system documentation or use SQL Server to determine privilege assignment of user-defined roles. Determine which user-defined roles grant privileges to system tables and configuration data stored in SQL Server. For each user: Navigate to SQL Server Management Studio &gt;&gt; Object Explorer &gt;&gt; &lt;'SQL Server name'&gt; &gt;&gt; Security &gt;&gt; Logins &gt;&gt; right click &lt;'user account name'&gt; &gt;&gt; Properties &gt;&gt; User &gt;&gt; Securables. If any item in the 'Permission' listing, for each highlighted item that exists in the 'Securables' listing, indicates direct permission access, this is a finding. Navigate from 'Securables' to 'Server Roles'. If any 'Server roles' are checked from the following listing, indicating direct permission access, this is a finding. System administrator Server roles: "bulkadmin", "dbcreator", "diskadmin", "processadmin", "securityadmin", "serveradmin", "setupadmin", "sysadmin". If any user-defined 'Server roles' with system table or configuration data privileges are checked that the user is not authorized to have, this is a finding. Navigate from 'Server Roles' to 'Users mapped to the login'. If any checked/highlighted 'Database role membership' shows any "Database role membership for:" indicating direct permission access, this is a finding.

Fix: F-46343r2_fix

Remove all direct access permissions and unauthorized permissions as required using the below instructions: Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account name'> >> Properties >> User >> Securables. Remove 'Securables' permissions from user account. Navigate from 'Securables' to 'Server Roles'. Remove 'Server Roles' permissions from user account. Navigate from 'Server Roles' to 'Users mapped to the login'. Remove 'Users mapped to the login' permissions from user account.

b
A single SQL Server database connection configuration file (or a single set of credentials) must not be used to configure all database clients.
AC-5 - Medium - CCI-000037 - V-41045 - SV-53420r1_rule
RMF Control
AC-5
Severity
M
CCI
CCI-000037
Version
SQL2-00-009100
Vuln IDs
  • V-41045
Rule IDs
  • SV-53420r1_rule
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of information systems. Many sites distribute a single SQL Server connection configuration file to all site database users that contains network access information for all databases on the site. Such a file provides information to access SQL Server databases not required by all users that may assist in unauthorized access attempts.
Checks: C-47662r2_chk

Check procedures for providing SQL Server database connection information to users/applications. If procedures do not indicate or implement restrictions to connections required by the particular user/application which indicate process of least privilege and specific authorization was employed, this is a finding.

Fix: F-46344r1_fix

Implement procedures to supply SQL Server database connection information to only those databases authorized for the user.

b
SQL Server must restrict access to sensitive information to authorized user roles.
AC-5 - Medium - CCI-000037 - V-41046 - SV-53421r1_rule
RMF Control
AC-5
Severity
M
CCI
CCI-000037
Version
SQL2-00-009000
Vuln IDs
  • V-41046
Rule IDs
  • SV-53421r1_rule
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of information systems. Unauthorized access to sensitive data may compromise the confidentiality of personnel privacy, threaten national security or compromise a variety of other sensitive operations. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user.
Checks: C-47663r2_chk

Obtain the list of available user-defined server roles from system documentation. Obtain the list of available user-defined server roles from the SQL Server system by running the following script: /********************************************************************************** LIST ALL INDIRECT (via ROLES) ACCESS TO THE SERVER PERMISSION. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO admin ACCOUNT found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('R') AND pe.grantee_principal_id &gt; 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name ORDER BY CASE pe.state WHEN 'D' THEN 1 WHEN 'W' THEN 2 WHEN 'G' THEN 3 ELSE 4 END If any listed user-defined roles are not found in the system documentation, this is a finding. Obtain the list assigned privileges for all user-defined roles in the system documentation. Check all SQL Server user-defined server roles for access rights as it relates to the separation of duties. Repeat steps for each user-defined server role. Navigate to SQL Server Management Studio &gt;&gt; Object Explorer &gt;&gt; &lt;'SQL Server name'&gt; &gt;&gt; Security &gt;&gt; Server Roles &gt;&gt; right click &lt;'user-defined server role name'&gt; &gt;&gt; Properties &gt;&gt; General &gt;&gt; Securables. If any user-defined role is assigned privileges that are not documented in the system documentation, this is a finding. If any user-defined role contains permissions that are inconsistent with separation sensitive information assignment, this is a finding. If system access requires more than one level of sensitive information access and the user-defined role names do not clearly differentiate between the different levels of sensitive information, this is a finding.

Fix: F-46345r2_fix

Add the user-defined server role to the system documentation. Add the assigned privileges of the user-defined server role to the system documentation. Remove the user from direct access to server permission by running the following script: USE master REVOKE <'server permission name'> TO <'account name'> CASCADE Remove server role permission from the user-defined server role by running the following script: USE master REVOKE <'server role name'> TO [<'server role name'>] Rename the user-defined role by running the following script: USE master ALTER SERVER ROLE [<'old role name'>] WITH NAME = [<'new role name'>]

b
SQL Server processes or services must run under custom, dedicated OS accounts.
AC-5 - Medium - CCI-000037 - V-41047 - SV-53422r1_rule
RMF Control
AC-5
Severity
M
CCI
CCI-000037
Version
SQL2-00-008900
Vuln IDs
  • V-41047
Rule IDs
  • SV-53422r1_rule
Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action. The DBMS must run under a custom, dedicated OS account. When the DBMS is running under a shared account, users with access to that account could inadvertently or maliciously make changes to the DBMS’s settings, files, or permissions.
Checks: C-47664r2_chk

Check OS settings to determine whether SQL Server processes are running under a dedicated OS account. If the SQL Server processes are running under shared accounts, this is a finding. From a Command Prompt, type services.msc, and press [ENTER]. Scroll down to the SQL Server Services. SQL Server Services begin with SQL. The following services, when present, should be listed as follows: Service Name: Log On As: SQL Full-text Filter Daemon Launcher NT Service\UNIQUE CUSTOM ACCOUNT SQL Server NT Service\UNIQUE CUSTOM ACCOUNT SQL Server Agent NT Service\UNIQUE CUSTOM ACCOUNT SQL Server Analysis Services NT Service\UNIQUE CUSTOM ACCOUNT SQL Server Browser Local Service SQL Server Distributed Replay Client NT Service\UNIQUE CUSTOM ACCOUNT SQL Server Distributed Replay Controller NT Service\UNIQUE CUSTOM ACCOUNT SQL Server Integration Services 11.0 NT Service\UNIQUE CUSTOM ACCOUNT SQL Server Reporting Services NT Service\UNIQUE CUSTOM ACCOUNT SQL Server VSS Writer NT Service\UNIQUE CUSTOM ACCOUNT UNIQUE CUSTOM ACCOUNT refers to an account with which no other service listed in the services.msc window is assigned. If any account requiring a unique custom account uses an account that any other service utilizes (regardless of service status), this is a finding.

Fix: F-46346r1_fix

Configure the SQL Server services to use a custom, dedicated OS account.

b
SQL Server must enforce separation of duties through assigned information access authorizations.
AC-5 - Medium - CCI-000037 - V-41202 - SV-53669r1_rule
RMF Control
AC-5
Severity
M
CCI
CCI-000037
Version
SQL2-00-008800
Vuln IDs
  • V-41202
Rule IDs
  • SV-53669r1_rule
Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action. Additionally, the person or entity accountable for monitoring the activity must be separate as well. To meet this requirement, applications, when applicable, shall be divided where functionality is based on roles and duties. Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles. Privileges granted outside the role of the application user job function are more likely to go unmanaged or without oversight for authorization. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment.
Checks: C-47792r2_chk

Check for direct user assignment to server permissions by running the following script: /********************************************************************************** LIST ALL DIRECT SERVER PERMISSIONS TO ANY ACCOUNT EXCEPT SYSTEM ADMINISTRATOR accounts. DO NOT LIST ROLES. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO admin ACCOUNT found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('K', 'S', 'U') AND pe.grantee_principal_id &gt; 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name ORDER BY CASE pr.type WHEN 'K' THEN 1 WHEN 'S' THEN 2 WHEN 'U' THEN 3 ELSE 4 END If any user account list indicates direct access to any server permission, this is a finding. Obtain the list of available user-defined server roles from system documentation. Obtain the list of available user-defined server roles from the SQL Server system by running the following script: /********************************************************************************** LIST ALL INDIRECT (via ROLES) ACCESS TO THE SERVER PERMISSION. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO admin ACCOUNT found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('R') AND pe.grantee_principal_id &gt; 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name ORDER BY CASE pe.state WHEN 'D' THEN 1 WHEN 'W' THEN 2 WHEN 'G' THEN 3 ELSE 4 END If any listed user-defined roles are not found in the system documentation, this is a finding. Obtain the list assigned privileges for all user-defined roles in the system documentation. Check all SQL Server user-defined server roles for access rights as it relates to the separation of duties. Repeat steps for each user-defined server role. Navigate to SQL Server Management Studio &gt;&gt; Object Explorer &gt;&gt; &lt;'SQL Server name'&gt; &gt;&gt; Security &gt;&gt; Server Roles &gt;&gt; right click &lt;'user-defined server role name'&gt; &gt;&gt; Properties &gt;&gt; General &gt;&gt; Securables. If any roles are found that do not enforce separation of duties, this is a finding.

Fix: F-46594r2_fix

Add the user-defined server role to the system documentation. Add the assigned privileges of the user-defined server role to the system documentation. Remove the user from direct access to server permission by running the following script: USE master REVOKE <'server permission name'> TO <'account name'> CASCADE Remove server role permission from the user-defined server role by running the following script: USE master REVOKE <'server role name'> TO [<'server role name'>]

b
SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.
AC-3 - Medium - CCI-001694 - V-41203 - SV-53670r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-001694
Version
SQL2-00-011100
Vuln IDs
  • V-41203
Rule IDs
  • SV-53670r1_rule
DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object, and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. Including or excluding access to the granularity of a single user means providing the capability to either allow or deny access to objects (e.g., files, folders) on a per single-user basis. Databases using DAC must have the ability for the owner of an object or information to assign or revoke rights to view or modify the object or information. If the owner of an object or information does not have rights to exclude access to an object or information at a user level, users may gain access to objects and information they are not authorized to view/modify.
Checks: C-47793r2_chk

Check for direct user assignment to server permissions by running the following script: /********************************************************************************** LIST ALL DIRECT SERVER PERMISSIONS TO ANY ACCOUNT EXCEPT SYSTEM ADMINISTRATOR accounts. DO NOT LIST ROLES. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO admin ACCOUNT found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('K', 'S', 'U') AND pe.grantee_principal_id &gt; 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name ORDER BY CASE pr.type WHEN 'K' THEN 1 WHEN 'S' THEN 2 WHEN 'U' THEN 3 ELSE 4 END If any user account list indicates direct access to any server permission, this is a finding. Obtain the list of available user-defined server roles from system documentation. Obtain the list of available user-defined server roles from the SQL Server system by running the following script: /********************************************************************************** LIST ALL INDIRECT (via ROLES) ACCESS TO THE SERVER PERMISSION. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO admin ACCOUNT found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('R') AND pe.grantee_principal_id &gt; 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name ORDER BY CASE pe.state WHEN 'D' THEN 1 WHEN 'W' THEN 2 WHEN 'G' THEN 3 ELSE 4 END If any listed user-defined roles are not found in the system documentation, this is a finding. Determine from system documentation if SQL Server has DAC policies implemented. If not, this is not a finding. Obtain the list of DAC system owners/users from the system documentation. Check all SQL Server user-defined server roles from the listing that assign DAC system owners permissions to exclude a single user from the DAC owners system. Repeat steps for each user-defined server role. Navigate to SQL Server Management Studio &gt;&gt; Object Explorer &gt;&gt; &lt;'SQL Server name'. If any roles are found that aren't enforcing access at the single user level, this is a finding.

Fix: F-46595r2_fix

Add the user-defined server role to the system documentation. Add the user as a member of the user-defined server role within the system documentation. Remove the user from direct access to server permission by running the following script: USE master REVOKE <'server permission name'> TO <'account name'> CASCADE Remove the user from user-defined role access by running the following script: USE master ALTER SERVER ROLE [<'server role name'>] DROP MEMBER <'user name'> Remove server role permission from the user-defined server role by running the following script: USE master REVOKE <'server role name'> TO [<'server role name'>]

b
SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
AC-3 - Medium - CCI-001693 - V-41204 - SV-53671r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-001693
Version
SQL2-00-011000
Vuln IDs
  • V-41204
Rule IDs
  • SV-53671r1_rule
Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. DAC models have the potential for the access controls to propagate without limit, resulting in unauthorized access to said objects. When applications provide a discretionary access control mechanism, the application must be able to limit the propagation of those access rights. The DBMS must ensure the recipient of permissions possesses only the access intended. The database must enforce the ability to limit rights propagation if that is the intent of the grantor. If the propagation of access rights is not limited, users with rights to objects they do not own can continue to grant rights to those objects to other users without limit.
Checks: C-47794r1_chk

Check for rights propagation assignment to server permissions by running the following query: Select * from sys.server_permissions If any of the records returned have the Grant with Grant in the state_desc column, this is a finding.

Fix: F-46596r1_fix

Revoke the Grant with Grant state and replace with Grant.

b
SQL Server must enforce DAC policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both; limiting propagation of access rights; and including or excluding access to the granularity of a single user.
AC-3 - Medium - CCI-001362 - V-41205 - SV-53672r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-001362
Version
SQL2-00-008500
Vuln IDs
  • V-41205
Rule IDs
  • SV-53672r1_rule
Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains). DAC is a type of access control methodology serving as a means of restricting access to objects and data based on the identity of subjects and/or groups to which they belong. It is discretionary in the sense that application users with the appropriate permissions to access an application resource or data have the discretion to pass that permission on to another user either directly or indirectly. Data protection requirements may result in a DAC policy being specified as part of the application design. Discretionary access controls would be employed at the application level to restrict and control access to application objects and data, thereby providing increased information security for the organization. When DAC controls are employed, those controls must limit sharing to named application users, groups of users, or both. The application DAC controls must also limit the propagation of access rights and have the ability to exclude access to data down to the granularity of a single user. Databases using DAC must have the ability for the owner of an object or information to assign or revoke rights to view or modify the object or information. If the owner of an object or information does not have rights to exclude access to an object or information at a user level, users may gain access to objects and information they are not authorized to view/modify.
Checks: C-47795r3_chk

Check for direct user assignment to server permissions by running the following script: /********************************************************************************** LIST ALL DIRECT SERVER PERMISSIONS TO ANY ACCOUNT EXCEPT SYSTEM ADMINISTRATOR accounts. DO NOT LIST ROLES. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO admin ACCOUNT found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('K', 'S', 'U') AND pe.grantee_principal_id &gt; 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name ORDER BY CASE pr.type WHEN 'K' THEN 1 WHEN 'S' THEN 2 WHEN 'U' THEN 3 ELSE 4 END If any user account list indicates direct access to any server permission, this is a finding. Obtain the list of available user-defined server roles from system documentation. Obtain the list of available user-defined server roles from the SQL Server system by running the following script: /********************************************************************************** LIST ALL INDIRECT (via ROLES) ACCESS TO THE SERVER PERMISSION. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO admin ACCOUNT found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('R') AND pe.grantee_principal_id &gt; 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name ORDER BY CASE pe.state WHEN 'D' THEN 1 WHEN 'W' THEN 2 WHEN 'G' THEN 3 ELSE 4 END If any listed user-defined roles are not found in the system documentation, this is a finding. Obtain the list of user role assignments in the system documentation. Check all SQL Server user-defined server roles for authorized and documented permission assignments. Repeat steps for each user-defined server role. Navigate to SQL Server Management Studio &gt;&gt; Object Explorer &gt;&gt; &lt;'SQL Server name'&gt; &gt;&gt; Security &gt;&gt; Server Roles &gt;&gt; right click &lt;'user-defined server role name'&gt; &gt;&gt; Properties &gt;&gt; Members. If any roles are found that are not authorized and documented, this is a finding.

Fix: F-46597r2_fix

Add the user-defined server role to the system documentation. Add the user as a member of the user-defined server role within the system documentation. Remove the user from direct access to server permission by running the following script: USE master REVOKE <'server permission name'> TO <'account name'> CASCADE Remove the user from user-defined role access by running the following script: USE master ALTER SERVER ROLE [<'server role name'>] DROP MEMBER <'user name'> Add the user-defined role access to the user by running the following script: USE master ALTER SERVER ROLE [<'server role name'>] ADD MEMBER <'user name'>

b
SQL Server must enforce access control policies to restrict the Unsafe assembly permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41206 - SV-53673r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-008400
Vuln IDs
  • V-41206
Rule IDs
  • SV-53673r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Unsafe assembly' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'Unsafe assembly' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47796r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Unsafe assembly' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Unsafe assembly' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Unsafe assembly' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46598r1_fix

Remove the 'Unsafe assembly' permission access from the role that is not authorized by executing the following query: REVOKE Unsafe assembly TO <'role name'>

b
SQL Server must not grant users direct access control to the Alter any endpoint permission.
AC-3 - Medium - CCI-000022 - V-41207 - SV-53674r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-008300
Vuln IDs
  • V-41207
Rule IDs
  • SV-53674r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter any endpoint' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47798r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter any endpoint' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any endpoint' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter any endpoint' permission, this is a finding.

Fix: F-46599r1_fix

Remove the 'Alter any endpoint' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER ANY ENDPOINT TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Alter any database permission.
AC-3 - Medium - CCI-000022 - V-41208 - SV-53675r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-008200
Vuln IDs
  • V-41208
Rule IDs
  • SV-53675r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter any database' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47799r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter any database' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any database' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter any database' permission, this is a finding.

Fix: F-46600r1_fix

Remove the 'Alter any database' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER ANY DATABASE TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Alter any credential permission.
AC-3 - Medium - CCI-000022 - V-41209 - SV-53677r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-008100
Vuln IDs
  • V-41209
Rule IDs
  • SV-53677r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter any credential' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47800r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter any credential' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any credential' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter any credential' permission, this is a finding.

Fix: F-46602r1_fix

Remove the 'Alter any credential' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER ANY CREDENTIAL TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Alter any connection permission.
AC-3 - Medium - CCI-000022 - V-41246 - SV-53727r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-008000
Vuln IDs
  • V-41246
Rule IDs
  • SV-53727r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter any connection' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47813r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter any connection' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any connection' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter any connection' permission, this is a finding.

Fix: F-46636r1_fix

Remove the 'Alter any connection' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER ANY CONNECTION TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Alter any availability group permission.
AC-3 - Medium - CCI-000022 - V-41247 - SV-53728r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-007900
Vuln IDs
  • V-41247
Rule IDs
  • SV-53728r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter any availability group' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47814r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter any availability group' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any availability group' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * fromsys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter any availability group' permission, this is a finding.

Fix: F-46637r1_fix

Remove the 'Alter any availability group' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER ANY AVAILABILITY GROUP TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Alter server state permission.
AC-3 - Medium - CCI-000022 - V-41248 - SV-53729r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-007800
Vuln IDs
  • V-41248
Rule IDs
  • SV-53729r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter server state' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47815r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter server state' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter server state' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter server state' permission, this is a finding.

Fix: F-46638r1_fix

Remove the 'Alter server state' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER SERVER STATE TO <'account name'> GO

b
SQL Server must enforce access control policies to restrict the Connect SQL permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41249 - SV-53730r2_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-007700
Vuln IDs
  • V-41249
Rule IDs
  • SV-53730r2_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Connect SQL' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'Connect SQL' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47817r3_chk

Obtain the list of roles that are authorized for the SQL Server 'Connect SQL' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Connect SQL' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Connect SQL' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46639r1_fix

Remove the 'Connect SQL' permission access from the role that is not authorized by executing the following query: REVOKE Connect SQL TO <'role name'>

b
SQL Server must not grant users direct access control to the Alter any event notification permission.
AC-3 - Medium - CCI-000022 - V-41250 - SV-53732r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-007600
Vuln IDs
  • V-41250
Rule IDs
  • SV-53732r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter any event notification' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47818r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter any event notification' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any event notification' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter any event notification' permission, this is a finding.

Fix: F-46641r1_fix

Remove the 'Alter any event notification' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER ANY EVENT NOTIFICATION TO <'account name'> GO

b
SQL Server must enforce access control policies to restrict the View any database permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41251 - SV-53733r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-007500
Vuln IDs
  • V-41251
Rule IDs
  • SV-53733r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'View any database' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'View any database' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47819r2_chk

Obtain the list of roles that are authorized for the SQL Server 'View any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'View any database' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If role has 'Grant', 'With Grant' or 'Deny' privileges to the 'View any database' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46642r1_fix

Remove the View any database' permission access from the role that is not authorized by executing the following query: REVOKE View any database TO <'role name'>

b
SQL Server must not grant users direct access control to the Alter any server audit permission.
AC-3 - Medium - CCI-000022 - V-41252 - SV-53734r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-007400
Vuln IDs
  • V-41252
Rule IDs
  • SV-53734r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter any server audit' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47820r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter any server audit' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any server audit' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter any server audit' permission, this is a finding.

Fix: F-46643r1_fix

Remove the 'Alter any server audit' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER ANY SERVER AUDIT TO <'account name'> GO

b
SQL Server must enforce access control policies to restrict the Shutdown permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41253 - SV-53735r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-007300
Vuln IDs
  • V-41253
Rule IDs
  • SV-53735r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Shutdown' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. , If the 'Shutdown' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47821r2_chk

Obtain the list of roles that are authorized for the SQL Server Shutdown' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Shutdown' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the "Shutdown" permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46644r1_fix

Remove the' 'Shutdown' permission access from the role that is not authorized by executing the following query: REVOKE Shutdown TO <'role name'>

b
SQL Server must enforce access control policies to restrict the External access assembly permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41254 - SV-53736r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-007200
Vuln IDs
  • V-41254
Rule IDs
  • SV-53736r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'External access assembly' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'External access assembly' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47822r2_chk

Obtain the list of roles that are authorized for the SQL Server 'External access assembly' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'External access assembly' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'External access assembly' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46645r1_fix

Remove the 'External access assembly' permission access from the role that is not authorized by executing the following query: REVOKE External access assembly TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Create trace event notification permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41255 - SV-53737r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-007100
Vuln IDs
  • V-41255
Rule IDs
  • SV-53737r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Create trace event notification' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'Create trace event notification' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47823r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Create trace event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Create trace event notification' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Create trace event notification' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46646r1_fix

Remove the 'Create trace event notification' permission access from the role that is not authorized by executing the following query: REVOKE Create trace event notification TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Create server role permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41256 - SV-53738r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-007000
Vuln IDs
  • V-41256
Rule IDs
  • SV-53738r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Create server role' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. , If the 'Create server role' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47824r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Create server role' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Create server role' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Create server role' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46647r1_fix

Remove the 'Create server role' permission access from the role that is not authorized by executing the following query: REVOKE Create server role TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Create endpoint permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41257 - SV-53739r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-006900
Vuln IDs
  • V-41257
Rule IDs
  • SV-53739r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Create endpoint' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'Create endpoint' permissions are granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47825r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Create endpoint' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Create endpoint' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Create endpoint' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46648r1_fix

Remove the 'Create endpoint' permission access from the role that is not authorized by executing the following query: REVOKE Create endpoint TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Create DDL event notification permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41258 - SV-53740r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-006800
Vuln IDs
  • V-41258
Rule IDs
  • SV-53740r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Create DDL event notification' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'Create DDL event notification' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47826r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Create DDL event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Create DDL event notification' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Create DDL event notification' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46649r1_fix

Remove the 'Create DDL event notification' permission access from the role that is not authorized by executing the following query: REVOKE Create DDL event notification TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Create availability group permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41259 - SV-53741r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-006700
Vuln IDs
  • V-41259
Rule IDs
  • SV-53741r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Create availability group' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'Create availability group' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47827r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Create availability group' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Create availability group' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Create availability group' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46650r1_fix

Remove the 'Create availability group' permission access from the role that is not authorized by executing the following query: REVOKE Create availability group TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Alter any server audit permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41260 - SV-53742r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-006600
Vuln IDs
  • V-41260
Rule IDs
  • SV-53742r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations, or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter any server audit' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Alter any server audit' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47828r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter any server audit' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any server audit' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any server audit' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46651r1_fix

Remove the 'Alter any server audit' permission access from the role that is not authorized by executing the following query: REVOKE Alter any server audit TO <'role name'>

b
SQL Server must enforce access control policies to restrict the View any definition permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41261 - SV-53743r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-006500
Vuln IDs
  • V-41261
Rule IDs
  • SV-53743r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'View any definition' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'View any definition' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47829r2_chk

Obtain the list of roles that are authorized for the SQL Server 'View any definition' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'View any definition' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'View any definition' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46652r1_fix

Remove the 'View any definition' permission access from the role that is not authorized by executing the following query: REVOKE View any definition TO <'role name'>

b
SQL Server must not grant users direct access control to the Authenticate server permission.
AC-3 - Medium - CCI-000022 - V-41262 - SV-53744r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-006400
Vuln IDs
  • V-41262
Rule IDs
  • SV-53744r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Authenticate server' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47830r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Authenticate server' by running the following query: Select * from sys.server_permissions where permission_name = 'Authenticate server' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Authenticate server' permission, this is a finding.

Fix: F-46653r1_fix

Remove the 'Authenticate server' permission access from the account that has direct access by running the following script: USE master REVOKE AUTHENTICATE SERVER TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Administer bulk operations permission.
AC-3 - Medium - CCI-000022 - V-41263 - SV-53745r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-006300
Vuln IDs
  • V-41263
Rule IDs
  • SV-53745r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Administer bulk operations' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47831r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Administer bulk operations' by running the following query: Select * from sys.server_permissions where permission_name = 'Administer bulk operations' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Administer bulk operations' permission, this is a finding.

Fix: F-46654r1_fix

Remove the 'Administer bulk operations' permission access from the account that has direct access by running the following script: USE master REVOKE ADMINISTER BULK OPERATIONS TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Create endpoint permission.
AC-3 - Medium - CCI-000022 - V-41264 - SV-53746r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-006200
Vuln IDs
  • V-41264
Rule IDs
  • SV-53746r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Create endpoint' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47832r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Create endpoint' by running the following query: Select * from sys.server_permissions where permission_name = 'Create endpoint' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Create endpoint' permission, this is a finding.

Fix: F-46655r1_fix

Remove the 'Create endpoint' permission access from the account that has direct access by running the following script: USE master REVOKE CREATE ENDPOINT TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Create DDL event notification permission.
AC-3 - Medium - CCI-000022 - V-41265 - SV-53747r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-006100
Vuln IDs
  • V-41265
Rule IDs
  • SV-53747r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Create DDL event notification' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47833r2_chk

The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Create DDL event notification' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.

Fix: F-46656r1_fix

Remove the 'Create DDL event notification' permission access from the account that has direct access by running the following script: USE master REVOKE CREATE DDL EVENT NOTIFICATION TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Create availability group permission.
AC-3 - Medium - CCI-000022 - V-41266 - SV-53748r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-006000
Vuln IDs
  • V-41266
Rule IDs
  • SV-53748r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Create availability group' permission is a high server level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47834r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Create availability group' by running the following query: Select * from sys.server_permissions where permission_name = 'Create availability group' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Create availability group' permission, this is a finding.

Fix: F-46657r1_fix

Remove the 'Create availability group' permission access from the account that has direct access by running the following script: USE master REVOKE CREATE AVAILABILITY GROUP TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Create any database permission.
AC-3 - Medium - CCI-000022 - V-41267 - SV-53749r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-005900
Vuln IDs
  • V-41267
Rule IDs
  • SV-53749r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Create any database' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47835r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Create any database' by running the following query: Select * from sys.server_permissions where permission_name = 'Create any database' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Create any database' permission, this is a finding.

Fix: F-46658r1_fix

Remove the 'Create any database'" permission access from the account that has direct access by running the following script: USE master REVOKE CREATE ANY DATABASE TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Control server permission.
AC-3 - Medium - CCI-000022 - V-41268 - SV-53750r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-005800
Vuln IDs
  • V-41268
Rule IDs
  • SV-53750r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Control server' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47836r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Control server' by running the following query: Select * from sys.server_permissions where permission_name = 'Control server' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Control server' permission, this is a finding.

Fix: F-46659r1_fix

Remove the 'Control server' permission access from the account that has direct access by running the following script: USE master REVOKE CONTROL SERVER TO <'account name'> GO

b
SQL Server must enforce access control policies to restrict the Administer bulk operations permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41269 - SV-53751r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-005700
Vuln IDs
  • V-41269
Rule IDs
  • SV-53751r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Administer bulk operations' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'Administer bulk operations' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47837r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Administer bulk operations' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Administer bulk operations' If any rows are returned, run the following query substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Administer bulk operations' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46660r1_fix

Remove the 'Administer bulk operations' permission access from the role that is not authorized by executing the following query: REVOKE Administer bulk operations TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Alter resources permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41270 - SV-53752r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-005600
Vuln IDs
  • V-41270
Rule IDs
  • SV-53752r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter resources' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'Alter resources' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47838r3_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter resources' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter resources' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Alter resources' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46661r1_fix

Remove the 'Alter resources' permission access from the role that is not authorized by executing the following query: REVOKE Alter resources TO <'role name'>

b
SQL Server must not grant users direct access control to the Alter any linked server permission.
AC-3 - Medium - CCI-000022 - V-41271 - SV-53753r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-005500
Vuln IDs
  • V-41271
Rule IDs
  • SV-53753r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter any linked server' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47839r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter any linked server' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any linked server' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter any linked server' permission, this is a finding.

Fix: F-46662r1_fix

Remove the 'Alter any linked server' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER ANY LINKED SERVER TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Connect SQL permission.
AC-3 - Medium - CCI-000022 - V-41272 - SV-53754r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-005400
Vuln IDs
  • V-41272
Rule IDs
  • SV-53754r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Connect SQL' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47840r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Connect SQL' by running the following query: Select * from sys.server_permissions where permission_name = 'Connect SQL' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Connect SQL' permission, this is a finding.

Fix: F-46663r1_fix

Remove the 'Connect SQL' permission access from the account that has direct access by running the following script: USE master REVOKE CONNECT SQL TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Alter any event session permission.
AC-3 - Medium - CCI-000022 - V-41273 - SV-53755r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-005300
Vuln IDs
  • V-41273
Rule IDs
  • SV-53755r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter any event session' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47841r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter any event session' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any event session' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter any event session' permission, this is a finding.

Fix: F-46664r1_fix

Remove the 'Alter any event session' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER ANY EVENT SESSION TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Alter trace permission.
AC-3 - Medium - CCI-000022 - V-41274 - SV-53756r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-005200
Vuln IDs
  • V-41274
Rule IDs
  • SV-53756r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter trace' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47842r2_chk

Obtain the list of accounts that have direct access to the Obtain the list of accounts that have direct access to the server-level permission 'Alter trace' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter trace' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter trace' permission, this is a finding.

Fix: F-46665r1_fix

Remove the 'Alter trace' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER TRACE TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Alter Settings permission.
AC-3 - Medium - CCI-000022 - V-41275 - SV-53757r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-005100
Vuln IDs
  • V-41275
Rule IDs
  • SV-53757r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter Settings' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47843r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter Settings' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter Settings' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter Settings' permission, this is a finding.

Fix: F-46666r1_fix

Remove the 'Alter Settings' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER SETTINGS TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Create trace event notification permission.
AC-3 - Medium - CCI-000022 - V-41276 - SV-53758r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-005000
Vuln IDs
  • V-41276
Rule IDs
  • SV-53758r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Create trace event notification' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47844r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Create trace event notification' by running the following query: Select * from sys.server_permissions where permission_name = 'Create trace event notification' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Create trace event notification' permission, this is a finding.

Fix: F-46667r1_fix

Remove the 'Create trace event notification' permission access from the account that has direct access by running the following script: USE master REVOKE CREATE TRACE EVENT NOTIFICATION TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Alter resources permission.
AC-3 - Medium - CCI-000022 - V-41277 - SV-53759r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-004900
Vuln IDs
  • V-41277
Rule IDs
  • SV-53759r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter resources' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47845r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter resources' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter resources' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter resources' permission, this is a finding.

Fix: F-46668r1_fix

Remove the 'Alter resources' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER RESOURCES TO <'account name'> GO

b
SQL Server must not grant users direct access control to the External access assembly permission.
AC-3 - Medium - CCI-000022 - V-41278 - SV-53760r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-004800
Vuln IDs
  • V-41278
Rule IDs
  • SV-53760r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'External access assembly' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47846r3_chk

Obtain the list of accounts that have direct access to the server-level permission 'External access assembly' by running the following query: Select * from sys.server_permissions where permission_name = 'External access assembly' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'External access assembly' permission, this is a finding.

Fix: F-46669r1_fix

Remove the 'External access assembly' permission access from the account that has direct access by running the following script: USE master REVOKE EXTERNAL ACCESS ASSEMBLY TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Alter any login permission.
AC-3 - Medium - CCI-000022 - V-41279 - SV-53761r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-004700
Vuln IDs
  • V-41279
Rule IDs
  • SV-53761r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter any login' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47847r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter any login' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any login' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter any login' permission, this is a finding.

Fix: F-46670r1_fix

Remove the 'Alter any login' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER ANY LOGIN TO <'account name'> GO

b
SQL Server must enforce access control policies to restrict the Alter any availability group permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41280 - SV-53762r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-004600
Vuln IDs
  • V-41280
Rule IDs
  • SV-53762r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations, or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter any availability group' permission is a high server-level privilege that must only be granted to individual administration accounts through roles and users. If the 'Alter any availability group' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47848r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter any availability group' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any availability group' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any availability group' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46671r1_fix

Remove the 'Alter any availability group' permission access from the role that is not authorized by executing the following query: REVOKE Alter any availability group TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Alter any login permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41281 - SV-53763r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-004500
Vuln IDs
  • V-41281
Rule IDs
  • SV-53763r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations, or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter any login' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Alter any login' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47849r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter any login' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any login' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any login' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46672r1_fix

Remove the 'Alter any login' permission access from the role that is not authorized by executing the following query: REVOKE Alter any login TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Alter any linked server permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41283 - SV-53765r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-004300
Vuln IDs
  • V-41283
Rule IDs
  • SV-53765r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations, or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter any linked server' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Alter any linked server' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47851r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter any linked server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any linked server' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any linked server' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46674r1_fix

Remove the 'Alter any linked server' permission access from the role that is not authorized by executing the following query: REVOKE Alter any linked server TO <'role name'>

b
SQL Server must not grant users direct access control to the Shutdown permission.
AC-3 - Medium - CCI-000022 - V-41284 - SV-53766r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-004200
Vuln IDs
  • V-41284
Rule IDs
  • SV-53766r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Shutdown' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47852r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Shutdown' by running the following query: Select * from sys.server_permissions where permission_name = 'Shutdown' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Shutdown' permission, this is a finding.

Fix: F-46675r1_fix

Remove the 'Shutdown' permission access from the account that has direct access by running the following script: USE master REVOKE SHUTDOWN TO <'account name'> GO

b
SQL Server must enforce access control policies to restrict the View server state permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41285 - SV-53767r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-004100
Vuln IDs
  • V-41285
Rule IDs
  • SV-53767r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'View server state' permission is a high server-level privilege that must only granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'View server state' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47853r2_chk

Obtain the list of roles that are authorized for the SQL Server 'View server state' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'View server state' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'View server state' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46676r1_fix

Remove the 'View server state' permission access from the role that is not authorized by executing the following query: REVOKE View server state TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Alter trace permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41286 - SV-53768r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-004000
Vuln IDs
  • V-41286
Rule IDs
  • SV-53768r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter trace' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'Alter trace' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47854r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter trace' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter trace' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Alter trace' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46677r1_fix

Remove the 'Alter trace' permission access from the role that is not authorized by executing the following query: REVOKE Alter trace TO <'role name'>

b
SQL Server must not grant users direct access control to the Unsafe assembly permission.
AC-3 - Medium - CCI-000022 - V-41287 - SV-53769r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-003900
Vuln IDs
  • V-41287
Rule IDs
  • SV-53769r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Unsafe assembly' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47855r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Unsafe assembly' by running the following query: Select * from sys.server_permissions where permission_name = 'Unsafe assembly' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Unsafe assembly' permission, this is a finding.

Fix: F-46678r1_fix

Remove the 'Unsafe assembly' permission access from the account that has direct access by running the following script: USE master REVOKE UNSAFE ASSEMBLY TO <'account name'> GO

b
SQL Server must enforce access control policies to restrict the Control server permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41288 - SV-53770r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-003800
Vuln IDs
  • V-41288
Rule IDs
  • SV-53770r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Control server' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'Control server' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47856r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Control server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Control server' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Control server' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46679r1_fix

Remove the 'Control server' permission access from the role that is not authorized by executing the following query: REVOKE Control server TO <'role name'>

b
SQL Server must not grant users direct access control to the Create server role permission.
AC-3 - Medium - CCI-000022 - V-41289 - SV-53771r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-003700
Vuln IDs
  • V-41289
Rule IDs
  • SV-53771r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Create server role' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47857r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Create server role' by running the following query: Select * from sys.server_permissions where permission_name = 'Create server role' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Create server role' permission, this is a finding.

Fix: F-46680r1_fix

Remove the 'Create server role' permission access from the account that has direct access by running the following script: USE master REVOKE CREATE SERVER ROLE TO <'account name'> GO

b
SQL Server must enforce access control policies to restrict the Alter any server role permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41290 - SV-53772r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-003600
Vuln IDs
  • V-41290
Rule IDs
  • SV-53772r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations, or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter any server role' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Alter any server role' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47858r3_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter any server role' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any server role' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any server role' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46681r1_fix

Remove the 'Alter any server role' permission access from the role that is not authorized by executing the following query: REVOKE Alter any server role TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Alter Settings permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41291 - SV-53773r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-003500
Vuln IDs
  • V-41291
Rule IDs
  • SV-53773r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter Settings' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'Alter Settings' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47859r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter Settings' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter Settings' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Alter Settings' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46682r1_fix

Remove the 'Alter Settings' permission access from the role that is not authorized by executing the following query: REVOKE Alter Settings TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Authenticate server permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41292 - SV-53774r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-003400
Vuln IDs
  • V-41292
Rule IDs
  • SV-53774r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations, or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Authenticate server' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Authenticate server' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47860r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Authenticate server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Authenticate server' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Authenticate server' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46683r1_fix

Remove the 'Authenticate server' permission access from the role that is not authorized by executing the following query: REVOKE Authenticate server TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Create any database permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41293 - SV-53775r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-003300
Vuln IDs
  • V-41293
Rule IDs
  • SV-53775r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Create any database' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'Create any database' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47861r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Create any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Create any database' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Create any database' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46684r1_fix

Remove the 'Create any database' permission access from the role that is not authorized by executing the following query: REVOKE Create any database TO <'role name'>

b
SQL Server must not grant users direct access control to the View server state permission.
AC-3 - Medium - CCI-000022 - V-41294 - SV-53776r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-003200
Vuln IDs
  • V-41294
Rule IDs
  • SV-53776r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'View server state' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47862r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'View server state' by running the following query: Select * from sys.server_permissions where permission_name = 'View server state' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'View server state' permission, this is a finding.

Fix: F-46685r1_fix

Remove the 'View server state' permission access from the account that has direct access by running the following script: USE master REVOKE VIEW SERVER STATE TO <'account name'> GO

b
SQL Server must not grant users direct access control to the Alter any server role permission.
AC-3 - Medium - CCI-000022 - V-41295 - SV-53777r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-003100
Vuln IDs
  • V-41295
Rule IDs
  • SV-53777r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'Alter any server role' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47863r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'Alter any server role' by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any server role' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'Alter any server role' permission, this is a finding.

Fix: F-46686r1_fix

Remove the 'Alter any server role' permission access from the account that has direct access by running the following script: USE master REVOKE ALTER ANY SERVER ROLE TO <'account name'> GO

b
SQL Server must not grant users direct access control to the View any definition permission.
AC-3 - Medium - CCI-000022 - V-41296 - SV-53778r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-003000
Vuln IDs
  • V-41296
Rule IDs
  • SV-53778r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment. SQL Server's 'View any definition' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.
Checks: C-47864r2_chk

Obtain the list of accounts that have direct access to the server-level permission 'View any definition' by running the following query: Select * from sys.server_permissions where permission_name = 'View any definition' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where principal_id = &lt;grantee_principal_id&gt; If any user accounts have direct access to the 'View any definition' permission, this is a finding.

Fix: F-46687r1_fix

Remove the 'View any definition' permission access from the account that has direct access by running the following script: USE master REVOKE VIEW ANY DEFINITION TO <'account name'> GO

b
SQL Server must enforce access control policies to restrict the Alter any connection permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41297 - SV-53779r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-002900
Vuln IDs
  • V-41297
Rule IDs
  • SV-53779r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations, or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter any connection' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Alter any connection' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47865r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter any connection' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any connection' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any connection' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46688r1_fix

Remove the 'Alter any connection' permission access from the role that is not authorized by executing the following query: REVOKE Alter any connection TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Alter any credential permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41298 - SV-53780r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-002800
Vuln IDs
  • V-41298
Rule IDs
  • SV-53780r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations, or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter any credential' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Alter any credential' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47866r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter any credential' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any credential' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any credential' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46689r1_fix

Remove the 'Alter any credential' permission access from the role that is not authorized by executing the following query: REVOKE Alter any credential TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Alter any database permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41299 - SV-53781r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-002700
Vuln IDs
  • V-41299
Rule IDs
  • SV-53781r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations, or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter any database' permission is a high server-level privilege that must only be granted to individual administration accounts through roles If the 'Alter any database' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47867r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any database' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any database' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46690r1_fix

Remove the 'Alter any database' permission access from the role that is not authorized by executing the following query: REVOKE Alter any database TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Alter any endpoint permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41300 - SV-53782r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-002600
Vuln IDs
  • V-41300
Rule IDs
  • SV-53782r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations, or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter any endpoint' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Alter any endpoint' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47868r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter any endpoint' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any endpoint' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any endpoint' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46691r1_fix

Remove the 'Alter any endpoint' permission access from the role that is not authorized by executing the following query: REVOKE Alter any endpoint TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Alter any event notification permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41301 - SV-53783r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-002500
Vuln IDs
  • V-41301
Rule IDs
  • SV-53783r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations, or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter any event notification' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Alter any event notification' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47869r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter any event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any event notification' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any event notification' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46692r1_fix

Remove the 'Alter any event notification' permission access from the role that is not authorized by executing the following query: REVOKE Alter any event notification TO <'role name'>

b
SQL Server must enforce access control policies to restrict the Alter any event session permission to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41302 - SV-53784r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-002400
Vuln IDs
  • V-41302
Rule IDs
  • SV-53784r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations, or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter any event session' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Alter any event session' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47870r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter any event session' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter any event session' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any event session' permission and the user is not authorized to have the permission, this is a finding.

Fix: F-46693r1_fix

Remove the 'Alter any event session' permission access from the role that is not authorized by executing the following query: REVOKE Alter any event session TO <'role name'>

b
SQL Server must enforce access control policies to restrict Alter server state permissions to only authorized roles.
AC-3 - Medium - CCI-000022 - V-41303 - SV-53785r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-002300
Vuln IDs
  • V-41303
Rule IDs
  • SV-53785r1_rule
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. SQL Server's 'Alter server state' permission is a high server-level privilege that must only be granted to individual administration accounts through roles, and users who have access must require this privilege to accomplish the organizational missions and/or functions. If the 'Alter server state' permissions are granted to roles that are unauthorized to have this privilege, then this access must be removed.
Checks: C-47871r2_chk

Obtain the list of roles that are authorized for the SQL Server 'Alter server state' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: Select * from sys.server_permissions where permission_name = 'Alter server state' If any rows are returned, run the following query, substituting the &lt;grantee_principal_id&gt; with those returned in the previous query. Select * from sys.server_principals where type = 'R' and principal_id = &lt;grantee_principal_id&gt; If role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Alter server state' permission and the role is not authorized to have the permission, this is a finding.

Fix: F-46694r2_fix

Remove the 'Alter server state' permission access from the role that is not authorized by executing the following query: REVOKE Alter server state TO <'role name'>

b
SQL Server must enforce non-DAC policies over users and resources where the policy rule set for each policy specifies access control information (i.e., position, nationality, age, project, time of day).
AC-3 - Medium - CCI-000022 - V-41304 - SV-53786r1_rule
RMF Control
AC-3
Severity
M
CCI
CCI-000022
Version
SQL2-00-002200
Vuln IDs
  • V-41304
Rule IDs
  • SV-53786r1_rule
Non-DACs controls are determined by policy makers and are managed centrally or by a central authority. These controls must not be changed at the discretion of ordinary application users. Data protection requirements may result in a non-DAC policy being specified as part of the application design. Non-DACs are employed at the application level to restrict and control access to application data, thereby providing increased information security for the organization. SQL Server Non-DAC is maintained through the use of Roles. Roles are set up within SQL Server to grant user accounts read and/or write permissions to system objects: databases, tables, columns, etc. After a role is created, user accounts can be assigned to a role granting them permissions of that role. If users have permissions to database objects that they are not authorized to have, the user account that has access to the unauthorized database object must be removed from the role that grants that access. Policy rule sets would be developed to establish that each user receives only the information to which the user is authorized. Frequently, roles grant access to multiple privileges; if a user is authorized and determined to need access to authorized privilege granted by a role, and unauthorized for other privileges of that same role, it may be necessary to split the privileges of one role into two roles.
Checks: C-47873r2_chk

Check for direct user assignment to server permissions by running the following script: /********************************************************************************** LIST ALL DIRECT SERVER PERMISSIONS TO ANY ACCOUNT EXCEPT SYSTEM ADMINISTRATOR accounts. DO NOT LIST ROLES. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO admin ACCOUNT found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('K', 'S', 'U') AND pe.grantee_principal_id &gt; 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name ORDER BY CASE pr.type WHEN 'K' THEN 1 WHEN 'S' THEN 2 WHEN 'U' THEN 3 ELSE 4 END If any user account list indicates direct access to any server permission, this is a finding. Obtain the list of available user-defined server roles from system documentation. Obtain the list of available user-defined server roles from the SQL Server system by running the following script: /********************************************************************************** LIST ALL INDIRECT (via ROLES) ACCESS TO THE SERVER PERMISSION. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO admin ACCOUNT found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('R') AND pe.grantee_principal_id &gt; 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name ORDER BY CASE pe.state WHEN 'D' THEN 1 WHEN 'W' THEN 2 WHEN 'G' THEN 3 ELSE 4 E Obtain the list of user role assignments in the system documentation. Check all SQL Server user-defined server roles for authorized and documented permission assignments. Repeat steps for each user-defined server role. Navigate to SQL Server Management Studio &gt;&gt; Object Explorer &gt;&gt; &lt;'SQL Server name'&gt; &gt;&gt; Security &gt;&gt; Server Roles &gt;&gt; right click &lt;'user-defined server role name'&gt; &gt;&gt; Properties &gt;&gt; Members. If both user-defined role(s) and user(s) are listed as "Member of this role", this is a propagation of access rights, and this is a finding.

Fix: F-46695r2_fix

Add the user as a member of the user-defined server role within the system documentation. Remove the user from direct access to server permission by running the following script: USE master REVOKE <'server permission name'> TO <'account name'> CASCADE Remove the user from user-defined role access by running the following script: USE master ALTER SERVER ROLE [<'server role name'>] DROP MEMBER <'user name'>

b
SQL Server must notify appropriate individuals when accounts are modified.
AC-2 - Medium - CCI-001684 - V-41305 - SV-53787r2_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001684
Version
SQL2-00-023300
Vuln IDs
  • V-41305
Rule IDs
  • SV-53787r2_rule
Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to modify an existing account for later use. Notification of account creation is one method and best practice for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and/or application owners exist. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Checks: C-47874r4_chk

Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Fix: F-46696r3_fix

-- Run this script to create and start an audit trace that audits required events. -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances. -- The database server must be restarted for the trace to take effect. USE master; GO BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH; GO CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT; DECLARE @TraceID INT; DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4) DECLARE @tracefile NVARCHAR(128) = 'D:<path>\<filename>'; -- Trace file location and beginning of file name (SQL Server adds a suffix) DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes DECLARE @stoptime datetime = null; -- do not stop DECLARE @filecount INT = 10; -- Number of trace files in the rollover set EXEC @rc = SP_TRACE_CREATE @TraceID output, @options, @tracefile, @maxfilesize, @stoptime, @filecount ; IF (@rc != 0) GOTO Error; -- Set the events: DECLARE @on BIT = 1; -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on; -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on; -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on; -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on; -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on; -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on; -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on; -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on; -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on; -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on; -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on; -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on; -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on; -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on; -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on; -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on; -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on; -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on; -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on; -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on; -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on; -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on; -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on; -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on; -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on; -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on; -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on; -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on; -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on; -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on; -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1; -- Display trace ID for future reference. SELECT @TraceID AS TraceID; GOTO Finish; Error: SELECT @rc AS ErrorCode; Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true'; GO -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

b
SQL Server must automatically audit account modification.
AC-2 - Medium - CCI-001403 - V-41306 - SV-53788r2_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001403
Version
SQL2-00-001900
Vuln IDs
  • V-41306
Rule IDs
  • SV-53788r2_rule
Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method and best practice for mitigating this risk. A comprehensive application account management process ensures an audit trail automatically documents the modification of application user accounts and, as required, notifies administrators, application owners, and/or appropriate individuals. Applications must provide this capability directly, leverage complimentary technology providing this capability, or a combination thereof. Automated account-auditing processes greatly reduce the risk that accounts will be surreptitiously modified, and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Checks: C-47875r4_chk

Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Fix: F-46697r3_fix

-- Run this script to create and start an audit trace that audits required events. -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances. -- The database server must be restarted for the trace to take effect. USE master; GO BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH; GO CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT; DECLARE @TraceID INT; DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4) DECLARE @tracefile NVARCHAR(128) = 'D:<path>\<filename>'; -- Trace file location and beginning of file name (SQL Server adds a suffix) DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes DECLARE @stoptime datetime = null; -- do not stop DECLARE @filecount INT = 10; -- Number of trace files in the rollover set EXEC @rc = SP_TRACE_CREATE @TraceID output, @options, @tracefile, @maxfilesize, @stoptime, @filecount ; IF (@rc != 0) GOTO Error; -- Set the events: DECLARE @on BIT = 1; -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on; -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on; -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on; -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on; -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on; -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on; -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on; -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on; -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on; -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on; -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on; -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on; -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on; -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on; -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on; -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on; -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on; -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on; -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on; -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on; -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on; -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on; -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on; -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on; -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on; -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on; -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on; -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on; -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on; -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on; -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1; -- Display trace ID for future reference. SELECT @TraceID AS TraceID; GOTO Finish; Error: SELECT @rc AS ErrorCode; Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true'; GO -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

b
SQL Server must ensure that remote sessions that access an organization-defined list of security functions and security-relevant information are audited.
AC-17 - Medium - CCI-001454 - V-41307 - SV-53789r2_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001454
Version
SQL2-00-001600
Vuln IDs
  • V-41307
Rule IDs
  • SV-53789r2_rule
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network and system access is accomplished by leveraging common communication protocols to establish a remote connection. These connections will typically originate over either the public Internet or the Public Switched Telephone Network (PSTN). Neither of these internetworking mechanisms is private or secure, and they do not by default restrict access to networked resources once connectivity is established. Numerous best practices are employed to protect remote connections, such as utilizing encryption to protect data sessions and firewalls to restrict and control network connectivity. In addition to these protections, auditing must also be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident.
Checks: C-47876r4_chk

Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.

Fix: F-46698r5_fix

-- Run this script to create and start an audit trace that audits required events. -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances. -- The database server must be restarted for the trace to take effect. USE master; GO BEGIN TRY DROP PROCEDURE fso_audit END TRY BEGIN CATCH END CATCH; GO CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT; DECLARE @TraceID INT; DECLARE @options INT = 6; -- 6 specifies TRACE_FILE_ROLLOVER (2) and SHUTDOWN_ON_ERROR (4) DECLARE @tracefile NVARCHAR(128) = 'D:<path>\<filename>'; -- Trace file location and beginning of file name (SQL Server adds a suffix) DECLARE @maxfilesize BIGINT = 500; -- Trace file size limit in megabytes DECLARE @stoptime datetime = null; -- do not stop DECLARE @filecount INT = 10; -- Number of trace files in the rollover set EXEC @rc = SP_TRACE_CREATE @TraceID output, @options, @tracefile, @maxfilesize, @stoptime, @filecount ; IF (@rc != 0) GOTO Error; -- Set the events: DECLARE @on BIT = 1; -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on; -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on; -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on; -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on; -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on; -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on; -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on; -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on; -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on; -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on; -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on; -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on; -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on; -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on; -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on; -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on; -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on; -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on; -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on; -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on; -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on; -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on; -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on; -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on; -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on; -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on; -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on; -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on; -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on; -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on; -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on; -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on; -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on; -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on; -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on; -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on; -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on; -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on; -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on; -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on; -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on; -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on; -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on; -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on; -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on; -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on; -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on; -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on; -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on; -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on; -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on; -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on; -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on; -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on; -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on; -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on; -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on; -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on; -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on; -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on; -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on; -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on; -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on; EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on; -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1; -- Display trace ID for future reference. SELECT @TraceID AS TraceID; GOTO Finish; Error: SELECT @rc AS ErrorCode; Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true'; GO -- Note: Replace 'D:<path>\<filename>' with the path and file name to your audit file. -- Adjust the other parameters of SP_TRACE_CREATE to suit your system's circumstances.

b
SQL Server, when providing remote access capabilities, must utilize approved cryptography to protect the integrity of remote access sessions.
AC-17 - Medium - CCI-001453 - V-41308 - SV-53790r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
SQL2-00-001400
Vuln IDs
  • V-41308
Rule IDs
  • SV-53790r1_rule
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). The session data traversing the remote connection could be intercepted and compromised. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. If cryptography is not used, then the session data traversing the remote connection could be intercepted and potentially modified. Cryptography provides a means to secure the remote connection to prevent unauthorized changes to the data traversing the remote access connection, thereby providing a degree of integrity. The encryption strength of the mechanism is selected based on the security categorization of the information that is traversing the remote connection. Databases that accept remote connections must use approved cryptography to protect data being passed via an unsecure network. If approved cryptography is not used, data can be intercepted and potentially modified.
Checks: C-47877r3_chk

From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager &gt;&gt; SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab. If it is a DoD certificate, this is not a finding. If Force Encryption set to NO and a DOD certificate is not utilized, this is a finding.

Fix: F-46699r2_fix

Configure SQL Server to encrypt data passing over remote connections. From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, set Force Encryption to YES, and provide a DoD certificate on the Certificate tab.

b
SQL Server, when providing remote access capabilities, must utilize organization-defined cryptography to protect the confidentiality of data passing over remote access sessions.
AC-17 - Medium - CCI-000068 - V-41309 - SV-53791r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000068
Version
SQL2-00-001300
Vuln IDs
  • V-41309
Rule IDs
  • SV-53791r1_rule
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). The session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information traversing the remote connection. Databases that accept remote connections must use approved cryptography to prevent disclosure of data being passed via an unsecure network. If approved cryptography is not used, data can be intercepted or compromised.
Checks: C-47878r2_chk

From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager &gt;&gt; SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab. If it is a DoD Certificate, this is not a finding. If Force Encryption is set to NO, or a DoD Certificate is not utilized, this is a finding.

Fix: F-46700r2_fix

Configure SQL Server to encrypt data passing over remote connections. From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, set Force Encryption to YES, and provide a DoD certificate on the Certificate tab.

b
SQL Server must utilize approved cryptography when passing authentication data for remote access sessions.
AC-17 - Medium - CCI-000068 - V-41310 - SV-53792r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000068
Version
SQL2-00-001200
Vuln IDs
  • V-41310
Rule IDs
  • SV-53792r1_rule
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms is private or secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information traversing the remote connection. Login/account information can be compromised if authentication data being passed over a public network is not secured via approved cryptography. This can result in unauthorized access to the database.
Checks: C-47879r2_chk

From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager &gt;&gt; SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab. If it is a DoD Certificate, this is not a finding. If Force Encryption is set to NO, determine via system documentation what type of database connections are used by applications that connect to the database. If applications only connect with OLE DB connections (tools such as SQL Server Management Studio and SQLCMD utilize OLE DB), this is not a finding. If any other types of connections are utilized, and visible proof of encryption of authentication data cannot be witnessed, this is a finding.

Fix: F-46701r2_fix

Configure SQL Server to encrypt authentication data for remote connections using organization-defined encryption. Deploy organization-approved encryption to the SQL Server Network Connections. From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, set Force Encryption to YES, and provide a DOD certificate on the Certificate tab.

b
SQL Server must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.
AC-10 - Medium - CCI-000054 - V-41311 - SV-53793r1_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
SQL2-00-000100
Vuln IDs
  • V-41311
Rule IDs
  • SV-53793r1_rule
A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization’s internal network from being directly affected by DoS attacks. Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. One way SQL Server can limit exposure of DoS attacks is through limiting the number of connections that can be opened by a single user. SQL Server supports this through the use of logon triggers.
Checks: C-47880r2_chk

Determine if a logon trigger exists. This trigger will be in the master database. If a trigger exists, determine if the trigger will deny logon if a maximum number of concurrent sessions for a given account is exceeded. For each user within SQL Server, ensure that the logon trigger has been applied. If a logon trigger to limit concurrent sessions by a single account hasn’t been applied to system users, this is a finding.

Fix: F-46702r2_fix

Implement logon triggers to restrict users from logging on multiple times.

b
Domain accounts used to manage a SQL Server platform must be different from those used to manage other platforms.
CM-6 - Medium - CCI-000366 - V-43196 - SV-55935r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SQL2-00-024600
Vuln IDs
  • V-43196
Rule IDs
  • SV-55935r1_rule
Separate accounts used to manage the SQL Server platform help prevent a lateral move within an environment if SQL were to be compromised.
Checks: C-49206r1_chk

Determine the accounts being used to manage the SQL Server operating system. Determine whether the same accounts are being used to manage other platforms. If the same account is used to manage more than one platform, this is a finding. Note: If, because of the application configuration, there are multiple instances of SQL that would share a given exploit, a single account would be allowed to be used for the group and would not be considered a finding.

Fix: F-48769r1_fix

Set up and use separate domain accounts to manage the SQL Server platform. These accounts must be different from those used to manage other platforms.