The audit information produced by Azure SQL Managed Instance must be protected from unauthorized access.

Severity: medium
Group ID: V-276298
Group Title: SRG-APP-000118-DB-000059
Version: MSQL-D0-005900
Rule ID: SV-276298r1150102_rule
Date: 2025-10-07
STIG Version: 1
Description
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could potentially use to their advantage.

To ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, copy, etc.

This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files have the proper file system permissions, using file system protections, and limiting the locations where log data is stored.

Additionally, applications with user interfaces to audit records must not allow the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring that audit information is protected from unauthorized access. Azure SQL Managed Instance is able to view and manipulate audit file data.

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.

Satisfies: SRG-APP-000118-DB-000059, SRG-APP-000119-DB-000060, SRG-APP-000120-DB-000061
ℹ️ Check
To obtain the Azure SQL Managed Instance audit file location(s), connect to the Azure SQL Managed Instance in SSMS and run the following query:

    SELECT
        [AuditStorageAccount] = SUBSTRING(audit_file_path,
            CHARINDEX('://', audit_file_path) + 3,
            CHARINDEX('.', audit_file_path) - CHARINDEX('://', audit_file_path) - 3),
        [AuditContainer] = SUBSTRING(audit_file_path,
            CHARINDEX('/', audit_file_path, CHARINDEX('//', audit_file_path) + 2) + 1,
            CHARINDEX('/', audit_file_path, CHARINDEX('/', audit_file_path, CHARINDEX('//', audit_file_path) + 2) + 1)
                - CHARINDEX('/', audit_file_path, CHARINDEX('//', audit_file_path) + 2) - 1)
    FROM sys.dm_server_audit_status
    WHERE audit_file_path IS NOT NULL

The result will display the name of the storage account where the audit data is stored and the audit container. Review the storage settings for the audit.

Verify that the audit storage has the correct permissions by doing the following:

1. Navigate to the audit storage account, then select "Containers" under the Data Storage heading.
2. Select the Audit Container name from the query result.
3. Scroll to the Settings heading on the left-side menu and select "Configuration".
4. Verify the following settings:
   - "Secure transfer required" must be Enabled.
   - "Allow Blob anonymous access" must be Disabled.
   - "Allow storage account key access" must be Disabled.
   - "Allow recommended upper limit for shared access signature (SAS) expiry interval" must have an organizationally defined limit.
   - "Minimum TLS version" must be set to the latest available version that is supported by the application.

Any settings that do not match the above requirements must be approved and documented; if they are not, this is a finding.
✔️ Fix
Modify the storage permissions to meet the requirement to protect the audit data against unauthorized access. Navigate to the Azure Portal and review the audit storage configuration:

1. Navigate to the audit storage account, then select "Containers" under the Data Storage heading.
2. Select the Audit Container name from the query result.
3. Scroll to the Settings heading on the left-side menu and select "Configuration".
   - Set "Secure transfer required" to Enabled.
   - Set "Allow Blob anonymous access" to Disabled.
   - Set "Allow storage account key access" to Disabled.
   - Set "Allow recommended upper limit for shared access signature (SAS) expiry interval" to an organizationally defined limit.
   - Set "Minimum TLS version" to the latest available version that is supported by the application.
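The Check and Fix above walk through the Portal by hand. As an added example (not part of the STIG or Microsoft's tooling), the script below does the same evaluation offline: it splits a constructed audit_file_path the way the T-SQL query does, then scores a constructed storage-account record against the five listed settings. The JSON field names are assumed to match the output of `az storage account show`, and TLS 1.2 is assumed to be the latest version the application supports.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of the JSON `az storage account show` returns; the field
# names below are assumed to match that output (verify against your CLI).
SAMPLE_ACCOUNT_JSON = """{
  "enableHttpsTrafficOnly": true,
  "allowBlobPublicAccess": true,
  "allowSharedKeyAccess": false,
  "minimumTlsVersion": "TLS1_1",
  "sasPolicy": null
}"""
# Constructed audit_file_path of the form sys.dm_server_audit_status reports.
SAMPLE_AUDIT_PATH = "https://auditstg01.blob.core.windows.net/sqldbauditlogs/mi01/"
REQUIRED_TLS = "TLS1_2"  # assumption: latest version the application supports

def parse_audit_path(audit_file_path):
    """Same split as the page's T-SQL query: (storage account, container)."""
    parts = urlparse(audit_file_path)
    account = parts.netloc.split(".")[0]  # host label before ".blob"
    container = parts.path.lstrip("/").split("/")[0]
    return account, container

def tls_rank(version):
    """'TLS1_2' -> (1, 2); a missing or unparseable version ranks lowest."""
    m = re.fullmatch(r"TLS(\d+)_(\d+)", version or "")
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

def evaluate_storage_settings(account, tls_required=REQUIRED_TLS):
    """Return the rule's findings for one account; [] means compliant."""
    findings = []
    if account.get("enableHttpsTrafficOnly") is not True:
        findings.append("Secure transfer required is not Enabled")
    if account.get("allowBlobPublicAccess") is not False:
        findings.append("Allow Blob anonymous access is not Disabled")
    if account.get("allowSharedKeyAccess") is not False:  # null = allowed
        findings.append("Allow storage account key access is not Disabled")
    if not (account.get("sasPolicy") or {}).get("sasExpirationPeriod"):
        findings.append("No SAS expiry interval limit is defined")
    if tls_rank(account.get("minimumTlsVersion")) < tls_rank(tls_required):
        findings.append(f"Minimum TLS version is below {tls_required}")
    return findings

def check_sample():
    """Evaluate the constructed sample account; expect three findings."""
    return evaluate_storage_settings(json.loads(SAMPLE_ACCOUNT_JSON))
```

Each finding corresponds to one Portal setting the Fix section tells you to change; a missing or null field is treated as non-compliant rather than assumed safe.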