Azure SQL Managed Instance must protect its audit configuration from unauthorized access, modification, and deletion.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-276299	SRG-APP-000121-DB-000202	MSQL-D0-006200	SV-276299r1149806_rule	2025-10-07	1

Description
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data; therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the deletion of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. This focuses on external tools for log maintenance and review. Other STIG requirements govern SQL privileges to maintain trace or audit definitions. Satisfies: SRG-APP-000121-DB-000202, SRG-APP-000122-DB-000203, SRG-APP-000123-DB-000204

Description

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data; therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the deletion of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. This focuses on external tools for log maintenance and review. Other STIG requirements govern SQL privileges to maintain trace or audit definitions. Satisfies: SRG-APP-000121-DB-000202, SRG-APP-000122-DB-000203, SRG-APP-000123-DB-000204

ℹ️ Check
Check the documentation for a list of approved users with access to Azure SQL Managed Instance Audit files. To create, alter, or drop a server audit, principals require the ALTER ANY SERVER AUDIT or the CONTROL SERVER permission. Review the SQL Server permissions granted to principals. Look for permissions ALTER ANY SERVER AUDIT, ALTER ANY DATABASE AUDIT, CONTROL SERVER: SELECT login.name, perm.permission_name, perm.state_desc FROM sys.server_permissions perm JOIN sys.server_principals login ON perm.grantee_principal_id = login.principal_id WHERE permission_name in ('ALTER ANY DATABASE AUDIT', 'ALTER ANY SERVER AUDIT', 'CONTROL SERVER') AND login.name not like '##MS_%'; Modify audit permissions to meet the requirement to protect against unauthorized access to Audit files. To review the roles and users, navigate to the Azure Portal, and review the Azure Storage container that is hosting the Audit files. Remove any undocumented permissions or excessive permissions to audit storage for user and roles. If unauthorized accounts have these privileges, this is a finding.

ℹ️ Check

Check the documentation for a list of approved users with access to Azure SQL Managed Instance Audit files. To create, alter, or drop a server audit, principals require the ALTER ANY SERVER AUDIT or the CONTROL SERVER permission. Review the SQL Server permissions granted to principals. Look for permissions ALTER ANY SERVER AUDIT, ALTER ANY DATABASE AUDIT, CONTROL SERVER: SELECT login.name, perm.permission_name, perm.state_desc FROM sys.server_permissions perm JOIN sys.server_principals login ON perm.grantee_principal_id = login.principal_id WHERE permission_name in ('ALTER ANY DATABASE AUDIT', 'ALTER ANY SERVER AUDIT', 'CONTROL SERVER') AND login.name not like '##MS_%'; Modify audit permissions to meet the requirement to protect against unauthorized access to Audit files. To review the roles and users, navigate to the Azure Portal, and review the Azure Storage container that is hosting the Audit files. Remove any undocumented permissions or excessive permissions to audit storage for user and roles. If unauthorized accounts have these privileges, this is a finding.

✔️ Fix
Apply or modify permissions on tools used to view or modify audit log data (to include traces used for audit purposes), to make them accessible by authorized personnel only. Remove audit-related permissions from individuals and roles not authorized to have them: USE master; DENY [ALTER ANY SERVER AUDIT] TO [User]; GO