Control: 5.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
Description
SQL Server Audit Retention should be configured to be greater than 90 days.
Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.
Remediation
From Azure Portal
- Go to
SQL servers
. - For each SQL server, under
Security
, clickAuditing
. - If
Storage
is checked, expandAdvanced properties
. - Set
Retention (days)
to a value greater than90
, or0
for unlimited retention. - Click
Save
.
From PowerShell
For each Server, set retention policy to more than 90 days
Log Analytics Example
Set-AzSqlServerAudit -ResourceGroupName <resource group name> -ServerName <SQL Server name> -RetentionInDays <Number of Days to retain the audit logs, should be more than 90 days> -LogAnalyticsTargetState Enabled -WorkspaceResourceId "/subscriptions/<subscription ID>/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/<workspace name>
Event Hub Example
Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL Server name>" -EventHubTargetState Enabled -EventHubName "<Event Hub name>" -EventHubAuthorizationRuleResourceId "<Event Hub Authorization Rule Resource ID>"
Blob Storage Example
Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL Server name>" -BlobStorageTargetState Enabled -StorageAccountResourceId "/subscriptions/<subscription_ID>/resourceGroups/<Resource_Group>/providers/Microsoft.Storage/storageAccounts/<Storage Account name>"
Default Value
By default, SQL Server audit storage is disabled
.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v300_5_1_6
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v300_5_1_6 --share
SQL
This control uses a named query:
sql_server_auditing_retention_period_90