October 27, 2011 at 3:53 pm
Now DG0029 and DM5267 simply reference DG0145. If DG0145 is not used or in place, then C2 Audit mode is required. So as long as you just create the stored procedure provided in DG0145 you meet the security requirements for the STIG findings DG0029 and DM5267. Then DM0510 is marked as not a finding.
Most of the other findings have to do with regular review of the audit files and ensuring application name and other things are in the audit file itself.
This is correct. We use custom scripts to meet DG0145 requirements.
September 20, 2012 at 5:05 pm
I don't know if anyone provided a code based solution, but here is one that can be run with cscript.exe folderwatch.vbs
folderwatch.vbs:
    Option Explicit

    ' Return the upper-cased extension (including the dot) of a file name,
    ' or an empty string when the name has no extension.
    Function FileExt(n)
        Dim dotpos
        dotpos = InStrRev(n, ".")
        If dotpos > 0 Then
            FileExt = UCase(Mid(n, dotpos))
        Else
            FileExt = ""
        End If
    End Function

    ' Zero-pad a one- or two-digit number to two characters (e.g. 5 -> "05").
    Function LZero2(n)
        LZero2 = Mid(100 + n, 2, 2)
    End Function

    ' Zip file name for a given date: audittraceYYYYMMDD.zip
    Function DateZipFileName(d)
        DateZipFileName = "audittrace" & Year(d) & LZero2(Month(d)) & LZero2(Day(d)) & ".zip"
    End Function

    Dim fso, winShell, MyTarget, MySource, file, oldnum, datapath, zipfolder
    Dim ofld, oFile, fsfolder
    Set fso = CreateObject("Scripting.FileSystemObject")
    ' Location of the C2 audit .trc files; change this to match your instance.
    datapath = "c:\program files\microsoft sql server\mssql.1\mssql\data"
    ' Zips are written to a c2_audit_zips subfolder inside the audit folder.
    zipfolder = datapath & "\c2_audit_zips\"
    Set winShell = CreateObject("Shell.Application")

    Do While True
        Set ofld = fso.GetFolder(datapath)
        For Each oFile In ofld.Files
            ' Skip the trace SQL Server is still writing: it shows as 0 bytes until it is closed.
            If FileExt(oFile.Name) = ".TRC" And oFile.Size > 0 Then
                MySource = datapath & "\" & oFile.Name
                MyTarget = zipfolder & DateZipFileName(oFile.DateLastModified)
                oldnum = 1
                If Not fso.FileExists(MyTarget) Then
                    ' Write the 22-byte "empty zip" end-of-central-directory record
                    ' so that Shell.Application accepts the file as a zip folder.
                    WScript.Echo "Creating Zip " & MyTarget
                    Set file = fso.CreateTextFile(MyTarget, True)
                    file.Write "PK" & Chr(5) & Chr(6) & String(18, Chr(0))
                    file.Close
                    oldnum = 0
                End If
                WScript.Echo "Adding " & MySource & " to " & MyTarget
                Set fsfolder = winShell.NameSpace(MyTarget)
                If oldnum = 1 Then
                    oldnum = fsfolder.Items.Count
                End If
                fsfolder.CopyHere MySource
                ' CopyHere is asynchronous: wait until the item count grows
                ' before deleting the source file.
                Do Until fsfolder.Items.Count > oldnum
                    WScript.Sleep 1000
                Loop
                fso.DeleteFile MySource
            End If
        Next
        ' Re-poll the audit folder every 15 minutes.
        WScript.Sleep 15 * 60 * 1000
    Loop

    Set winShell = Nothing
    Set fso = Nothing
Key notes:
1) As noted in the code, the path for the C2 audit files is C:\Program Files\Microsoft SQL Server\..., change the above code to indicate your actual audit folder location.
2) This script, once started, runs continuously and re-polls the directory every 15 minutes, noted by Sleep(15*60*1000).
3) The zip file location is based on having a subfolder called c2_audit_zips inside the C2 audit folder location.
4) The zip filename is audittraceYYYYMMDD.zip based on the code above. The YYYYMMDD is based on the .trc file's LastModifiedDate, that way the files are stored in zip files according to the date they were created.
5) Once a .trc file has been added to the .zip, it is deleted.
6) Only .trc files which are greater than 0 bytes are included. The .trc file which is currently being written to shows as 0 bytes until it is closed and cycled into the next one.
7) Note, the do while ... Sleep(1000) loop seems stupid, but without it, Windows built-in zip doesn't work.
Aloha,
Gary
September 20, 2012 at 5:14 pm
So the folderwatch.vbs was my first attempt at trying to contain the GIGs of C2 audit trace files.
To help be as STIG compliant as possible, I ended up writing a C# service because our IA folks did not let us enable task scheduler.
The native .zip "Package" feature in Microsoft .NET Framework 3.0 worked fine in testing, but failed when I ran it on the server because that package creates a Content.xml file inside every .zip it creates, and that file contains an MD5 hash.
I found out the hard way that our server had the FIPS 140 compliance policy installed and enforced. Whenever it tried to add a file to the .zip, the service would crash and stop.
The second attempt at doing it in C# involved using a Zip library.
Fortunately that library did not require creation of a Content.xml in every .zip.
So now we have a service running under a least privilege account and the auditors are impressed.
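The rotation logic from Gary's folderwatch.vbs (poll the audit folder, group closed .trc files into audittraceYYYYMMDD.zip by last-modified date, skip the 0-byte trace still being written, delete each trace only after it is archived) and the FIPS point from his follow-up can be shown together in one place. The script below is an added cross-platform re-implementation of that logic in Python, not Gary's code and not part of any SQL Server tooling; the folder paths are constructed placeholders. It uses only the standard zipfile module, whose integrity check is CRC-32, so no MD5 routine is involved that a FIPS policy would block, and it verifies the archive before removing the original.

```python
"""Roll closed SQL Server C2 trace files into per-day zip archives.

Hypothetical re-implementation of the folderwatch.vbs rotation logic;
the paths in main are constructed placeholders, not real server paths.
"""
import time
import zipfile
from datetime import datetime
from pathlib import Path

POLL_SECONDS = 15 * 60          # same 15-minute re-poll as the VBScript


def zip_name_for(trace: Path) -> str:
    """audittraceYYYYMMDD.zip, keyed on the trace file's last-modified date."""
    modified = datetime.fromtimestamp(trace.stat().st_mtime)
    return f"audittrace{modified:%Y%m%d}.zip"


def closed_trace_files(data_dir: Path):
    """Yield .trc files SQL Server has finished writing.

    The trace currently being written reports 0 bytes until it is closed
    and the server cycles to the next file, so zero-length files are skipped.
    """
    for entry in sorted(data_dir.iterdir()):
        if (entry.is_file() and entry.suffix.lower() == ".trc"
                and entry.stat().st_size > 0):
            yield entry


def archive_trace_files(data_dir, zip_dir):
    """One pass: add each closed trace to its day's zip, verify, then delete it.

    Returns a list of (trace name, zip name) for the files that were archived.
    zipfile only computes CRC-32 checksums, so nothing here calls an MD5
    implementation that a FIPS-enforced host would reject.
    """
    data_dir, zip_dir = Path(data_dir), Path(zip_dir)
    zip_dir.mkdir(parents=True, exist_ok=True)
    archived = []
    for trace in closed_trace_files(data_dir):
        target = zip_dir / zip_name_for(trace)
        with zipfile.ZipFile(target, "a", zipfile.ZIP_DEFLATED) as zf:
            if trace.name in zf.namelist():
                # Same name already archived: never silently overwrite an
                # audit record; leave the source file for a human to review.
                continue
            zf.write(trace, arcname=trace.name)
        # Re-open and check every entry's CRC before the original is removed.
        with zipfile.ZipFile(target) as zf:
            bad = zf.testzip()
        if bad is not None:
            raise RuntimeError(f"{target} failed verification on entry {bad}")
        trace.unlink()
        archived.append((trace.name, target.name))
    return archived


if __name__ == "__main__":
    # Placeholder paths: point these at the real C2 audit folder.
    DATA_DIR = Path(r"C:\path\to\mssql\data")
    ZIP_DIR = DATA_DIR / "c2_audit_zips"
    while True:
        for name, archive in archive_trace_files(DATA_DIR, ZIP_DIR):
            print(f"added {name} to {archive}")
        time.sleep(POLL_SECONDS)
```

Because the zip is re-opened and checked with testzip() before the source is unlinked, a write failure leaves the original trace in place rather than losing audit data; a duplicate entry name is likewise left untouched instead of being appended twice.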