More Info:

Enable auditing for all SQL Servers.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CISAZURE, CBP, HIPAA, ISO27001, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the “Auditing Disabled for SQL Servers” misconfiguration in Azure using the Azure console, follow these steps:
  1. Log in to the Azure portal (https://portal.azure.com/) using your credentials.
  2. Navigate to the Azure SQL Server that you want to remediate.
  3. Click on the “Auditing” option from the left-hand side menu.
  4. In the “Auditing” blade, click on “Enable Auditing”.
  5. In the “Audit to” section, select the destination where you want to store the audit logs. You can choose to store the logs in a storage account or log analytics workspace.
  6. In the “Audit logs retention (days)” section, specify the number of days for which you want to retain the audit logs.
  7. In the “Event types to audit” section, select the events that you want to audit. You can choose to audit all events or select specific events.
  8. In the “Storage account settings” or “Log Analytics workspace settings” section, specify the required details for the destination where you want to store the audit logs.
  9. Click on “Save” to enable auditing for the SQL Server.
  10. Verify that auditing is enabled by checking the “Auditing” blade. You should see a message that says “Auditing is enabled”.
That’s it! You have successfully remediated the “Auditing Disabled for SQL Servers” misconfiguration in Azure.

Here are the step-by-step instructions to remediate the issue of auditing disabled for SQL Servers on Azure using Azure CLI:
  1. Open the Azure CLI on your local machine or Azure Cloud Shell.
  2. Login to your Azure account using the following command: 
az login
  1. Once you are logged in, select the Azure subscription that contains the SQL Server you want to remediate:
az account set --subscription <subscription_id>
  1. Next, check the current auditing status of the SQL Server using the following command:
az sql server audit-policy show --resource-group <resource_group_name> --server <server_name>
  1. If auditing is disabled, you can enable it by running the following command:
az sql server audit-policy update --resource-group <resource_group_name> --server <server_name> --state Enabled --storage-account <storage_account_name> --storage-key <storage_account_key> --storage-endpoint <storage_account_endpoint>
Note: Replace <resource_group_name>, <server_name>, <storage_account_name>, <storage_account_key>, and <storage_account_endpoint> with the appropriate values for your environment.
  1. After running the command, wait for a few minutes to allow the changes to propagate.
  2. Finally, verify that auditing is now enabled for the SQL Server using the following command: 
az sql server audit-policy show --resource-group <resource_group_name> --server <server_name>
That’s it! You have successfully remediated the misconfiguration of auditing disabled for SQL Servers on Azure using Azure CLI.
To remediate the issue of auditing being disabled for SQL Servers in Azure using Python, you can use the Azure SDK for Python. Here are the step-by-step instructions:
  1. Install the Azure SDK for Python using pip:
pip install azure-mgmt-sql
  1. Import the necessary modules:
from azure.identity import DefaultAzureCredential
from azure.mgmt.sql import SqlManagementClient
  1. Authenticate using the default Azure credentials:
credential = DefaultAzureCredential()
subscription_id = 'YOUR_SUBSCRIPTION_ID'
resource_group_name = 'YOUR_RESOURCE_GROUP_NAME'
server_name = 'YOUR_SQL_SERVER_NAME'
  1. Create a SqlManagementClient object:
sql_client = SqlManagementClient(credential, subscription_id)
  1. Enable auditing for the SQL Server:
from azure.mgmt.sql.models import ServerSecurityAlertPolicy, SecurityAlertPolicyState
security_alert_policy = ServerSecurityAlertPolicy(state=SecurityAlertPolicyState.enabled)
sql_client.server_security_alert_policies.create_or_update(resource_group_name, server_name, security_alert_policy_name='default', parameters=security_alert_policy)
  1. Verify that auditing has been enabled by checking the current state of the security alert policy:
current_security_alert_policy = sql_client.server_security_alert_policies.get(resource_group_name, server_name, security_alert_policy_name='default')
print(current_security_alert_policy.state)
These steps will enable auditing for the specified SQL Server in Azure using Python.