V-206525
SV-206525r960885_rule
CAT II
The DBMS must be able to generate audit records when privileges/permissions are retrieved.
From: Database Security Requirements Guide (V4R5)
Description
Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions.
This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.
Documentable: false
Check Procedure
Review DBMS documentation to verify that audit records can be produced when privileges/permissions/role memberships are retrieved.
If the DBMS is not capable of this, this is a finding.
If the DBMS is currently required to audit the retrieval of privilege/permission/role membership information, review the DBMS/database security and audit configurations to verify that audit records are produced when privileges/permissions/role memberships are retrieved.
If they are not produced, this is a finding.
Fix Text
Deploy a DBMS capable of producing the required audit records when privileges/permissions/role memberships are retrieved.
If currently required, configure the DBMS to produce audit records when privileges/permissions/role memberships are retrieved.
CCI Reference
CCI-000172
Created: 2026-03-06 17:52:29
Last Updated: 2026-04-07 20:08:14