Master Checklist

Auditing Databases

Checklist for Auditing Databases

1. qVerify that database permissions are granted or revoked appropriately for the required level of authorization.

2. qReview database permissions granted to individuals instead of groups or roles.

3. qEnsure that database permissions are not implicitly granted incorrectly.

4. qReview dynamic SQL executed in stored procedures.

5. qEnsure that row-level access to table data is implemented properly.

6. qRevoke PUBLIC permissions where not needed.

7. qRestrict access to the operating system.

8. qRestrict permissions on the directory to which the database is installed.

9. qRestrict permissions on the registry keys used by the database.

10. qCheck for default usernames and passwords.

11. qCheck for easily guessed passwords.

12. qCheck that password management capabilities are enabled.

13. qCheck that auditing is enabled.

14. qVerify that network encryption is implemented.

15. qVerify that encryption of data-at-rest is implemented where appropriate. Ensure that encryption key management is part of the disaster-recovery plan.

16. qVerify that the latest patches for the database have been installed.

17. qVerify that the database is running a version the vendor continues to support.

18. qVerify that policies and procedures are in place to identify when a patch is available and to apply the patch.

19. qCheck the integrity of the database by looking for root kits, viruses, backdoors, and Trojan horses.