SQL Server Database Auditing not working for Sysadmin users

Posted: 2020-10-19 04:50:18

Question:

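I am trying to audit sysadmin users at the database level; however, none of the SELECTS, INSERTS, UPDATES and DELETES are being audited.

I created the server audit, then the server audit specification with ADD (DATABASE_OBJECT_ACCESS_GROUP), and then the database audit specification to audit the whole database: ADD (SELECT, UPDATE, INSERT, DELETE, EXECUTE, RECEIVE, REFERENCES ON DATABASE::TestAuditDB BY newsa2);

I tested it by doing inserts and selects as that user "newsa2"; however, no audit entries were found.

I need very specific entries for each sysadmin user to go into the audit log.

Here is my code: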

USE [master]
GO

CREATE SERVER AUDIT [Audit_sql2016]
TO FILE 
(    FILEPATH = N'C:\Audit\SQL2016'
    ,MAXSIZE = 100 MB
    ,MAX_ROLLOVER_FILES = 2147483647
    ,RESERVE_DISK_SPACE = OFF
)
WITH
(    QUEUE_DELAY = 1000
    ,ON_FAILURE = CONTINUE
);
GO

CREATE SERVER AUDIT SPECIFICATION [Audit_sql2016Specification]
FOR SERVER AUDIT [Audit_sql2016]
   ADD (DATABASE_OBJECT_ACCESS_GROUP) 
WITH (STATE = OFF);
GO

ALTER SERVER AUDIT SPECIFICATION [Audit_sql2016Specification]
FOR SERVER AUDIT [Audit_sql2016]
WITH (STATE = ON);

ALTER SERVER AUDIT Audit_sql2016 WITH (STATE = OFF)
GO

USE TestAuditDB
GO

CREATE DATABASE AUDIT SPECIFICATION [Audit_sql2016SpecificationDatabase]
FOR SERVER AUDIT [Audit_sql2016]
      ADD (SELECT, UPDATE, INSERT, DELETE, EXECUTE, RECEIVE, REFERENCES ON DATABASE::TestAuditDB BY newsa2);

ALTER DATABASE AUDIT SPECIFICATION [Audit_sql2016SpecificationDatabase]
--FOR SERVER AUDIT [Audit_sql2016]
WITH (STATE = ON);

Answer 1:

I have modified and fixed your script (the step to enable the SERVER AUDIT was missing - I noticed that the corresponding icon in SQL Server Management Studio had a red cross):

USE [master]
GO

ALTER SERVER AUDIT [audit_server] WITH (STATE=OFF)
GO

DROP SERVER AUDIT [audit_server]
GO

ALTER SERVER AUDIT SPECIFICATION [audit_spec] WITH (STATE = OFF)
GO

DROP SERVER AUDIT SPECIFICATION [audit_spec]
GO

CREATE SERVER AUDIT [audit_server]
TO FILE 
(    FILEPATH = 'C:\Audit'
)
WHERE database_name='test';
GO

ALTER SERVER AUDIT [audit_server] WITH (STATE = ON);
GO

CREATE SERVER AUDIT SPECIFICATION [audit_spec]
FOR SERVER AUDIT [audit_server]
WITH (STATE = OFF);
GO

ALTER SERVER AUDIT SPECIFICATION [audit_spec]
FOR SERVER AUDIT [audit_server]
ADD (DATABASE_OBJECT_ACCESS_GROUP)
WITH (STATE = ON);

USE Test
GO

ALTER DATABASE AUDIT SPECIFICATION [audit_db]
WITH (STATE = OFF);
GO

DROP DATABASE AUDIT SPECIFICATION [audit_db]
GO

CREATE DATABASE AUDIT SPECIFICATION [audit_db]
FOR SERVER AUDIT [audit_server]
      ADD (SELECT, UPDATE, INSERT, DELETE, EXECUTE, RECEIVE, REFERENCES ON DATABASE::test by public);
GO

ALTER DATABASE AUDIT SPECIFICATION [audit_db]
WITH (STATE = ON);
GO

With this setup, I can audit DML statements run by user dbo in database test (the corresponding login has the sysadmin role):

use  test
go
delete from t;
go
insert into t values(1);
go

Tested with SQL Server 2019.

You can audit only a specific schema with:

CREATE DATABASE AUDIT SPECIFICATION [audit_db]
FOR SERVER AUDIT [audit_server]
      ADD (SELECT, UPDATE, INSERT, DELETE, EXECUTE, RECEIVE, REFERENCES ON SCHEMA::myschema by public);
GO
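
An added example (not part of the original answer) for confirming that the audit is actually running and for limiting it to one sysadmin login without sys-schema noise. It reuses the object names from the answer's script and the login newsa2 from the question; filtering with a server audit predicate on server_principal_name and schema_name is a technique added here, not one the answer proposes.

```sql
USE [master];
GO

-- 1. Is the server audit itself running? A disabled audit records nothing,
--    even when both specifications report STATE = ON.
SELECT a.name, a.is_state_enabled, s.status_desc, s.audit_file_path, a.predicate
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id;

SELECT name, is_state_enabled FROM sys.server_audit_specifications;
GO

-- 2. Restrict what gets written: one database, one login, no sys schema.
--    Database audit specifications take database principals only, and a
--    sysadmin login maps to dbo, so the login filter goes on the server audit.
--    The predicate can only be changed while the audit is stopped.
ALTER SERVER AUDIT [audit_server] WITH (STATE = OFF);
GO
ALTER SERVER AUDIT [audit_server]
WHERE database_name = 'test'
  AND server_principal_name = 'newsa2'
  AND schema_name <> 'sys';
GO
ALTER SERVER AUDIT [audit_server] WITH (STATE = ON);
GO

-- 3. Confirm what the database audit specification covers and for whom.
USE [test];
GO
SELECT sp.name, sp.is_state_enabled, d.audit_action_name, d.class_desc,
       USER_NAME(d.audited_principal_id) AS audited_principal
FROM sys.database_audit_specifications AS sp
JOIN sys.database_audit_specification_details AS d
  ON d.database_specification_id = sp.database_specification_id;
GO

-- 4. Run a test statement as newsa2, then read the audit files back.
--    event_time is stored in UTC.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_principal_name, schema_name, object_name, statement
FROM sys.fn_get_audit_file(N'C:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE server_principal_name = N'newsa2'
ORDER BY event_time DESC;
GO
```

With the predicate in place the audit file only ever contains newsa2's activity, so other sysadmin logins need their own predicate terms or a separate server audit.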

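Comments:

Can I audit only a specific sa user like this:
```
CREATE DATABASE AUDIT SPECIFICATION [audit_db] FOR SERVER AUDIT [audit_server] ADD (SELECT, UPDATE, INSERT, DELETE, EXECUTE, RECEIVE, REFERENCES ON DATABASE::newsa2); GO
```

I'm not sure that is possible, because sa is a login and it maps to dbo in the database. As I understand it, you can only use database principals. So it is fine if newsa2 is a database user, but not if newsa2 is a login.

There is a lot of noise in the log - almost 94%. Can I audit on SCHEMA instead?

Yes, you can audit only a specific schema: I have updated my answer with an example.

Should we add SCHEMA_OBJECT_ACCESS_GROUP to the server audit specification? I only want to audit the dbo schema, because auditing the sys schema produces too much noise.

Answer 2:

Should we add SCHEMA_OBJECT_ACCESS_GROUP to the server audit specification? I only want to audit the dbo schema, because auditing the sys schema produces too much noise.

Answer: No need. DATABASE_OBJECT_ACCESS_GROUP takes care of that as well.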

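Comments:

I have a problem: when schema_object_access_group is selected, there is too much auditing in the sys schema. Is there a way to prevent this? Once SCHEMA_OBJECT_ACCESS_GROUP is added, it seems that every schema gets audited.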
