I'm trying to Audit Sysadmin users at Database level; however, none of the SELECTS, INSERTS, UPDATES and DELETES are being audited.
I created the Server Audit, followed by the Server Audit specification ADD (DATABASE_OBJECT_ACCESS_GROUP) and then the Database Audit specification to audit the database as a whole: ADD (SELECT, UPDATE, INSERT, DELETE, EXECUTE, RECEIVE, REFERENCES ON DATABASE::TestAuditDB BY newsa2);
I tested it by INSERTing and SELECTing with that user 'newsa2'; however, no audit entries were found.
I need very specific entries for each sysadmin user to be entered into the Audit log.
Here is my code:
USE [master]
GO
CREATE SERVER AUDIT [Audit_sql2016]
TO FILE
( FILEPATH = N'C:\Audit\SQL2016'
,MAXSIZE = 100 MB
,MAX_ROLLOVER_FILES = 2147483647
,RESERVE_DISK_SPACE = OFF
)
WITH
( QUEUE_DELAY = 1000
,ON_FAILURE = CONTINUE
);
GO
CREATE SERVER AUDIT SPECIFICATION [Audit_sql2016Specification]
FOR SERVER AUDIT [Audit_sql2016]
ADD (DATABASE_OBJECT_ACCESS_GROUP)
WITH (STATE = OFF);
GO
ALTER SERVER AUDIT SPECIFICATION [Audit_sql2016Specification]
FOR SERVER AUDIT [Audit_sql2016]
WITH (STATE = ON);
ALTER SERVER AUDIT Audit_sql2016 WITH (STATE = OFF)
GO
USE TestAuditDB
GO
CREATE DATABASE AUDIT SPECIFICATION [Audit_sql2016SpecificationDatabase]
FOR SERVER AUDIT [Audit_sql2016]
ADD (SELECT, UPDATE, INSERT, DELETE, EXECUTE, RECEIVE, REFERENCES ON DATABASE::TestAuditDB BY newsa2);
ALTER DATABASE AUDIT SPECIFICATION [Audit_sql2016SpecificationDatabase]
--FOR SERVER AUDIT [Audit_sql2016]
WITH (STATE = ON);
I have adapted and fixed your script (there is a missing step to enable the SERVER AUDIT - I noticed it in SQL Server Management Studio, where there was a red cross on the related icon):
USE [master]
GO
ALTER SERVER AUDIT [audit_server] WITH (STATE=OFF)
GO
DROP SERVER AUDIT [audit_server]
GO
ALTER SERVER AUDIT SPECIFICATION [audit_spec] WITH (STATE = OFF)
GO
DROP SERVER AUDIT SPECIFICATION [audit_spec]
GO
CREATE SERVER AUDIT [audit_server]
TO FILE
( FILEPATH = 'C:\Audit'
)
WHERE database_name='test';
GO
ALTER SERVER AUDIT [audit_server] WITH (STATE = ON);
GO
CREATE SERVER AUDIT SPECIFICATION [audit_spec]
FOR SERVER AUDIT [audit_server]
WITH (STATE = OFF);
GO
ALTER SERVER AUDIT SPECIFICATION [audit_spec]
FOR SERVER AUDIT [audit_server]
ADD (DATABASE_OBJECT_ACCESS_GROUP)
WITH (STATE = ON);
USE Test
GO
ALTER DATABASE AUDIT SPECIFICATION [audit_db]
WITH (STATE = OFF);
GO
DROP DATABASE AUDIT SPECIFICATION [audit_db]
GO
CREATE DATABASE AUDIT SPECIFICATION [audit_db]
FOR SERVER AUDIT [audit_server]
ADD (SELECT, UPDATE, INSERT, DELETE, EXECUTE, RECEIVE, REFERENCES ON DATABASE::test by public);
GO
ALTER DATABASE AUDIT SPECIFICATION [audit_db]
WITH (STATE = ON);
GO
With this setup I can see in the audit the following DML statements run by user dbo in database test (the corresponding login has the sysadmin role):
use test
go
delete from t;
go
insert into t values(1);
go
Tested with SQL Server 2019.
You can audit only a specific schema with:
CREATE DATABASE AUDIT SPECIFICATION [audit_db]
FOR SERVER AUDIT [audit_server]
ADD (SELECT, UPDATE, INSERT, DELETE, EXECUTE, RECEIVE, REFERENCES ON SCHEMA::myschema by public);
GO
Should we add the SCHEMA_OBJECT_ACCESS_GROUP to the Audit Server specification? I want to audit only the dbo schema, as the sys schema audits are generating too much noise.
Ans: Not required. The DATABASE_OBJECT_ACCESS_GROUP takes care of this as well.
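To confirm that every link in the chain is enabled and to get per-login rows for sysadmin members, the following queries can be run after the script above. This is an added example, not part of the original answer; it reuses the names audit_server, test and C:\Audit from that script, and it relies on the login being recorded in server_principal_name even though the database user is dbo.

```sql
-- Added example: audit_server, test and C:\Audit are the names used in the answer's script.
USE master;
GO
-- 1. Is the audit itself running? is_state_enabled = 0 matches the red cross shown in SSMS.
SELECT a.name, a.is_state_enabled, s.status_desc, s.audit_file_path, a.predicate
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id
WHERE a.name = N'audit_server';
GO
-- 2. Is the server audit specification bound to that audit and enabled?
SELECT sp.name, sp.is_state_enabled
FROM sys.server_audit_specifications AS sp
JOIN sys.server_audits AS a ON a.audit_guid = sp.audit_guid
WHERE a.name = N'audit_server';
GO
USE test;
GO
-- 3. Same check for the database audit specification (this view is per database).
SELECT dsp.name, dsp.is_state_enabled
FROM sys.database_audit_specifications AS dsp
JOIN sys.server_audits AS a ON a.audit_guid = dsp.audit_guid
WHERE a.name = N'audit_server';
GO
-- 4. DML and EXECUTE events per login, restricted to current sysadmin members.
--    event_time is stored in UTC; succeeded = 0 marks a failed permission check.
SELECT f.server_principal_name, f.action_id, f.succeeded,
       COUNT(*) AS events, MAX(f.event_time) AS last_event_utc
FROM sys.fn_get_audit_file(N'C:\Audit\*.sqlaudit', DEFAULT, DEFAULT) AS f
WHERE f.database_name = N'test'
  AND f.action_id IN ('SL', 'IN', 'UP', 'DL', 'EX')
  AND IS_SRVROLEMEMBER('sysadmin', f.server_principal_name) = 1
GROUP BY f.server_principal_name, f.action_id, f.succeeded
ORDER BY f.server_principal_name, f.action_id;
GO
```

If any of the first three queries returns is_state_enabled = 0, or no row at all, the fourth query will have nothing to read for that database.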
Related
We are trying to DENY the ALTER ANY DATABASE DDL TRIGGER permission to a login. This permission is listed in this Microsoft Doc.
But a testLogin that is also a user in one database, and has ALTER TABLE permission on TestTable, can still create a trigger on TestTable despite the fact that we ran the following T-SQL DENY statement successfully:
DENY ALTER ANY DATABASE DDL TRIGGER TO testLogin
As mentioned in this article (if you search for DENY ALTER ANY DATABASE DDL TRIGGER TO [Domain\User]) the above DENY statement should deny the testLogin to create a trigger on any database.
Question: what may we be doing wrong here and how can we fix the issue?
Remark: We are using an Azure SQL Managed Instance
I have Microsoft SQL Server 2017. I audited all DML statements using commands like
CREATE DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecification-dbo-GENERAL]
FOR SERVER AUDIT [Audit-Primary-dbo]
ADD (DELETE ON SCHEMA::xxx BY [dbo]),
ADD (INSERT ON SCHEMA::xxx BY [dbo]),
ADD (UPDATE ON SCHEMA::xxx BY [dbo]),
ADD (SELECT ON SCHEMA::xxx BY [dbo]),
ADD (DELETE ON SCHEMA::xxx BY [db_datawriter]),
ADD (INSERT ON SCHEMA::xxx BY [db_datawriter]),
...
Now I've been asked to audit ALL that is done by dbo/datawriter users, such as:
table drop/create/change
schema changes (alter table add column, ...)
BUT ALSO
unsuccessful schema accesses (select on a table which is not authorized)
unsuccessful executions due to integrity violation rules
Questions:
Is there any "audit all" on database by dbo, datawriter possibility?
How to audit failed attempts?
Thanks
I'm studying SQL Server Audit. I have deployed a Server Audit Specification. Now I want to query all the records but it doesn't return anything.
I use Windows Server 2012 Datacenter - SQL Server 2014 Developer Version
use master
go
select *
from sys.database_audit_specifications;
go
I got no output and don't understand why.
How can I fix it?
Here is an example that creates a server-level audit, then adds a database-level audit specification to track multiple operations on any object in the dbo schema.
USE master;
GO
-- create a server audit
CREATE SERVER AUDIT Test_Server_Audit
TO FILE ( FILEPATH = 'C:\temp\' ); -- you may need to change that
GO
-- turn it on
ALTER SERVER AUDIT Test_Server_Audit WITH (STATE = ON);
GO
-- create a demo database
CREATE DATABASE floob;
GO
USE floob;
GO
CREATE TABLE dbo.blat(x INT);
GO
-- create a database audit specification that monitors for activity
-- against any dbo object:
CREATE DATABASE AUDIT SPECIFICATION Test_Database_Audit
FOR SERVER AUDIT Test_Server_Audit
ADD (SELECT, UPDATE, DELETE, INSERT, EXECUTE ON SCHEMA::dbo BY PUBLIC)
WITH (STATE = ON);
GO
-- do a couple of things:
SELECT * FROM dbo.blat;
DELETE dbo.blat;
GO
-- you should see those couple of things in the audit file:
SELECT * FROM sys.fn_get_audit_file('C:\temp\*.sqlaudit', NULL, NULL);
GO
For Further Reading follow this
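sys.database_audit_specifications lists only the specifications defined in the database the session is connected to, while server audit specifications have their own catalog views. The queries below, an added example that is not part of the original answer, list both kinds with the actions, securables and principals they cover; floob is the demo database from the script above.

```sql
-- Added example; floob is the demo database created by the answer's script.
USE master;
GO
-- Server audit specifications and their action groups (server-scoped views).
SELECT sp.name AS server_specification,
       a.name  AS audit_name,
       d.audit_action_name,
       d.audited_result
FROM sys.server_audit_specifications AS sp
JOIN sys.server_audit_specification_details AS d
  ON d.server_specification_id = sp.server_specification_id
LEFT JOIN sys.server_audits AS a ON a.audit_guid = sp.audit_guid;
GO
-- Database audit specifications must be queried from inside the database that owns them.
USE floob;
GO
SELECT dsp.name AS database_specification,
       a.name   AS audit_name,
       d.audit_action_name,
       d.class_desc,
       CASE d.class_desc
            WHEN 'DATABASE' THEN DB_NAME()
            WHEN 'SCHEMA'   THEN SCHEMA_NAME(d.major_id)
            WHEN 'OBJECT_OR_COLUMN'
                 THEN QUOTENAME(OBJECT_SCHEMA_NAME(d.major_id)) + N'.'
                      + QUOTENAME(OBJECT_NAME(d.major_id))
            ELSE CAST(d.major_id AS nvarchar(20))  -- unresolved class: show the raw id
       END AS securable,
       USER_NAME(d.audited_principal_id) AS audited_principal,
       d.audited_result
FROM sys.database_audit_specifications AS dsp
JOIN sys.database_audit_specification_details AS d
  ON d.database_specification_id = dsp.database_specification_id
LEFT JOIN sys.server_audits AS a ON a.audit_guid = dsp.audit_guid
ORDER BY dsp.name, d.audit_action_name;
GO
```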
Is it possible to clear SQL Server Audit file logs? I want to delete old logs by date but can't find a way to delete them from either the interface or a SQL query.
Yes, it is.
From sys.server_audits, select the old names via the create_date column.
Then loop over the names and delete them using the following code:
ALTER SERVER AUDIT [Audit_name] WITH (STATE = OFF)
GO
USE [master]
GO
DROP SERVER AUDIT [Audit_name]
GO
I'm sending queries through Django on a PaaS service, and I think I can't access any command line utilities. I would have just dropped the entire database and recreated it, but I don't have permissions for that.
I'm looking for a simple command that would return the database to a completely virgin state.
You could cascade drop the schema and then drop the db:
drop schema myschema CASCADE;
drop database mydb;
If you do not have the rights to do so, you will have to drop table by table.
EDIT: If you can only drop tables, this will give you the SQL statements to run:
select 'drop table '||schemaname||'.'||tablename||' CASCADE;'
from pg_tables where schemaname = 'myschema' order by schemaname, tablename;