Sql-server – How to recreate a SQL Server audit without an audit gap

auditsql server

I have some audits and audit specifications on a SQL Server 2012 instance and I want to reapply the audit and audit spec definition every evening in case the DBAs change it. I have measured the time taken to do this on one of my Dev boxes, and it's quite short, but there's still a window there where some audit data could get lost. From a quick test I did to measure the time taken:

AuditRecreate_ms
----------------
23

(1 row(s) affected)

AuditSpecRecreate_ms
--------------------
16

(1 row(s) affected)

It's possible with SQLTrace because you can create a new trace and then delete the old one, and no audit data gets lost. I'm trying to move away from SQL Trace but retain an uninterrupted audit but at the same time make sure the audit definitions do not change. Any ideas here?

Best Answer

I want to reapply the audit and audit spec definition every evening in case the DBAs change it

Engaging in an arms race against the rightful admins is only going to cause delay and confusion.

Explain to DBAs the role and purpose of the audit, ask them not to change it
Use the audit itself to detect tampering
Follow up upon detecting tampering with administrativia to get the responsible party questioned/rewarded/punished depending on situation

If you cannot enforce above, it means by definition that you are not be able to enforce an audit, so why bother?

As for specifically the question, this advice applies always, to any situation: do not blindly re-apply a template 'in case it changed', only apply it if it had changed.

Ask your DBAs to help you, do not ask us to help you against your DBAs.

Related Solutions

Sql-server – How to Audit 2 or more SQL Logins (server principals) using SQL Server Audit

I believe you are using a part of SQL server audit specification in very first step:

Firstly you just need to create a server audit object using SQL Server Audit. Now in this audit section you are using where clause, which also requires a creation of sql server audit specification:
Check the permissions for altering an audit:

a)To create, alter, or drop a server audit, principals require the ALTER ANY SERVER AUDIT or the CONTROL SERVER permission.

b)Users with the ALTER ANY SERVER AUDIT permission can create server audit specifications and bind them to any audit.

Refer to below eg : from MSDN whihc might help you in understanding the audit using principals in where clause:

  CREATE DATABASE TestDB;
  GO
  USE TestDB;
  GO
  CREATE SCHEMA DataSchema;
  GO
  CREATE TABLE DataSchema.GeneralData (ID int PRIMARY KEY, DataField varchar(50) NOT NULL);
  GO
  CREATE TABLE DataSchema.SensitiveData (ID int PRIMARY KEY, DataField varchar(50) NOT NULL);
   GO
    -- Create the server audit in the master database
 USE master;
 GO
  CREATE SERVER AUDIT AuditDataAccess
  TO FILE ( FILEPATH ='C:\SQLAudit\' )
 WHERE object_name = 'SensitiveData' ;
 GO
 ALTER SERVER AUDIT AuditDataAccess WITH (STATE = ON);
  GO
 -- Create the database audit specification in the TestDB database
  USE TestDB;
  GO
CREATE DATABASE AUDIT SPECIFICATION [FilterForSensitiveData]
FOR SERVER AUDIT [AuditDataAccess] 
ADD (SELECT ON SCHEMA::[DataSchema] BY [public])
WITH (STATE = ON);
GO
-- Trigger the audit event by selecting from tables
 SELECT ID, DataField FROM DataSchema.GeneralData;
 SELECT ID, DataField FROM DataSchema.SensitiveData;
 GO
 --- Check the audit for the filtered content
  SELECT * FROM fn_get_audit_file('C:\SQLAudit\AuditDataAccess_*.sqlaudit',default,default);
   GO

Sql-server – SQL Server 2016 Audit Options

Temporal tables are new and in all editions. They add a start and end time to rows and keeps a history of datachanges with some DDL to pull back changes.

It may be possible to stick into existing applications but has some limitations (eg no cascade deletes) and so is much more likely to be put in during design time so that developers don't need to roll their own anymore.

Best Answer

Related Solutions

Sql-server – How to Audit 2 or more SQL Logins (server principals) using SQL Server Audit

Sql-server – SQL Server 2016 Audit Options

Related Question