数据库审核
SQL Server 2008引入了审核实例、数据库级别活动的能力。
使用服务器审核对象将活动捕获到目标数据目的地,这个对象定义将活动捕获到文件、windows应用程序事件日志、windows安全事件日志。
使用服务器审核规范定义在实例范围内希望捕获哪些事件。使用数据库审核规范对象可以在数据库范围内定义希望捕获哪些事件。
只允许一个服务器规范绑定到一个服务器审核规范对象上,而一个或多个数据库审核复返可以绑定到一个服务器审核对象上。一个服务器审核对象可以同时配置一个服务器审核规范、一个或多个数据库审核规范。
--1.1创建服务器审核对象的操作,必须在master数据库中执行
use master
go
--1.2创建服务器审核对象
create server audit wcc_server_audit
to file
(
filepath = 'E:\', --审核日志的文件路径,或者:APPLICATION_LOG,SECURITY_LOG
maxsize = 500MB, --审核文件可以增大到的最大大小
max_rollover_files = 10, --保留在文件系统中,外加当前文件的最大文件数
reserve_disk_space = off --按MAXSIZE值为磁盘上的文件预先分配大小
)
with
(
queue_delay = 1000, --确定在强制处理审核操作之前,可以延迟的毫秒数
on_failure = continue --当不能写入目标时,sql实例是否关闭
)
--1.3查看服务器审核对象
select audit_id,
name, --服务器审核对象名
audit_guid,
principal_id,
type_desc, --日志类型
on_failure_desc, --当不能写入目标时,sql实例是否关闭
is_state_enabled, --是否启用
queue_delay --在审核过程操作之前,可以延迟的毫秒数
from sys.server_audits s
--2.1查看可以使用哪些审核组
select name, --审核操作或审核组的名称
class_desc, --应用审核操作对象的类的名称
covering_action_name, --包含此行中所述的审核操作的审核操作或审核组的名称
parent_class_desc,
covering_parent_action_name,
configuration_level,
containing_group_name
from sys.dm_audit_actions
WHERE class_desc = 'server' --审核操作的类
and configuration_level = 'group' --配置级别
ORDER BY name
--2.2创建服务器审核规范,捕获实例范围的事件
create server audit specification wcc_server_audit_specification
for server audit wcc_server_audit
add (SERVER_ROLE_MEMBER_CHANGE_GROUP),
ADD (DBCC_GROUP),
ADD (BACKUP_RESTORE_GROUP)
WITH (STATE = ON )
--2.3服务器审核中的服务器审核规范详细信息(操作)的信息
select s.server_specification_id,
s.name,
s.is_state_enabled,
sd.audit_action_name,
sd.is_group
from sys.server_audit_specifications s
inner join sys.server_audit_specification_details sd
on sd.server_specification_id = s.server_specification_id
--3.1查看对象有哪些操作可以被审核
select name, --审核操作或审核组的名称
class_desc, --应用审核操作对象的类的名称
covering_action_name, --包含此行中所述的审核操作的审核操作或审核组的名称
parent_class_desc,
covering_parent_action_name,
configuration_level,
containing_group_name
from sys.dm_audit_actions
WHERE class_desc = 'object' --审核操作的类
and configuration_level = 'action' --配置级别
ORDER BY name
--3.2查看数据库范围有哪些操作可以被审核
select name, --审核操作或审核组的名称
class_desc, --应用审核操作对象的类的名称
covering_action_name, --包含此行中所述的审核操作的审核操作或审核组的名称
parent_class_desc,
covering_parent_action_name,
configuration_level,
containing_group_name
from sys.dm_audit_actions
WHERE class_desc = 'database' --审核操作的类
and configuration_level = 'group' --配置级别
ORDER BY name
--3.3创建数据库审核规范,捕获数据库范围的事件
use AdventureWorks
go
create database audit specification wcc_database_audit_specification
for server audit wcc_server_audit
add (DATABASE_PRINCIPAL_IMPERSONATION_GROUP), --跟踪所有模拟行为
add (insert,update,delete
on humanresources.department
by public)
with
(state = on )
--3.4数据库审核规范详细信息
select das.database_specification_id,
das.name,
das.is_state_enabled,
dasd.audit_action_id,
dasd.is_group,
dasd.class_desc,
case when dasd.major_id > 0
then OBJECT_NAME(major_id,db_id()) +
case when dasd.minor_id > 0
then '.' + COL_NAME(major_id,minor_id)
else ''
end
else 'N/A'
end object_column_name,
dasd.audited_principal_id
from sys.database_audit_specifications das
inner join sys.database_audit_specification_details dasd
on das.database_specification_id = dasd.database_specification_id
--注意:无法从用户数据库中对服务器审核执行更改,
--此操作必须在 master 数据库中执行。
use master
go
--5.1开启服务器审核
alter server audit [wcc_server_audit]
with (state = on )
--创建新的登录名
create login TestAudit
with password = 'testaudit',
check_expiration = off,
check_policy = off
--给服务器角色增加成员
exec sp_addsrvrolemember
@loginame = 'TestAudit',
@rolename = 'bulkadmin'
--备份数据库
backup database adventureworks
to disk = 'c:\adventureworks_backup.bak'
--执行DBCC操作
dbcc checkdb('adventureworks')
go
use adventureworks
go
--创建这个新的用户,在这个用户上下文中执行
create user TestAudit for login TestAudit
execute as user = 'TestAudit'
--返回到原来的登录名
revert
--添加,修改,删除数据
insert into humanresources.department
(name,groupname)
values('Traffic','Advertising')
update humanresources.department
set name = 'Media planning'
where name ='Traffic'
delete humanresources.department
where name = 'Media planning'
--5.2查看服务器审核二进制文件的内容
select af.event_time,
af.succeeded,
af.target_server_principal_name,
object_name
from fn_get_audit_file('E:\wcc_server_audit_*',
default,
default) af
inner join sys.dm_audit_actions aa
on aa.action_id = af.action_id
where aa.name = 'ADD MEMEBER'
and aa.class_desc = N'SERVER ROLE'
select af.event_time,
af.database_principal_name
from fn_get_audit_file('E:\wcc_server_audit_*',
default,
default) af
inner join sys.dm_audit_actions aa
on aa.action_id = af.action_id
where aa.name = 'DELETE'
and aa.class_desc = N'OBJECT'
and af.schema_name = 'HumanResources'
and af.object_name = 'department'
select af.event_time,
af.statement
from fn_get_audit_file('E:\wcc_server_audit_*',
default,
default) af
inner join sys.dm_audit_actions aa
on aa.action_id = af.action_id
where aa.name = 'backup'
and aa.class_desc = N'database'
select distinct
aa.name,
af.event_time,
af.database_principal_name,
af.target_server_principal_name,
af.object_name
from fn_get_audit_file('E:\wcc_server_audit_*',
default,
default) af
inner join sys.dm_audit_actions aa
on aa.action_id = af.action_id
--6.管理审核对象、审核规范
--6.1修改服务器审核规范
use master
go
alter server audit specification wcc_server_audit_specification
with (state = off)
alter server audit specification wcc_server_audit_specification
drop (backup_restore_group)
alter server audit specification wcc_server_audit_specification
drop (login_change_password_group)
alter server audit specification wcc_server_audit_specification
with (state = on )
--6.2修改数据库审核规范
use AdventureWorks
go
alter database audit specification wcc_database_audit_specification
with (state = off)
alter database audit specification wcc_database_audit_specification
drop (insert on humanresources.department by public)
alter database audit specification wcc_database_audit_specification
add (database_role_member_change_group)
alter database audit specification wcc_database_audit_specification
with (state = on)
--6.3修改服务器审核对象
use master
go
alter server audit wcc_server_audit
with (state = off)
alter server audit wcc_server_audit
to application_log
alter server audit wcc_server_audit
with (state = on)
--6.4删除数据库审核规范
alter database audit wcc_database_audit_specification
with (state = off)
drop database audit wcc_database_audit_specification
--6.5删除服务器审核规范
alter server audit specification wcc_server_audit_specification
with (state = off)
drop server audit specification wcc_server_audit_specification
--6.6删除服务器审核对象
alter server audit wcc_server_audit
with (state = off)
drop server audit wcc_server_audit