question

liton avatar image
liton asked

Restrict disabling SQL Server audit

Is there a way to password protect sql server audits? I’m creating an audit specification to record the DML statement and there are few people who have the sysadmin role in the sql server instance. I don’t want to remove their sysadmin role and in the mean time I want them to be able to disable the Sql Server audit. I want to be able to audit the database without worrying about that someone could disable the audit then make changes to the database.
securityaudit
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

·
sqlaj 1 avatar image
sqlaj 1 answered
True anyone in the sysadmin role can alter the audits at the server level. Be mindful of users with .dbo access at the database level as well. Take a look here for auditing information. http://msdn.microsoft.com/en-us/library/cc280386.aspx I am pretty sure you can audit changes made to the audit. :)
3 comments
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Yup, as I thought. See this audit spec. "AUDIT_CHANGE_GROUP" "This event is raised whenever any audit is created, modified or deleted."
0 Likes 0 ·
Great, this is what I was looking for. Thanks. The only other concern that I might have is that they can remove (delete) the audit but I guess I can still can check the file to see the changes. I'm saving he changes to a file which they don't have access.
0 Likes 0 ·
You can also have the information logged to say the Windows (application) logs. They can still clear those. We have an extra layer. A tool that reads the logs and stores that information else where.
0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.