Restrict disabling SQL Server audit

Question

question

liton asked Jun 17, '13

Restrict disabling SQL Server audit

Is there a way to password protect sql server audits? I’m creating an audit specification to record the DML statement and there are few people who have the sysadmin role in the sql server instance. I don’t want to remove their sysadmin role and in the mean time I want them to be able to disable the Sql Server audit. I want to be able to audit the database without worrying about that someone could disable the audit then make changes to the database.

security audit

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 1 · 2013-06-17T14:33:01Z

sqlaj 1 answered Jun 17, '13

True anyone in the sysadmin role can alter the audits at the server level. Be mindful of users with .dbo access at the database level as well. Take a look here for auditing information. http://msdn.microsoft.com/en-us/library/cc280386.aspx I am pretty sure you can audit changes made to the audit. :)

3

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

sqlaj 1 commented · Jun 17, 2013 at 02:37 PM

Yup, as I thought. See this audit spec. "AUDIT_CHANGE_GROUP" "This event is raised whenever any audit is created, modified or deleted."

0 ·

liton commented · Jun 17, 2013 at 02:54 PM

Great, this is what I was looking for. Thanks. The only other concern that I might have is that they can remove (delete) the audit but I guess I can still can check the file to see the changes. I'm saving he changes to a file which they don't have access.

0 ·

sqlaj 1 commented · Jun 17, 2013 at 03:14 PM

You can also have the information logged to say the Windows (application) logs. They can still clear those. We have an extra layer. A tool that reads the logs and stores that information else where.

0 ·

question