三、安全审计(8.1.4.3)
3.1 SQL Server审计配置
-- 22. 查看服务器级审计配置
SELECT
name AS[审计名],
type_desc AS[类型],
status_desc AS[状态],
is_state_enabled AS[已启用],
create_date,
modify_date
FROM sys.server_audits;
-- 23. 查看审计详细配置(文件路径、大小等)
SELECT
name,
type_desc,
status_desc,
is_state_enabled,
audit_file_path AS[文件路径],
max_file_size AS[最大文件大小],
max_rollover_files AS[最大轮转文件数],
queue_delay AS[队列延迟毫秒],
on_failure_desc AS[失败时操作]
FROM sys.server_audits
WHERE type_desc ='FILE';
-- 24. 查看服务器审计规范(审计哪些操作)
SELECT
s.name AS[审计名],
sp.name AS[规范名],
sp.is_state_enabled AS[规范启用],
audit_action_name AS[审计动作],
class_desc AS[对象类型],
is_group AS[是否动作组]
FROM sys.server_audit_specifications sp
JOIN sys.server_audits s ON sp.audit_guid = s.audit_guid
JOIN sys.server_audit_specification_details spd ON sp.server_specification_id = spd.server_specification_id
WHERE sp.is_state_enabled =1;
-- 25. 查看数据库级审计(所有数据库)
EXEC sp_MSforeachdb '
USE [?];
IF EXISTS (SELECT 1 FROM sys.database_audits)
SELECT
DB_NAME() AS [数据库],
name AS [审计名],
type_desc,
is_state_enabled,
audit_file_path
FROM sys.database_audits;
';
-- 26. 查看数据库审计规范
EXEC sp_MSforeachdb '
USE [?];
IF EXISTS (SELECT 1 FROM sys.database_audit_specifications)
SELECT
DB_NAME() AS [数据库],
sp.name AS [规范名],
sp.is_state_enabled,
spd.audit_action_name,
spd.class_desc
FROM sys.database_audit_specifications sp
JOIN sys.database_audit_specification_details spd ON sp.database_specification_id = spd.database_specification_id;
';
-- 27. 查看当前审计日志状态(最近写入时间)
SELECT
name,
status_desc,
type_desc,
audit_file_path,
(SELECTMAX(event_time)FROM sys.fn_get_audit_file(audit_file_path,DEFAULT,DEFAULT))AS[最后事件时间]
FROM sys.server_audits
WHERE type_desc ='FILE'AND status_desc ='STARTED';
3.2 扩展事件与日志分析
-- 28. 查看扩展事件会话(XEvents,轻量级审计)
SELECT
name,
status_desc AS[状态],
start_time,
target_name AS[目标类型]
FROM sys.dm_xe_sessions
ORDERBY name;
-- 29. 查看默认跟踪是否启用(SQL Server 2016及之前)
SELECT
status,
path,
max_size,
stop_time
FROM sys.traces
WHERE is_default =1;
-- 30. 查看错误日志配置
EXEC xp_readerrorlog 0,1, N'Logging';-- 查看日志配置信息
-- 31. 查看最近登录审计(需启用审计或扩展事件)
-- 方法1:使用fn_get_audit_file读取审计文件
SELECT
event_time,
action_id,
action_name,
succeeded,
session_server_principal_name AS[登录名],
server_instance_name,
database_name,
schema_name,
object_name,
statement
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit',DEFAULT,DEFAULT)
WHERE action_name IN('LOGIN','LOGOUT','FAILED_LOGIN_GROUP')
ORDERBY event_time DESC
OFFSET0ROWSFETCHNEXT100ROWS ONLY;
-- 32. 查看权限变更审计记录
SELECT
event_time,
action_name,
session_server_principal_name,
database_name,
schema_name,
object_name,
statement,
succeeded
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit',DEFAULT,DEFAULT)
WHERE action_name IN('GRANT','REVOKE','DENY','ALTER','CREATE','DROP')
ORDERBY event_time DESC;