Activer l’audit de sécurité

Plutôt que de journaliser les connexions dans l’errorlog, activer l’audit de sécurité : plus sûr, moins polluant et plus complet…

/*-------------------------------------------------------------------
[SCRIPT] Configure security audit  
[DATABASE] master
[Date] 20210815
[DESCRIPTION] configure security audit
[MAJ PAR] DATAFLY - Arian Papillon
-------------------------------------------------------------------*/
DECLARE @sql NVARCHAR(MAX);
DECLARE @errorlogpath NVARCHAR(1000);
SELECT @errorlogpath = LEFT(path, LEN(path) - 1)
FROM sys.dm_os_server_diagnostics_log_configurations;
-- Create server audit
IF EXISTS (SELECT * FROM sys.server_audits WHERE name = 'Security-Audit')
    PRINT 'Security Audit already existing, not modified';
ELSE
BEGIN
    SET @sql
        = N'CREATE SERVER AUDIT [Security-Audit]
TO FILE
(    FILEPATH = ''' + @errorlogpath
          + N'''
    ,MAXSIZE = 100 MB
    ,MAX_ROLLOVER_FILES = 10
    ,RESERVE_DISK_SPACE = OFF
) WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);';

    EXEC (@sql);

    -- Add server audit specifications
    SET @sql
        = N'
    CREATE SERVER AUDIT SPECIFICATION [Security-Audit-Specification]
    FOR SERVER AUDIT [Security-Audit]
--        ADD (SUCCESSFUL_LOGIN_GROUP),
       ADD (FAILED_LOGIN_GROUP)
      , ADD (AUDIT_CHANGE_GROUP)
      , ADD (SERVER_PRINCIPAL_CHANGE_GROUP)
      , ADD (LOGIN_CHANGE_PASSWORD_GROUP)
      , ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
      , ADD (SERVER_PERMISSION_CHANGE_GROUP);
    -- Audit activation
    ALTER SERVER AUDIT [Security-Audit]
    WITH (STATE = ON);
    ALTER SERVER AUDIT SPECIFICATION [Security-Audit-Specification]
    WITH (STATE = ON);';

    EXEC (@sql);
END;
GO

/*-------------------------------------------------------------------

[SCRIPT] Configure security audit

[DATABASE] master

[Date] 20210815

[DESCRIPTION] configure security audit

[MAJ PAR] DATAFLY - Arian Papillon

-------------------------------------------------------------------*/

DECLARE @sql NVARCHAR(MAX);

DECLARE @errorlogpath NVARCHAR(1000);

SELECT @errorlogpath = LEFT(path, LEN(path) - 1)

FROM sys.dm_os_server_diagnostics_log_configurations;

-- Create server audit

IF EXISTS (SELECT * FROM sys.server_audits WHERE name = 'Security-Audit')

PRINT 'Security Audit already existing, not modified';

ELSE

BEGIN

SET @sql

= N'CREATE SERVER AUDIT [Security-Audit]

TO FILE

( FILEPATH = ''' + @errorlogpath

+ N'''

,MAXSIZE = 100 MB

,MAX_ROLLOVER_FILES = 10

,RESERVE_DISK_SPACE = OFF

) WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);';

EXEC (@sql);

-- Add server audit specifications

SET @sql

= N'

CREATE SERVER AUDIT SPECIFICATION [Security-Audit-Specification]

FOR SERVER AUDIT [Security-Audit]

-- ADD (SUCCESSFUL_LOGIN_GROUP),

ADD (FAILED_LOGIN_GROUP)

, ADD (AUDIT_CHANGE_GROUP)

, ADD (SERVER_PRINCIPAL_CHANGE_GROUP)

, ADD (LOGIN_CHANGE_PASSWORD_GROUP)

, ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)

, ADD (SERVER_PERMISSION_CHANGE_GROUP);

-- Audit activation

ALTER SERVER AUDIT [Security-Audit]

WITH (STATE = ON);

ALTER SERVER AUDIT SPECIFICATION [Security-Audit-Specification]

WITH (STATE = ON);';

EXEC (@sql);

END;