Auditing engine bug in SQL 2008

by mmix July 21, 2009 13:17

There was an interesting topic in the [ES] forum that I moderate (Serbian); to put it bluntly, the guy wanted to use the new SQL Server 2008 auditing functionality to check which of his users is "peeking" inside the audit logs themselves ;), you know, the usual "who oversees the overseer" fallout. Just for a second we'll pretend that the would-be overseer won't copy the audit logs to his own instance of SQL Server ;) and that somehow he or she is forced to use SQL Server to do it. Since one has to use fn_get_audit_file to parse the binary representation of the audit log into a meaningful table-to-query, we naturally assumed we could hook EXECUTE on the master.sys.fn_get_audit_file function and this would solve the problem: you read the files => you get noted.

USE master;
go

CREATE DATABASE AUDIT SPECIFICATION AuditReadLogs
FOR SERVER AUDIT MyAuditSec
ADD (EXECUTE ON sys.fn_get_audit_file BY PUBLIC)
WITH (STATE = ON)
GO

Well, it was a long shot anyway (did I mention this didn't work?), but what happened is that SQL Server gave us the thumbs up:

Command(s) completed successfully.

Naturally, it did not work. To make matters worse, it is very unclear whether such a construction is possible to begin with, but one would assume an error message is in order if things are wrongly assumed, even if it's "hey, you can't audit that?!?". Just out of curiosity, I told the SQL manager to export the audit specification to see what SQL Server "understood" from our script. Much to my surprise, this is what I got:

CREATE DATABASE AUDIT SPECIFICATION [AuditReadLogs]
FOR SERVER AUDIT [MyAuditSec]
ADD (EXECUTE ON OBJECT:: BY [PUBLIC])
WITH (STATE = ON)
GO

Yes, you see it right, there is no object name, as in blank, so blank that if you try to execute this script you get the (Msg 156, Level 15, State 1, Line 3 Incorrect syntax near the keyword 'BY'.) greeting. At least we got the error here so that the circle of confusion can be closed. I reported this bug to Microsoft (link) after being forced to fill out one extremely annoying survey from the Microsoft sales team (you know the works, how many employees, are you the boss, can we spam you till kingdom come, etc., etc.); I almost gave up, but I heroically endured all that to bring this bug to light.
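Since "Command(s) completed successfully." says nothing about what was actually stored, the specification can be checked from the catalog views instead of scripting it out from the management tool. The query below is an added example, not part of the original post: it lists every audited action in the current database's audit specifications and flags object-level entries whose target does not resolve to an object name. How the blank entry shown above is represented in these views is an assumption; the post does not show it.

```sql
-- Added example, not from the original post.
-- Run in the database that holds the specification (master in the post).
USE master;
GO

SELECT
    spec.name                           AS specification_name,
    aud.name                            AS server_audit_name,
    spec.is_state_enabled,
    det.audit_action_name,              -- e.g. EXECUTE
    det.class_desc,                     -- DATABASE, SCHEMA or OBJECT_OR_COLUMN
    det.major_id,                       -- object_id when the class is an object
    SCHEMA_NAME(obj.schema_id)          AS object_schema,
    obj.name                            AS object_name,
    USER_NAME(det.audited_principal_id) AS audited_principal,
    CASE
        -- An object-level action must point at something that exists.
        -- Assumption: a "blank" target shows up as an id with no match
        -- in sys.all_objects (which also covers system objects).
        WHEN det.is_group = 0
         AND det.class_desc = 'OBJECT_OR_COLUMN'
         AND obj.object_id IS NULL
        THEN 'UNRESOLVED TARGET'
        ELSE 'ok'
    END                                 AS target_check
FROM sys.database_audit_specifications AS spec
JOIN sys.database_audit_specification_details AS det
    ON det.database_specification_id = spec.database_specification_id
LEFT JOIN sys.server_audits AS aud
    ON aud.audit_guid = spec.audit_guid
LEFT JOIN sys.all_objects AS obj
    ON det.class_desc = 'OBJECT_OR_COLUMN'
   AND obj.object_id = det.major_id
ORDER BY spec.name, det.audit_action_name;
GO
```

A row marked UNRESOLVED TARGET, or a specification with no detail rows at all, means the audit is not watching what the CREATE statement asked for, even though it was accepted without error.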

As for auditing the auditors, if you have any ideas, I'd love to hear them....
