SQL Server 2005: Turning Off C2 Auditing

This article covers SQL Server C2 auditing using C2 audit mode, including an introduction, a comparison of auditing technologies, configuration, and Common Criteria compliance.

Introduction

Auditing is a key aspect of an IT system for many reasons, such as compliance and troubleshooting. SQL Server offers several ways of configuring auditing at different levels. Although customizable, configurable auditing mechanisms exist, there is also a need for a predefined, standard auditing mechanism that end users can simply enable.

Different Auditing Configurations

As indicated before, there are several options for auditing in SQL Server.

| Option | Pros | Cons |
| --- | --- | --- |
| Server and Database Audit | Customizable to any granular level | A lot of configuration is needed |
| Triggers | DML/DDL triggers can be implemented at a granular level | Performance is impacted |
| System Views | Available out of the box | Limited auditing options; most of the time they provide the current state only |
| SQL Profiler | Customizable to any granular level | Performance is impacted |
| Extended Events | Customizable to any granular level | Configuration is needed |

Solution

C2 Auditing and Common Criteria Compliance are two internationally accepted auditing standards.

C2 audit mode is the auditing option that can be used to meet such an auditing standard. Enabling it lets the administrator turn on a comprehensive type of audit logging. It is named C2 audit mode because the logging takes the form specified by U.S. Department of Defense regulations for certification at the C2 level of trust. Those regulations were specified in a document called the Trusted Computer System Evaluation Criteria, often referred to as the "Orange Book" in the "Rainbow Series." The Orange Book is now deprecated in favor of the Common Criteria. Nonetheless, C2 Auditing is still a commonly used term.

C2 audit mode generally means assigning a unique generated audit ID to each group of related processes, starting at login. Thereafter, certain forms of system calls performed by every process are logged with the audit ID.

Configuring C2 Auditing in SQL Server

The C2 audit mode feature is available in on-premises editions of SQL Server but not in Azure SQL Server Database, Azure SQL Data Warehouse or Parallel Data Warehouse. Azure has separate auditing options.

C2 audit mode can be configured in multiple ways. The following is the configuration through the user interface: under the server properties, in the Security tab, the following option can be selected to enable C2 audit mode.

In the above figure, there is another option, Common Criteria compliance, which will be discussed later.

This can also be accomplished with T-SQL.

--Enabling C2 Auditing
EXEC sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
EXEC sp_configure 'c2 audit mode', 1;
GO
RECONFIGURE WITH OVERRIDE;
GO

The output is as follows.

Configuration option ‘show advanced options’ changed from 1 to 1. Run the RECONFIGURE statement to install.

Configuration option ‘c2 audit mode’ changed from 0 to 1. Run the RECONFIGURE statement to install.

SQL Server needs to be restarted for this configuration to take effect.

When the SQL Server instance is started, the audit log is written to a trace file in the \mssql\data directory for default instances or the \mssql$instancename\data directory for named instances. For example, C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\DATA is the folder for traces. The trace file name has the format audittrace_yyyymmddhhmmss.trc, where the second part of the name indicates the date and time when the trace file was created. Since these logs are created in a folder, Windows permissions need to be applied to secure the audit files.

This trace file can be read in SQL Profiler by opening the tool and then opening the trace file.

The following T-SQL query can also be used to retrieve the audit data from traces.

--Retrieving C2 Audited Data
SELECT *
FROM sys.fn_trace_gettable('C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\DATA\audittrace20181213003156.trc', default);

The advantage of this is that users can join, filter or group the data for better analysis. For troubleshooting, it is much better to import traces into a database table, where you have the option of adding indexes to improve performance.
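Importing the trace into a table as described above, as an added example that is not part of the original article: dbo.C2AuditTrace and the index name are hypothetical, and the file path is the one used in the query above.

```sql
-- Added example: load a C2 audit trace into a table for indexed analysis.
-- dbo.C2AuditTrace and the index name are hypothetical; point @TraceFile at your own trace.
DECLARE @TraceFile nvarchar(260) =
    N'C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\DATA\audittrace20181213003156.trc';

-- Import the file; DEFAULT also reads the rollover files that follow it.
SELECT t.EventClass, t.StartTime, t.LoginName, t.HostName, t.ApplicationName,
       t.DatabaseName, t.ObjectName, t.Success, t.TextData
INTO dbo.C2AuditTrace
FROM sys.fn_trace_gettable(@TraceFile, DEFAULT) AS t;

-- Index the columns used for filtering and grouping below.
CREATE NONCLUSTERED INDEX IX_C2AuditTrace_Login_Time
    ON dbo.C2AuditTrace (LoginName, StartTime)
    INCLUDE (EventClass, Success);

-- Activity per login and event type, with failed events (Success = 0) counted separately.
SELECT a.LoginName,
       e.name AS EventName,
       COUNT(*) AS Events,
       SUM(CASE WHEN a.Success = 0 THEN 1 ELSE 0 END) AS Failed,
       MIN(a.StartTime) AS FirstSeen,
       MAX(a.StartTime) AS LastSeen
FROM dbo.C2AuditTrace AS a
JOIN sys.trace_events AS e
    ON e.trace_event_id = a.EventClass   -- translate event ids into event names
GROUP BY a.LoginName, e.name
ORDER BY Failed DESC, Events DESC;
```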

The trace file rolls over at a fixed size of 200 MB, and a new trace file is created after the SQL Server database engine restarts. It is important to note that C2 auditing can consume a huge amount of disk space on an active system in a short amount of time, because every auditing option is stored in the trace file. Also, if C2 audit mode fails, the SQL Server instance will be shut down. This means that auditing takes priority over the SQL Server database engine's user operations, so administrators have to take extra care of SQL Server systems where C2 auditing is enabled.

To disable C2 audit mode on a temporary basis, you need to restart SQL Server with the -f flag. If SQL Server shut down due to a failure of C2 auditing, disable C2 audit mode temporarily, then disable C2 auditing after restarting the SQL Server instance.

A major disadvantage of C2 audit mode, apart from the huge storage it requires, is the performance impact on the SQL Server instance. An advantage of C2 auditing is that the data is saved in trace files that can be backed up. However, since these trace files are stored outside of SQL Server, security needs to be applied to protect them.

Common Criteria Compliance

C2 auditing has been deprecated by the Common Criteria specification, which was developed by the European Union. Common Criteria Compliance is an internationally recognized set of guidelines for the security of information technology products. It is applied to operating systems, databases, network devices, smart cards, etc. Common Criteria certified products have been rigorously evaluated by accredited third-party security labs.

This option is available in the same versions as C2 audit mode, but Common Criteria Compliance is available in the Enterprise and Datacenter editions of SQL Server 2008 R2 and later versions. With respect to SQL Server, whether you comply with C2 or Common Criteria, the audit result is similar. With Common Criteria Compliance, audited data can be viewed from system views, which is more secure than C2 audit mode.

Similar to C2 Auditing, Common Criteria Compliance can be enabled from the same Security tab of the Server Properties dialog, as shown below.

This can be done from T-SQL as shown below:

--Enabling common criteria compliance
EXEC sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
EXEC sys.sp_configure N'common criteria compliance enabled', N'1';
GO
RECONFIGURE WITH OVERRIDE;
GO

As with C2 audit mode, SQL Server needs to be restarted for this configuration to take effect.

Common Criteria Compliance allows the following to occur:

  • Residual Information Protection (RIP)
  • The ability to view login statistics
  • That column GRANT should not override table DENY

These login statistics can be viewed by querying the sys.dm_exec_sessions dynamic management view. The last login date and time and the last unsuccessful login date and time are available in sys.dm_exec_sessions, but they are not recorded unless Common Criteria Compliance is enabled.

The following are the Common Criteria Compliance related columns in the sys.dm_exec_sessions DMV.

SELECT session_id, login_name, last_successful_logon, last_unsuccessful_logon, unsuccessful_logons
FROM sys.dm_exec_sessions;

In Common Criteria Compliance, the major advantage is that the auditing data is stored in the database instance itself. However, a workaround should be applied to keep historical data, as the dm_exec_sessions DMV does not store it.
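One possible workaround for keeping that history, as an added example that is not from the original article: it snapshots the login statistics into a hypothetical dbo.LoginStatsHistory table and assumes the INSERT batch is run on a schedule, for instance from a SQL Server Agent job.

```sql
-- Added example: persist the Common Criteria login statistics from sys.dm_exec_sessions.
-- dbo.LoginStatsHistory is a hypothetical table name.
IF OBJECT_ID(N'dbo.LoginStatsHistory', N'U') IS NULL
    CREATE TABLE dbo.LoginStatsHistory (
        captured_at             datetime      NOT NULL DEFAULT (GETDATE()),
        session_id              smallint      NOT NULL,
        original_login_name     nvarchar(128) NOT NULL,
        login_time              datetime      NOT NULL,
        host_name               nvarchar(128) NULL,
        last_successful_logon   datetime      NULL,
        last_unsuccessful_logon datetime      NULL,
        unsuccessful_logons     bigint        NULL,
        CONSTRAINT PK_LoginStatsHistory
            PRIMARY KEY (original_login_name, login_time, session_id)
    );
GO

-- Scheduled step: store each user session once, identified by login, login time and session id.
-- The three logon columns are tracked per original login, so that name is kept as the key.
INSERT INTO dbo.LoginStatsHistory
    (session_id, original_login_name, login_time, host_name,
     last_successful_logon, last_unsuccessful_logon, unsuccessful_logons)
SELECT s.session_id, s.original_login_name, s.login_time, s.host_name,
       s.last_successful_logon, s.last_unsuccessful_logon, s.unsuccessful_logons
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND NOT EXISTS (SELECT 1
                  FROM dbo.LoginStatsHistory AS h
                  WHERE h.original_login_name = s.original_login_name
                    AND h.login_time = s.login_time
                    AND h.session_id = s.session_id);
GO

-- Review: logins whose sessions reported failed attempts before logging on.
SELECT original_login_name,
       MAX(last_unsuccessful_logon) AS last_failure,
       MAX(unsuccessful_logons)     AS max_failed_before_logon,
       COUNT(*)                     AS sessions_recorded
FROM dbo.LoginStatsHistory
WHERE unsuccessful_logons > 0
GROUP BY original_login_name
ORDER BY last_failure DESC;
```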

Summary

Any auditing mechanism has an impact on the performance of the system. In terms of performance, Common Criteria Compliance is better than C2 audit mode. Feature-wise, C2 Auditing is better than Common Criteria Compliance.

In SQL Server, administrators have the option of enabling both C2 audit mode and Common Criteria Compliance.

Translated from: https://www.sqlshack.com/c2-auditing-sql-server-auditing-and-common-criteria-compliance-using-c2-audit-mode/
