2

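I've been working on a template to deploy SQL/XSS injection detection. Everything works fine except for enabling the auditing settings. In the documentation, I see the following: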

{
  "name": "default",
  "type": "Microsoft.Sql/servers/databases/auditingSettings",
  "apiVersion": "2017-03-01-preview",
  "properties": {
    "state": "string",
    "storageEndpoint": "string",
    "storageAccountAccessKey": "string",
    "retentionDays": "integer",
    "auditActionsAndGroups": [
      "string"
    ],
    "storageAccountSubscriptionId": "string",
    "isStorageSecondaryKeyInUse": boolean
  }
}

I believe I have followed this structure. See my full code here, or the snippet here:

  - apiVersion: 2017-03-01-preview
    type: Microsoft.Sql/servers/auditingSettings
    name: "[concat(parameters('sqlServerName'), '/auditing-default')]"
    dependsOn:
      - "[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
    properties:
      state: Enabled
      storageEndpoint: "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')),
        '2018-03-01-preview').PrimaryEndpoints.Blob]"
      storageAccountAccessKey: "[listKeys(resourceId('Microsoft.Storage/storageAccounts',
        parameters('storageAccountName')), '2018-03-01-preview').keys[0].value]"
      retentionDays: 0
      storageAccountSubscriptionId: "[subscription().subscriptionId]"
      isStorageSecondaryKeyInUse: false

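I see there is a difference between servers/databases, with the type being just /servers, but I actually borrowed this code from the Azure quickstarts, from the specific file here, where the code is as follows: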

{
        "apiVersion": "2017-03-01-preview",
        "type": "Microsoft.Sql/servers/auditingSettings",
        "name": "[concat(parameters('sqlServerName'), '/', 'default')]",
        "properties": {
          "state": "Enabled",
          "storageEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2018-03-01-preview').PrimaryEndpoints.Blob]",
          "storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2018-03-01-preview').keys[0].value]",
          "retentionDays": 0,
          "auditActionsAndGroups": null,
          "storageAccountSubscriptionId": "[subscription().subscriptionId]",
          "isStorageSecondaryKeyInUse": false
        }
      }

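The official documentation doesn't seem to have any information on adding auditingSettings at the server level, yet here the type is directly under servers, so I'm a bit lost. I haven't looked into the schema yet, but any help/guidance on what might be going on here would be greatly appreciated!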

4

3 Answers

3

We recently published a template that shows how to deploy an Azure SQL Server with server auditing enabled.

The full example is here: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sql/sql-auditing-server-policy-to-blob-storage

answered 2018-12-18T12:54:56.830
0

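As the other answers return 404, here is a complete list of instructions to get the basics working in ARM for auditing at the SQL Server level. This will therefore audit all databases in the SQL Server.

First, create a parameter for the names of your SQL Server and storage account: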

"sqlServerName": {
  "type": "string"
},
"auditingStorageAccountName": {
  "type": "string"
}

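Then create a storage account in your resources section to store your audit records; this example will replicate the audit blobs to the paired region (RA-GRS). The network ACLs must be added explicitly as shown so that Azure can write the audit logs. This example also uses the storage account's assigned key, but a managed identity can also be used: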

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2019-06-01",
  "name": "[parameters('auditingStorageAccountName')]",
  "location": "[resourceGroup().location]",
  "sku": {
    "name": "Standard_RAGRS",
    "tier": "Standard"
  },
  "kind": "StorageV2",
  "properties": {
    "networkAcls": {
      "bypass": "AzureServices",
      "virtualNetworkRules": [],
      "ipRules": [],
      "defaultAction": "Allow"
    },
    "supportsHttpsTrafficOnly": true,
    "allowBlobPublicAccess": false,
    "encryption": {
      "services": {
        "blob": {
          "keyType": "Account",
          "enabled": true
        }
      },
      "keySource": "Microsoft.Storage"
    },
    "accessTier": "Hot"
  }
},
...

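Finally, add the auditing settings themselves. This example is for a resource added at the root (i.e. directly in "resources": {}); to add it as a child resource of the SQL Server itself, the type would need to be just "auditingSettings". A retention of zero days means audit records are kept indefinitely. The subscription ID must be added explicitly, otherwise the settings do not display correctly when viewed in the portal: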

{
  "type": "Microsoft.Sql/servers/auditingSettings",
  "name": "[concat(parameters('sqlServerName'), '/default')]",
  "apiVersion": "2020-11-01-preview",
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]",
    "[resourceId('Microsoft.Storage/storageAccounts', parameters('auditingStorageAccountName'))]"
  ],
  "properties": {
    "retentionDays": 0,
    "state": "Enabled",
    "storageEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('auditingStorageAccountName'))).primaryEndpoints.blob]",
    "storageAccountAccessKey": "[listKeys(parameters('auditingStorageAccountName'), '2019-06-01').keys[0].value]",
    "storageAccountSubscriptionId": "[subscription().subscriptionId]"
  }
},
...
answered 2021-05-05T11:00:46.410
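A pre-deployment check for the pieces this answer walks through, as an added example that is not part of the original post or of any Azure tooling. It covers only root-level resources and the blob-storage target, understands only plain names and simple `concat()` name expressions, and expects the settings name `default` as in the documentation snippet quoted in the question; the sample template and the function names are constructed for illustration.

```python
import json
import re

AUDIT_TYPE = "microsoft.sql/servers/auditingsettings"
STORAGE_TYPE = "microsoft.storage/storageaccounts"

def name_segments(name):
    """Split a resource name into segments (plain string or simple concat() expression)."""
    if name.startswith("[") and name.endswith("]"):
        expr = re.sub(r"(parameters|variables)\('[^']*'\)", "'{p}'", name[1:-1])
        name = "".join(re.findall(r"'([^']*)'", expr))
    return name.split("/")

def lint(template):
    findings = []
    for res in template.get("resources", []):
        rtype, props = res.get("type", "").lower(), res.get("properties", {})
        if rtype == AUDIT_TYPE:
            segs = name_segments(res.get("name", ""))
            # Root-level type servers/auditingSettings needs a two-segment name
            if len(segs) != 2:
                findings.append("audit: name must be '<server>/default' at root level")
            elif segs[1] != "default":
                findings.append("audit: settings name is %r, expected 'default'" % segs[1])
            if props.get("state") != "Enabled":
                findings.append("audit: state is not Enabled")
            if not props.get("storageEndpoint"):
                findings.append("audit: storageEndpoint missing")
        elif rtype == STORAGE_TYPE:
            # The answer requires explicit network ACLs so Azure can write audit logs
            if "AzureServices" not in props.get("networkAcls", {}).get("bypass", ""):
                findings.append("storage: networkAcls.bypass lacks AzureServices")
            if props.get("allowBlobPublicAccess") is not False:
                findings.append("storage: allowBlobPublicAccess is not false")
            if props.get("supportsHttpsTrafficOnly") is not True:
                findings.append("storage: supportsHttpsTrafficOnly is not true")
    return findings

# Constructed sample template, for illustration only
SAMPLE = json.loads("""{"resources": [
 {"type": "Microsoft.Sql/servers/auditingSettings",
  "name": "[concat(parameters('sqlServerName'), '/auditing-default')]",
  "properties": {"state": "Enabled", "storageEndpoint": "https://example.invalid/"}},
 {"type": "Microsoft.Sql/servers/auditingSettings", "name": "default",
  "properties": {"state": "Disabled"}},
 {"type": "Microsoft.Storage/storageAccounts", "name": "auditstore",
  "properties": {"supportsHttpsTrafficOnly": true, "allowBlobPublicAccess": false}}]}""")

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
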
-1

For those looking for guidance on enabling server-level auditing to a Log Analytics workspace, I found this GitHub link

answered 2020-10-09T16:43:36.087