Centrify DirectAudit for SQL installation
Question:
What are the pre-requisite permissions and connectivity requirements for DirectAudit?
Answers:
Summary
This KB article explains in detail which pre-requisites/features a SQL server needs in order to host DirectAudit databases. It also explains which database permissions are needed to create a DirectAudit installation, rotate an Audit Store database and upgrade DirectAudit databases to a newer version.
This KB article does not cover the DirectAudit application permissions (assigned to a user or group using the Audit Manager console) required to perform the above-mentioned administrative tasks. For more information on application permission requirements, please refer to the DirectManage Audit Manager help.
1, SQL server requirements
Common requirements
- Minimum version supported – Microsoft SQL 2005 Express Edition with Advanced Services (Microsoft SQL 2005 is not supported on Windows 8 and Server 2012)
- DirectAudit supports SQL Server 2014 Express, Standard and Enterprise
- The SQL server hosting the Management database and/or Audit Store database must have a login present for the NT AUTHORITY\SYSTEM account, and this login must be a member of the sysadmin fixed server role.
- For security reasons, the login for the NT AUTHORITY\SYSTEM account can be disabled; however, there are two exceptions. You cannot disable the login for the NT AUTHORITY\SYSTEM account if the SQL server hosting the Management database is running under the Local System account; the login also cannot be disabled if the Collector service is running on the SQL server hosting the Audit Store database (this is not common).
- The DirectAudit database setup process will automatically enable the CLR Integration feature of the SQL server. The same setup process will also mark the DirectAudit database being set up as trustworthy.
- If DirectAudit is monitoring systems across multiple forests connected via a one-way trust (typical DMZ scenario), the SQL server must reside in the internal domain and must support mixed mode authentication.
- Remote connections and the TCP/IP protocol must be enabled for the SQL server hosting DirectAudit databases. These settings can be found and configured under the SQL Server Network Configuration section of the SQL Server Configuration Manager tool.
Requirements specific to SQL server hosting Audit Store database
- The SQL server hosting the Audit Store database must have the Full-text search feature installed and enabled; this requirement does not apply to the SQL server hosting the Management database.
2, Permissions required to set up, rotate and upgrade DirectAudit databases
- The user setting up the DirectAudit installation/database must be a domain user and a member of the sysadmin fixed server role on the SQL server. The sysadmin privileges are only required for the initial setup and can be revoked once the installation setup is complete. If sysadmin rights cannot be assigned to the setup user, customers also have the option to generate SQL scripts that a DBA can run to pre-create the required databases manually.
- The user performing database rotation, i.e. creating a new Audit Store database (either using the Audit Manager console or the SDK), must be a domain user and a member of the sysadmin fixed server role on the SQL server. These privileges are also required only for the database creation process and can be revoked once the new Audit Store database is set up.
- The user performing a database upgrade (using setup.exe) must be a domain user and a member of the sysadmin fixed server role on the SQL server. If the DirectAudit databases that need an upgrade are hosted on more than one SQL server, the sysadmin rights must be assigned to the user on each of the SQL servers. These privileges are required only for the upgrade process and can be revoked once the database upgrade is complete. Beginning with Suite 2014, a user without sysadmin rights can upgrade the DirectAudit databases if that user is one of the owners of each of the databases and has the EXTERNAL ACCESS ASSEMBLY permission.
3, Enhancing database performance
- The default auto growth size/rate of SQL server is 1 Megabyte, which does not work well for DirectAudit. It is recommended to set the auto growth to 256 Megabytes (with the Unrestricted File Growth option) for the active Audit Store database in order to reduce allocation overheads.
- It’s strongly recommended to set the recovery mode of all Audit Store databases to SIMPLE. The recovery mode for the Management database can be set to FULL if needed.
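The following read-only T-SQL is an added example, not part of the original KB article or of Centrify's tooling. A DBA can run it to verify the requirements above and to confirm that sysadmin rights granted for setup, rotation or upgrade were revoked afterwards. The database name is a placeholder to replace with your own.

```sql
-- Added example: read-only checks, nothing here changes server configuration.
-- Placeholder (assumption): set this to the name of your active Audit Store database.
DECLARE @AuditStoreDb sysname;
SET @AuditStoreDb = N'<AuditStoreDatabaseName>';

-- 1. NT AUTHORITY\SYSTEM login: must exist and be a sysadmin member.
--    is_disabled = 1 is only acceptable outside the two exceptions listed above.
SELECT sp.name,
       sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.name = N'NT AUTHORITY\SYSTEM';

-- 2. Every current sysadmin member. Setup, rotation and upgrade users should
--    no longer appear here once their task is complete.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 3. Server-level features: CLR integration, Full-text search, authentication mode.
SELECT (SELECT CAST(value_in_use AS int)
        FROM sys.configurations
        WHERE name = N'clr enabled')           AS clr_enabled,
       SERVERPROPERTY('IsFullTextInstalled')      AS fulltext_installed,
       SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only; -- 0 = mixed mode

-- 4. User databases: TRUSTWORTHY flag and recovery model.
--    Only the DirectAudit databases are expected to be trustworthy because of setup;
--    Audit Store databases should show SIMPLE.
SELECT name, is_trustworthy_on, recovery_model_desc
FROM sys.databases
WHERE database_id > 4   -- skip master, tempdb, model, msdb
ORDER BY name;

-- 5. Auto growth of the active Audit Store database files.
--    growth is stored in 8 KB pages when is_percent_growth = 0;
--    the recommendation above corresponds to growth_mb = 256.
--    For data files, max_size = -1 means unrestricted growth.
SELECT mf.name, mf.type_desc, mf.is_percent_growth,
       CASE WHEN mf.is_percent_growth = 0
            THEN mf.growth * 8 / 1024 END AS growth_mb,
       mf.max_size
FROM sys.master_files AS mf
WHERE mf.database_id = DB_ID(@AuditStoreDb);
```

Run it from a login that can view server-level metadata; with lower privileges some rows in the role-membership and file listings are filtered out rather than reported as errors.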