Security vs. Monitoring – Puzzle: SOLVED

In this post I will talk a bit about security and monitoring and show you one particular case.

There are many monitoring tool which is used, for example Tivoli or Nagios. These tools technically do the same thing: keep checking the servers and services like SQL Server services and in case of any problem in some way they notify the operator about the problem.

For doing this, these tools need to have access not just to the operating system but to the sql server as well. The real concern here is what kind of permission is needed for the monitoring tool’s user or what kind of permissions can be granted.

Servers which contain sensitive data, like credit card data have to meet  certain auditing requirements. Here is the main rule: Never give more permission to a user than it’s really necessary. Any deviation from the standards have to be explained, and usually some additional action has to be taken in this case!

Minimum permission for a monitoring user:
VIEW SERVER STATE
Membership in the public role in the databases which need to be monitored.

Most of the time these permissions are enough, but sometimes unfortunately not and that’s where our case come into the picture. So let’s see it.

Our customer implemented the Nagios to monitor the sql server instances and the databases as well. We set the minimum permissions to the nagios user. However there was one stored procedure sp_monitor, which is also used by Nagios and which has a strong restriction: executing this stored procedure requires membership in the sysadmin fixed server role.

Remember to the main rule! Granting sysadmin server role to a simple monitoring user not just ‘more than it’s necessary’ but this would be the biggest permission we can even grant. So obviously  we did not give that permission to the user mentioned.

I think the workaround is a well known one, a really easy one, unfortunately I did find comments in certain forums which said (Let me strikethrough this because it is evil!): ‘give sysadmin role to the user‘. NEVER EVER!

First I thought that I just post my solution, but I think it would be good if you share your ideas with me and then I will post every different solution.

So please send your solution to me / robertATsqlapprenticeDOTnet / or leave a comment and let’s show how easy to handle a situation like this.

Thanks!

My solution.

This entry was posted in Security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *