From bb404b6ce61c3098431fc09d9891d9bbe669723d Mon Sep 17 00:00:00 2001 From: Thierry Schork Date: Wed, 31 Jan 2024 14:50:39 +0100 Subject: [PATCH] sync --- DBG - Scripter les jobs.sql | 3 +- DBG - check SA login errors.sql | 5 +- DBG - syncro H debug.sql | 8 +- DELPHIX - count tables per schemas.sql | 58 +++++ EXPLOIT - recovery pending.sql | 14 ++ SWTRIATEST01 - tde enabling.sql | 35 +++ TDE - scripts to init and rotate keys.sql | 256 ++++++++++++++++++++++ 7 files changed, 370 insertions(+), 9 deletions(-) create mode 100644 DELPHIX - count tables per schemas.sql create mode 100644 EXPLOIT - recovery pending.sql create mode 100644 SWTRIATEST01 - tde enabling.sql create mode 100644 TDE - scripts to init and rotate keys.sql diff --git a/DBG - Scripter les jobs.sql b/DBG - Scripter les jobs.sql index 7021db3..fef97e8 100644 --- a/DBG - Scripter les jobs.sql +++ b/DBG - Scripter les jobs.sql @@ -65,7 +65,8 @@ DECLARE @job_id UNIQUEIDENTIFIER = NULL, SELECT sj.job_id,sj.name, sj.[enabled], sj.[description], sj.start_step_id, sj.category_id, sj.owner_sid, sj.notify_level_eventlog, sj.notify_level_email, sj.notify_level_netsend, sj.notify_level_page, sj.notify_email_operator_id, sj.notify_netsend_operator_id, sj.notify_page_operator_id, sj.delete_level FROM msdb.dbo.sysjobs sj JOIN msdb.dbo.[syscategories] sc ON sc.[category_id] = sj.[category_id] -WHERE LOWER(sj.name) NOT LIKE '%distribution%' +WHERE 1=1 + AND LOWER(sj.name) NOT LIKE '%distribution%' AND LOWER(sj.name) NOT LIKE '%subscription%' AND LOWER(sj.name) NOT LIKE '%replication%' AND LOWER(sj.name) NOT LIKE '%ActivePos_read-%' diff --git a/DBG - check SA login errors.sql b/DBG - check SA login errors.sql index b1bfc42..76181fb 100644 --- a/DBG - check SA login errors.sql +++ b/DBG - check SA login errors.sql 
@@ -13,9 +13,6 @@ EXEC sys.xp_readerrorlog 0; SELECT * FROM @log l WHERE [l].[logMessage] LIKE '%''sa''%' -AND [l].[logDate]>'20231113' +AND [l].[logDate]>'20231120' -SELECT * -FROM msdb.dbo.sysjobs j -WHERE name LIKE 'D90700%' \ No newline at end of file diff --git a/DBG - syncro H debug.sql b/DBG - syncro H debug.sql index d0904c5..dd6e12f 100644 --- a/DBG - syncro H debug.sql +++ b/DBG - syncro H debug.sql @@ -22,15 +22,15 @@ select amr.AMR_horizontal_extraction_TS, amr.AMR_aps_ts, amr.AMR_extraction_time from aps_monitor_row amr ( nolock) join APS_monitor_table amt on amt.APS_monitor_table_ID = amr.AMR_APS_monitor_table -where amr.AMR_APS_TS BETWEEN '2023-06-15' AND '2023-06-15 23:59:59' /* Flag comme extrait */ - and amt.AMT_table_name = 'PH_item_regulation_info' /* Table en erreur */ +where amr.AMR_APS_TS BETWEEN '2023-11-21' AND '2023-11-21 23:59:59' /* Flag comme extrait */ + and amt.AMT_table_name = 'item_key' /* Table en erreur */ /* AMR totaux */ select amr.AMR_horizontal_extraction_TS, amr.AMR_aps_ts, amr.AMR_extraction_timestamp, amr.* from aps_monitor_row amr ( nolock) join APS_monitor_table amt on amt.APS_monitor_table_ID = amr.AMR_APS_monitor_table -where amr.AMR_APS_TS BETWEEN '2023-06-15' AND '2023-06-15 23:59:59' /* Flag comme extrait */ +where amr.AMR_APS_TS BETWEEN '2023-11-21' AND '2023-11-21 23:59:59' /* Flag comme extrait */ --and AMR_APS_monitor_table = 460 /* Item_Key */ --#endregion @@ -43,7 +43,7 @@ UPDATE aps_monitor_row SET AMR_horizontal_extraction_TS = NULL, AMR_extraction_timestamp = NULL WHERE AMR_APS_TS BETWEEN '2023-06-15' AND '2023-06-15 23:59:59' /* Flag comme extrait */ - AND AMR_APS_monitor_table NOT IN (1817) /* Item_Key */ /* (334700 rows affected) */ + AND AMR_APS_monitor_table NOT IN (1817) /* Item_Key = 460*/ /* (334700 rows affected) */ /**************************/ /* Etapes de la synchro H (Step 3)*/ 
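Review bot: The re-dated predicate `where amr.AMR_APS_TS BETWEEN '2023-11-21' AND '2023-11-21 23:59:59'` is a closed range, so depending on the column's precision rows stamped after 23:59:59 and before midnight fall outside it; `where amr.AMR_APS_TS >= '2023-11-21' and amr.AMR_APS_TS < '2023-11-22'` covers the whole day, stays sargable, and the same applies to the second select in this hunk. The UPDATE in the following hunk still filters on `'2023-06-15'` while both selects were moved to 2023-11-21; if the update is meant to follow the selects that date was missed, otherwise a comment saying it is intentionally frozen would avoid the question. The `(nolock)` hint on a select over rows the script later updates can return rows twice or miss them; acceptable for a scratch query, but worth a short comment so the counts are not taken as exact.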
diff --git a/DELPHIX - count tables per schemas.sql b/DELPHIX - count tables per schemas.sql
new file mode 100644
index 0000000..f6532d7
--- /dev/null
+++ b/DELPHIX - count tables per schemas.sql
@@ -0,0 +1,58 @@
+USE master;
+
+IF OBJECT_ID('tempdb..#dbs')IS NOT NULL BEGIN;
+ DROP TABLE #dbs;
+END;
+
+SELECT [db].[name]
+INTO #dbs
+ FROM sys.databases db
+ WHERE [db].[name] NOT IN ( 'master', 'msdb', 'tempdb', 'distribution', 'model', 'symbiose', 'arizonaCash', 'activerob', 'SSISDB' );
+
+IF OBJECT_ID('tempdb..#TblCountBySchema')IS NOT NULL BEGIN;
+ DROP TABLE #TblCountBySchema;
+END;
+
+CREATE TABLE #TblCountBySchema(
+ [db_name] varchar(255) NOT NULL,
+ [schema_name] varchar(255) NOT NULL,
+ [tables_count] int NOT NULL
+
+ ,CONSTRAINT pk_tblCountBySchema PRIMARY KEY ([db_name], [schema_name])
+)
+
+DECLARE @tpl VARCHAR(MAX)='
+use @db@
+
+INSERT INTO #TblCountBySchema([db_name], [schema_name], [tables_count])
+SELECT
+ ''@db@'' as [db_name],
+ [t].[TABLE_SCHEMA] as [schema_name],
+ COUNT(1) AS table_count
+FROM [INFORMATION_SCHEMA].[TABLES] t
+GROUP BY [t].[TABLE_SCHEMA];
+'
+
+/* declare variables */
+DECLARE @dbName VARCHAR(255)
+
+DECLARE csr_db CURSOR FAST_FORWARD READ_ONLY FOR SELECT name FROM [#dbs]
+
+OPEN csr_db
+
+FETCH NEXT FROM csr_db INTO @dbName
+
+WHILE @@FETCH_STATUS = 0
+BEGIN
+ DECLARE @stmt NVARCHAR(MAX) = REPLACE(@tpl, '@db@', @dbName);
+ PRINT @stmt;
+ EXEC sp_executesql @stmt, N'';
+
+ FETCH NEXT FROM csr_db INTO @dbName
+END
+
+CLOSE csr_db
+DEALLOCATE csr_db
+
+SELECT *
+FROM [#TblCountBySchema]
\ No newline at end of file
diff --git a/EXPLOIT - recovery pending.sql b/EXPLOIT - recovery pending.sql
new file mode 100644
index 0000000..da42b5f
--- /dev/null
+++ b/EXPLOIT - recovery pending.sql
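Review bot: The per-database statement is built by splicing the raw name into `use @db@` and into the `''@db@''` literal, so any database whose name has a space, hyphen or bracket (names a non-admin with CREATE DATABASE can choose) breaks the batch or changes its meaning; substitute `QUOTENAME(@dbName)` for the `USE` and an escaped literal for the string, as below. `INFORMATION_SCHEMA.TABLES` also lists views, so `[tables_count]` over-counts unless `WHERE [t].[TABLE_TYPE] = 'BASE TABLE'` is added. If `sp_executesql` fails for one database the cursor is left open and the next run stops on a name clash; `DECLARE csr_db CURSOR LOCAL FAST_FORWARD READ_ONLY` or a TRY/CATCH around the loop avoids that, and `@dbName VARCHAR(255)` should be `sysname` so non-ASCII names survive the round trip.
```sql
DECLARE @tpl VARCHAR(MAX)='
use @dbq@

INSERT INTO #TblCountBySchema([db_name], [schema_name], [tables_count])
SELECT
 ''@db@'' as [db_name],
 [t].[TABLE_SCHEMA] as [schema_name],
 COUNT(1) AS table_count
FROM [INFORMATION_SCHEMA].[TABLES] t
WHERE [t].[TABLE_TYPE] = ''BASE TABLE''
GROUP BY [t].[TABLE_SCHEMA];
'
-- … unchanged: cursor declaration, OPEN, first FETCH …
 DECLARE @stmt NVARCHAR(MAX) = REPLACE(REPLACE(@tpl, '@dbq@', QUOTENAME(@dbName)), '@db@', REPLACE(@dbName, '''', ''''''));
-- … unchanged: PRINT, sp_executesql, next FETCH, CLOSE/DEALLOCATE …
```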
@@ -0,0 +1,14 @@
+ALTER DATABASE arizona SET EMERGENCY;
+GO
+
+ALTER DATABASE arizona set single_user
+GO
+
+DBCC CHECKDB (arizona, REPAIR_ALLOW_DATA_LOSS) WITH ALL_ERRORMSGS, NO_INFOMSGS;
+GO
+
+ALTER DATABASE arizona set multi_user
+GO
+
+EXEC sp_configure filestream_access_level, 2;
+RECONFIGURE;
\ No newline at end of file
diff --git a/SWTRIATEST01 - tde enabling.sql b/SWTRIATEST01 - tde enabling.sql
new file mode 100644
index 0000000..3d5d8d0
--- /dev/null
+++ b/SWTRIATEST01 - tde enabling.sql
@@ -0,0 +1,35 @@
+USE master; -- Replace with your database name
+SET XACT_ABORT ON
+
+-- Create a new master key if not already created
+IF NOT EXISTS (SELECT * FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
+BEGIN
+ CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'v$~2YXERm2cj:WL9dlQu|Rvh7OohY/%v:';
+ PRINT 'master key created'
+END
+
+/*
+-- Create a new certificate
+CREATE CERTIFICATE TDECert
+WITH SUBJECT = 'Database TDE encryption',
+ START_DATE = '20240101', -- Replace with the desired start date in the format 'YYYYMMDD'
+ EXPIRY_DATE = '20241231' -- Replace with the desired expiry date in the format 'YYYYMMDD'
+
+BACKUP CERTIFICATE [TDECert] TO FILE = 'd:\TDECert.cer';
+
+BACKUP CERTIFICATE TDECert
+TO FILE = 'd:\TDE_Cert.cer'
+WITH PRIVATE KEY (file='d:\TDE_CertKey.pvk',
+ENCRYPTION BY PASSWORD='Hax0r$P@ss')
+
+*/
+
+USE [AdventureWorks2022]
+CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE TDECert
+
+USE master
+ALTER DATABASE [AdventureWorks2022] SET ENCRYPTION ON
+
+SELECT [d].[name], [e].[encryption_state_desc], e.*
+FROM sys.dm_database_encryption_keys e
+ JOIN sys.databases d ON d.[database_id]=e.[database_id];
\ No newline at end of file
diff --git a/TDE - scripts to init and rotate keys.sql b/TDE - scripts to init and rotate keys.sql
new file mode 100644
index 0000000..7fd5df8
--- /dev/null
+++ b/TDE - scripts to init and rotate keys.sql
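Review bot: `DBCC CHECKDB (arizona, REPAIR_ALLOW_DATA_LOSS)` is the first diagnostic step in the file, with no read-only `DBCC CHECKDB (arizona) WITH NO_INFOMSGS, ALL_ERRORMSGS;` before it to see what is actually corrupt and no copy of the damaged files taken before an irreversible repair; add both ahead of it, plus a header comment stating that this script discards data and is only for the case where restoring from backup has been ruled out. `ALTER DATABASE arizona set single_user` blocks behind any open session on the database; `ALTER DATABASE arizona SET SINGLE_USER WITH ROLLBACK IMMEDIATE;` is the usual form for a recovery runbook. The closing `sp_configure filestream_access_level, 2` change is unrelated to the recovery and silently alters instance configuration; it deserves its own comment or its own file.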
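Review bot: Two secrets are committed in clear text here — the database master key password on the `CREATE MASTER KEY ENCRYPTION BY PASSWORD = '…'` line and the certificate private-key password in the commented-out `BACKUP CERTIFICATE … WITH PRIVATE KEY` block — and both stay in git history whatever happens to the file, so treat them as exposed: regenerate the DMK under a new password (`ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = '<new value>'`), re-export the certificate with a fresh private-key password, and have the script take both values from a prompt or a vault rather than a literal. The live path skips `CREATE CERTIFICATE` and `BACKUP CERTIFICATE` (they are inside the block comment), so `CREATE DATABASE ENCRYPTION KEY … BY SERVER CERTIFICATE TDECert` only works if TDECert already exists and nothing guarantees that its private key has been backed up, without which an encrypted backup of [AdventureWorks2022] cannot be restored on another instance; gate the DEK creation with `IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TDECert')` and fail early, and uncomment the private-key backup. The comment `-- Replace with your database name` on `USE master;` is misleading, since the master key and the certificate have to live in master; drop it.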
@@ -0,0 +1,256 @@ +/* TDE ACTIVATION */ +USE [master]; +GO + +DECLARE @oldlogin VARCHAR(255), + @keyname VARCHAR(255) = 'TDE_20241101', + @AZkeyname VARCHAR(255) = 'SQLTDE'; + +SELECT @oldlogin = sp.name + FROM sys.server_principal_credentials pc +INNER JOIN sys.credentials c + ON pc.credential_id = c.credential_id + JOIN sys.server_principals sp + ON sp.principal_id = pc.principal_id +WHERE c.name = 'sysadmin_ekm_cred'; + +IF (@oldlogin IS NOT NULL) EXEC ('ALTER LOGIN ' + @oldlogin + ' DROP CREDENTIAL [sysadmin_ekm_cred];'); + +ALTER LOGIN [sysadmin_ekm] ADD CREDENTIAL [sysadmin_ekm_cred]; + +EXEC ('IF NOT EXISTS(SELECT 1 FROM sys.asymmetric_keys WHERE name = ''' + @keyname + ''') CREATE ASYMMETRIC KEY [' + @keyname + '] +FROM PROVIDER [AzureKeyVault_EKM_Prov] +WITH PROVIDER_KEY_NAME = ''' + @AZkeyname + ''', CREATION_DISPOSITION = OPEN_EXISTING;'); + +ALTER LOGIN [sysadmin_ekm] DROP CREDENTIAL [sysadmin_ekm_cred]; + +EXEC ('IF NOT EXISTS (SELECT 1 FROM sys.syslogins where name = ''' + @keyname + ''')CREATE LOGIN [' + @keyname + '] FROM ASYMMETRIC KEY [' + @keyname + '];'); + +EXEC ('ALTER LOGIN [' + @keyname + '] ADD CREDENTIAL [sysadmin_ekm_cred];'); + +DECLARE @sqlCommand VARCHAR(MAX); + +SET @sqlCommand + = 'USE ? IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys AS e + LEFT JOIN master.sys.asymmetric_keys AS c + ON e.encryptor_thumbprint = c.thumbprint +WHERE DB_NAME(e.database_id) = DB_NAME() AND c.name like ''TDE%'') IF DB_ID(''?'') > 4 +BEGIN +CREATE DATABASE ENCRYPTION KEY +WITH ALGORITHM = AES_256 +ENCRYPTION BY SERVER ASYMMETRIC KEY [' + @keyname + ']; +ALTER DATABASE ? 
SET ENCRYPTION ON +END;'; + +EXEC master..sp_MSforeachdb @sqlCommand; + + + + + +BACKUP DATABASE [TestTDE] +TO DISK = N'D:\SQLDatabaseDump\TDE_20241101.bak' +WITH COPY_ONLY, + NOFORMAT, + INIT, + NAME = N'TestTDE-Full Database Backup', + SKIP, + NOREWIND, + NOUNLOAD, + COMPRESSION, + STATS = 10; +GO + + + +/* ROTATE */ + +/* CREATE NEW KEY IN AZURE BY POWERSHELL */ +USE [master]; +GO + +DECLARE @oldlogin VARCHAR(255), + @keyname VARCHAR(255) = 'TDE_20241201', + @AZkeyname VARCHAR(255) = 'SQLTDE'; + +SELECT @oldlogin = sp.name + FROM sys.server_principal_credentials pc +INNER JOIN sys.credentials c + ON pc.credential_id = c.credential_id + JOIN sys.server_principals sp + ON sp.principal_id = pc.principal_id +WHERE c.name = 'sysadmin_ekm_cred'; + +EXEC ('ALTER LOGIN ' + @oldlogin + ' DROP CREDENTIAL [sysadmin_ekm_cred];'); + +ALTER LOGIN [sysadmin_ekm] ADD CREDENTIAL [sysadmin_ekm_cred]; + +EXEC ('CREATE ASYMMETRIC KEY [' + @keyname + '] +FROM PROVIDER [AzureKeyVault_EKM_Prov] +WITH PROVIDER_KEY_NAME = ''' + @AZkeyname + ''', CREATION_DISPOSITION = OPEN_EXISTING;'); + +ALTER LOGIN [sysadmin_ekm] DROP CREDENTIAL [sysadmin_ekm_cred]; + +EXEC ('CREATE LOGIN [' + @keyname + '] FROM ASYMMETRIC KEY [' + @keyname + '];'); + +EXEC ('ALTER LOGIN [' + @keyname + '] ADD CREDENTIAL [sysadmin_ekm_cred];'); + +DECLARE @sqlCommand VARCHAR(MAX); + +SET @sqlCommand + = 'USE ? 
IF EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys AS e + LEFT JOIN master.sys.asymmetric_keys AS c + ON e.encryptor_thumbprint = c.thumbprint +WHERE DB_NAME(e.database_id) = DB_NAME() AND c.name like ''TDE%'') ALTER DATABASE ENCRYPTION KEY +ENCRYPTION BY SERVER ASYMMETRIC KEY [' + @keyname + '];'; + +EXEC master..sp_MSforeachdb @sqlCommand; + +EXEC ('DROP LOGIN ' + @oldlogin + ';'); +EXEC ('DROP ASYMMETRIC KEY [' + @oldlogin + '];'); + + + + + +/* RESTORE OLD BACKUP */ +USE [master]; +GO + + +DECLARE @oldlogin VARCHAR(255), + @keynametorestore VARCHAR(255) = 'TDE_20241101', + @keyname VARCHAR(255) = 'TDE_20241201', + @db VARCHAR(255) = 'TestTDE2', + @AZkeyname VARCHAR(255) = 'SQLTDE/f514174481184130aef24e8999dd14c4'; + +SELECT @oldlogin = sp.name + FROM sys.server_principal_credentials pc +INNER JOIN sys.credentials c + ON pc.credential_id = c.credential_id + JOIN sys.server_principals sp + ON sp.principal_id = pc.principal_id +WHERE c.name = 'sysadmin_ekm_cred'; + +EXEC ('ALTER LOGIN ' + @oldlogin + ' DROP CREDENTIAL [sysadmin_ekm_cred];'); + +ALTER LOGIN [sysadmin_ekm] ADD CREDENTIAL [sysadmin_ekm_cred]; + +EXEC ('CREATE ASYMMETRIC KEY [' + @keynametorestore + '] +FROM PROVIDER [AzureKeyVault_EKM_Prov] +WITH PROVIDER_KEY_NAME = ''' + @AZkeyname + ''', CREATION_DISPOSITION = OPEN_EXISTING;'); + + +EXEC ('CREATE LOGIN [' + @keynametorestore + '] FROM ASYMMETRIC KEY [' + @keynametorestore + '];'); + +EXEC ('ALTER LOGIN [sysadmin_ekm] DROP CREDENTIAL [sysadmin_ekm_cred];'); + +EXEC ('ALTER LOGIN [' + @keynametorestore + '] ADD CREDENTIAL [sysadmin_ekm_cred];'); + + +RESTORE DATABASE [TestTDE2] +FROM DISK = N'D:\SQLDatabaseDump\TDE_20241101.bak' +WITH FILE = 1, + MOVE N'AdventureWorks2022' + TO N'F:\SQLDatabase\TestTDE2.mdf', + MOVE N'AdventureWorks2022_log' + TO N'G:\SQLDatabase\TestTDE2_log.ldf', + NOUNLOAD, + REPLACE, + STATS = 5; + + +EXEC ('ALTER LOGIN [' + @keynametorestore + '] DROP CREDENTIAL [sysadmin_ekm_cred];'); + +EXEC ('ALTER LOGIN [' + @keyname + 
'] ADD CREDENTIAL [sysadmin_ekm_cred];'); + +EXEC('USE ['+ @db +'];ALTER DATABASE ENCRYPTION KEY +ENCRYPTION BY SERVER ASYMMETRIC KEY [' + @keyname + '];') + + +USE [master]; + +EXEC('DROP LOGIN [' + @keynametorestore + '];') +EXEC('DROP ASYMMETRIC KEY [' + @keynametorestore + '];') +GO + + + + + + + + + + +/* VALIDATE */ +SELECT DB_NAME(e.database_id) AS DatabaseName, + e.database_id, + e.encryption_state, + CASE e.encryption_state + WHEN 0 THEN 'No database encryption key present, no encryption' + WHEN 1 THEN 'Unencrypted' + WHEN 2 THEN 'Encryption in progress' + WHEN 3 THEN 'Encrypted' + WHEN 4 THEN 'Key change in progress' + WHEN 5 THEN 'Decryption in progress' END AS encryption_state_desc, + c.name, + e.percent_complete, + e.create_date, + e.regenerate_date, + e.modify_date, + e.set_date, + e.opened_date, + e.key_algorithm, + e.key_length, + e.encryptor_thumbprint, + e.encryptor_type, + c.principal_id, + c.asymmetric_key_id, + c.pvt_key_encryption_type, + c.pvt_key_encryption_type_desc, + c.thumbprint, + c.algorithm, + c.algorithm_desc, + c.key_length, + c.sid, + c.string_sid, + c.public_key, + c.attested_by, + c.provider_type, + c.cryptographic_provider_guid, + c.cryptographic_provider_algid + FROM sys.dm_database_encryption_keys AS e + LEFT JOIN master.sys.asymmetric_keys AS c + ON e.encryptor_thumbprint = c.thumbprint +WHERE c.name <> 'tempdb'; + + + + +/* DROP */ +USE [master]; +GO + +ALTER DATABASE [TestTDE] SET ENCRYPTION OFF; +GO + +/* WAIT */ + +USE [TestTDE]; +GO + +DROP DATABASE ENCRYPTION KEY; +GO + +USE [master]; +GO + +ALTER LOGIN [TDE_20240601] DROP CREDENTIAL [sysadmin_ekm_cred]; +GO + +DROP LOGIN [TDE_20240601]; +GO + +DROP ASYMMETRIC KEY [TDE_20240601]; +GO \ No newline at end of file
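Review bot: In the VALIDATE query, `WHERE c.name <> 'tempdb'` compares the asymmetric-key name from the LEFT JOIN side against a database name, so it never excludes tempdb and instead drops every row where `c.name` is NULL — exactly the databases whose DEK is not protected by a key known in master.sys.asymmetric_keys, which is what a validation should surface; the intended filter is `WHERE DB_NAME(e.database_id) <> 'tempdb'`. The ROTATE and RESTORE sections run `EXEC ('ALTER LOGIN ' + @oldlogin + ' DROP CREDENTIAL [sysadmin_ekm_cred];')` without the `IF (@oldlogin IS NOT NULL)` guard the activation section has, so an empty lookup turns the whole string into NULL (which EXEC appears to treat as a no-op rather than an error — verify) and the later `DROP LOGIN` / `DROP ASYMMETRIC KEY` on @oldlogin behave the same way; reuse the guard and wrap the name as `QUOTENAME(@oldlogin)`, since every other login name in the file is bracketed. The DROP section names `TDE_20240601` while the rest of the file creates `TDE_20241101` and `TDE_20241201`; if that is a leftover from an earlier rotation, a comment saying so would stop a reader from running it against the wrong key. `sp_MSforeachdb` is undocumented and has been reported to skip databases under some conditions, so a loop over sys.databases would make the `ALTER DATABASE ENCRYPTION KEY` re-keying auditable per database.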