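USE [master];
GO

/****************************************/
/* Set variables needed by setup script */
/*
 * Edit the four values below before running. They are copied into the
 * #SetupVars temp table so that the later GO-separated batches can read them
 * (a temp table survives GO within one session; local variables do not).
 *
 * Fail-safe: the values are validated BEFORE #SetupVars is created. When
 * validation fails this batch returns early, the temp table never exists, and
 * every later batch (including the DROP SERVER AUDIT steps) errors out instead
 * of removing a working audit and then failing to create its replacement.
 */
DECLARE @auditName      varchar(25),
        @auditPath      varchar(260),
        @auditGuid      uniqueidentifier,
        @auditRetention int;

-- Name of the server audit. The server audit specification created later is
-- named <auditName>_SERVER_SPECIFICATION.
SET @auditName = 'STIG_AUDIT';

-- Azure Blob Storage container URL that receives the .xel audit files. It must
-- be an https:// URL; replace the placeholder storage account name. The Managed
-- Instance's managed identity needs write access to this container (presumably
-- the "Storage Blob Data Contributor" role - confirm against current Azure docs).
SET @auditPath = 'https://XXXXXXXXXX.blob.core.windows.net/audit';

-- AUDIT_GUID of the new audit. NEWID() yields a fresh value on every run, so
-- re-running the script recreates the audit with a different GUID; hard-code a
-- GUID here if the value has to match across instances (e.g. failover partners).
SET @auditGuid = NEWID();

-- Number of days audit files are kept in the container (RETENTION_DAYS).
SET @auditRetention = 365;

/****************************************/

/* Validate the settings before anything destructive happens. */
IF @auditName IS NULL OR LTRIM(RTRIM(@auditName)) = ''
BEGIN
    RAISERROR('auditName must not be empty.', 16, 1);
    RETURN;
END;

IF @auditPath IS NULL
   OR @auditPath NOT LIKE 'https://%'
   OR CHARINDEX('XXXXXXXXXX', @auditPath) > 0
BEGIN
    RAISERROR('auditPath must be an https:// container URL with the placeholder storage account name replaced.', 16, 1);
    RETURN;
END;

IF @auditRetention IS NULL OR @auditRetention < 0
BEGIN
    RAISERROR('auditRetention must be a non-negative number of days.', 16, 1);
    RETURN;
END;

/* Persist the validated settings for the later batches. */
CREATE TABLE #SetupVars
(
    Variable varchar(50)  NOT NULL PRIMARY KEY,
    Value    varchar(260) NULL
);

INSERT INTO #SetupVars (Variable, Value)
VALUES ('auditName',      @auditName),
       ('auditPath',      @auditPath),
       ('auditGuid',      CONVERT(varchar(40), @auditGuid)),
       ('auditRetention', CONVERT(varchar(10), @auditRetention));
GO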

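-- Disable the Server Audit Specification (if one exists) so that it can be dropped.
-- The audit name is read from #SetupVars because local variables do not survive GO.
-- The existence check is parameterized through sp_executesql and the identifier is
-- bracket-quoted with QUOTENAME(), so a name containing ' or ] cannot break out of
-- the dynamic SQL.
DECLARE @auditName varchar(25), @specName sysname, @disableSpecification nvarchar(max);

SELECT @auditName = Value FROM #SetupVars WHERE Variable = 'auditName';

IF @auditName IS NULL
BEGIN
    RAISERROR('#SetupVars has no auditName; run the setup batch first.', 16, 1);
    RETURN;
END;

SET @specName = @auditName + '_SERVER_SPECIFICATION';

SET @disableSpecification = N'
IF EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = @name)
    ALTER SERVER AUDIT SPECIFICATION ' + QUOTENAME(@specName) + N' WITH (STATE = OFF);';

EXEC sp_executesql @disableSpecification, N'@name sysname', @name = @specName;
GO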

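-- Drop the Server Audit Specification (if one exists). It must already be disabled
-- (previous batch). The existence check is parameterized and the identifier is
-- bracket-quoted with QUOTENAME() so the audit name cannot alter the statement.
DECLARE @auditName varchar(25), @specName sysname, @dropSpecification nvarchar(max);

SELECT @auditName = Value FROM #SetupVars WHERE Variable = 'auditName';

IF @auditName IS NULL
BEGIN
    RAISERROR('#SetupVars has no auditName; run the setup batch first.', 16, 1);
    RETURN;
END;

SET @specName = @auditName + '_SERVER_SPECIFICATION';

SET @dropSpecification = N'
IF EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = @name)
    DROP SERVER AUDIT SPECIFICATION ' + QUOTENAME(@specName) + N';';

EXEC sp_executesql @dropSpecification, N'@name sysname', @name = @specName;
GO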

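-- Disable the Server Audit (if one exists) so that it can be dropped. From this
-- point until the new audit is started (later batch) nothing is being audited,
-- so run the whole script in one sitting during a maintenance window.
-- Parameterized existence check + QUOTENAME() for the identifier.
DECLARE @auditName varchar(25), @disableAudit nvarchar(max);

SELECT @auditName = Value FROM #SetupVars WHERE Variable = 'auditName';

IF @auditName IS NULL
BEGIN
    RAISERROR('#SetupVars has no auditName; run the setup batch first.', 16, 1);
    RETURN;
END;

SET @disableAudit = N'
IF EXISTS (SELECT 1 FROM sys.server_audits WHERE name = @name)
    ALTER SERVER AUDIT ' + QUOTENAME(@auditName) + N' WITH (STATE = OFF);';

EXEC sp_executesql @disableAudit, N'@name sysname', @name = @auditName;
GO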

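-- Drop the Server Audit (if one exists). Dropping the audit object does not
-- delete the .xel files already written to the storage container.
-- Parameterized existence check + QUOTENAME() for the identifier.
DECLARE @auditName varchar(25), @dropAudit nvarchar(max);

SELECT @auditName = Value FROM #SetupVars WHERE Variable = 'auditName';

IF @auditName IS NULL
BEGIN
    RAISERROR('#SetupVars has no auditName; run the setup batch first.', 16, 1);
    RETURN;
END;

SET @dropAudit = N'
IF EXISTS (SELECT 1 FROM sys.server_audits WHERE name = @name)
    DROP SERVER AUDIT ' + QUOTENAME(@auditName) + N';';

EXEC sp_executesql @dropAudit, N'@name sysname', @name = @auditName;
GO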

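/**************************************************************************************/
/* Create the credential the audit uses to write to the Azure storage container.         */
/*                                                                                        */
/* For audit TO URL the credential is named exactly like the container URL. With         */
/* IDENTITY = 'MANAGED IDENTITY' no secret is stored on the instance; the blob           */
/* container's RBAC grants the access. If a credential with this name already exists     */
/* it is left untouched, so a pre-existing credential of a different identity type       */
/* (e.g. a SAS token) is NOT replaced - check sys.credentials if the audit fails to       */
/* write.                                                                                 */
/**************************************************************************************/

DECLARE @auditPath nvarchar(260), @createStatement nvarchar(max);

SELECT @auditPath = Value FROM #SetupVars WHERE Variable = 'auditPath';

IF @auditPath IS NULL
BEGIN
    RAISERROR('#SetupVars has no auditPath; run the setup batch first.', 16, 1);
    RETURN;
END;

-- Credential names are sysname (128 chars). QUOTENAME() returns NULL for longer
-- input, which would otherwise turn the whole statement into a silent no-op.
IF LEN(@auditPath) > 128
BEGIN
    RAISERROR('auditPath is longer than 128 characters and cannot be used as a credential name.', 16, 1);
    RETURN;
END;

SET @createStatement = N'
IF NOT EXISTS (SELECT 1 FROM sys.credentials WHERE name = @name)
    CREATE CREDENTIAL ' + QUOTENAME(@auditPath) + N' WITH IDENTITY = ''MANAGED IDENTITY'';';

EXEC sp_executesql @createStatement, N'@name sysname', @name = @auditPath;
GO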

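/****************************************/
/* Set up the SQL Server Audit          */
/****************************************/

USE [master];
GO

/* Create the Server Audit.
 *
 * The earlier batches dropped any audit of the same name, so this is an
 * unconditional CREATE. All settings come from #SetupVars.
 *
 * NOTE(review): no ON_FAILURE clause is given, so the audit uses the default
 * (CONTINUE): if the instance cannot write to the container, audited actions
 * still succeed and the write failure is only logged. Confirm whether the
 * applicable STIG audit-failure rule requires FAIL_OPERATION here, and whether
 * that option is supported for TO URL on the Managed Instance, before relying
 * on this audit as a control.
 */
DECLARE @auditName       varchar(25),
        @auditPath       varchar(260),
        @auditGuid       varchar(40),
        @auditRetention  varchar(10),   -- same width as the CONVERT in the setup batch
        @createStatement nvarchar(max);

SELECT @auditName      = Value FROM #SetupVars WHERE Variable = 'auditName';
SELECT @auditPath      = Value FROM #SetupVars WHERE Variable = 'auditPath';
SELECT @auditGuid      = Value FROM #SetupVars WHERE Variable = 'auditGuid';
SELECT @auditRetention = Value FROM #SetupVars WHERE Variable = 'auditRetention';

IF @auditName IS NULL OR @auditPath IS NULL OR @auditGuid IS NULL OR @auditRetention IS NULL
BEGIN
    RAISERROR('#SetupVars is incomplete; run the setup batch first.', 16, 1);
    RETURN;
END;

-- RETENTION_DAYS and AUDIT_GUID cannot be passed as parameters, so both are
-- round-tripped through their real types before being spliced into the text;
-- the audit name is bracket-quoted and embedded quotes in the path are doubled.
IF TRY_CONVERT(int, @auditRetention) IS NULL OR TRY_CONVERT(uniqueidentifier, @auditGuid) IS NULL
BEGIN
    RAISERROR('auditRetention or auditGuid in #SetupVars is not well-formed.', 16, 1);
    RETURN;
END;

-- QUEUE_DELAY is the maximum time (ms) an event may wait before being flushed.
SET @createStatement = N'
CREATE SERVER AUDIT ' + QUOTENAME(@auditName) + N'
TO URL
(
    PATH = ''' + REPLACE(@auditPath, '''', '''''') + N'''
    , RETENTION_DAYS = ' + CONVERT(varchar(10), TRY_CONVERT(int, @auditRetention)) + N'
)
WITH
(
    QUEUE_DELAY = 1000
    , AUDIT_GUID = ''' + CONVERT(varchar(40), TRY_CONVERT(uniqueidentifier, @auditGuid)) + N'''
);';

EXEC (@createStatement);
GO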

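/* Turn on the Audit. The audit must be ON before its specification can be
 * created with STATE = ON in the next batch. Parameterized existence check +
 * QUOTENAME() for the identifier. */
DECLARE @auditName varchar(25), @enableAudit nvarchar(max);

SELECT @auditName = Value FROM #SetupVars WHERE Variable = 'auditName';

IF @auditName IS NULL
BEGIN
    RAISERROR('#SetupVars has no auditName; run the setup batch first.', 16, 1);
    RETURN;
END;

SET @enableAudit = N'
IF EXISTS (SELECT 1 FROM sys.server_audits WHERE name = @name)
    ALTER SERVER AUDIT ' + QUOTENAME(@auditName) + N' WITH (STATE = ON);';

EXEC sp_executesql @enableAudit, N'@name sysname', @name = @auditName;
GO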

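/* Create the server audit specification and start it.
 *
 * Each ADD line is tagged with the STIG rule IDs it satisfies; the tags are
 * kept inside the dynamic SQL as comments. SCHEMA_OBJECT_ACCESS_GROUP and
 * DATABASE_OBJECT_ACCESS_GROUP record every object access and can produce a
 * very large volume of audit data - size the container and retention for it
 * rather than removing them, since several of the listed rules depend on them.
 * Identifiers are bracket-quoted with QUOTENAME() so the audit name cannot
 * alter the statement.
 */
DECLARE @auditName varchar(25), @specName sysname, @createSpecification nvarchar(max);

SELECT @auditName = Value FROM #SetupVars WHERE Variable = 'auditName';

IF @auditName IS NULL
BEGIN
    RAISERROR('#SetupVars has no auditName; run the setup batch first.', 16, 1);
    RETURN;
END;

SET @specName = @auditName + '_SERVER_SPECIFICATION';

SET @createSpecification = N'
CREATE SERVER AUDIT SPECIFICATION ' + QUOTENAME(@specName) + N'
FOR SERVER AUDIT ' + QUOTENAME(@auditName) + N'
    ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP),     --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (AUDIT_CHANGE_GROUP),                         --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (BACKUP_RESTORE_GROUP),                       --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (DATABASE_CHANGE_GROUP),                      --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (DATABASE_OBJECT_ACCESS_GROUP),               --    MSQL-D0-011800
    ADD (DATABASE_OBJECT_CHANGE_GROUP),               --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP),     --    MSQL-D0-013400, MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-014200, MSQL-D0-015100, MSQL-D0-013600
    ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),    --    MSQL-D0-013400, MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-014200, MSQL-D0-015100, MSQL-D0-013600
    ADD (DATABASE_OPERATION_GROUP),                   --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (DATABASE_OWNERSHIP_CHANGE_GROUP),            --    MSQL-D0-013400, MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-014200, MSQL-D0-015100, MSQL-D0-013600
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),           --    MSQL-D0-013400, MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-014200, MSQL-D0-015100, MSQL-D0-013600
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),            --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP),     --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),          --    MSQL-D0-013400, MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-014200, MSQL-D0-015100, MSQL-D0-013600
    ADD (DBCC_GROUP),                                 --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (FAILED_LOGIN_GROUP),                         --    MSQL-D0-014800
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),                --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (LOGOUT_GROUP),                               --    MSQL-D0-015000, MSQL-D0-015100
    ADD (SCHEMA_OBJECT_ACCESS_GROUP),                 --    MSQL-D0-004600, MSQL-D0-012900, MSQL-D0-013200, MSQL-D0-014000, MSQL-D0-014600, MSQL-D0-015400, MSQL-D0-004500
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),                 --    MSQL-D0-011800, MSQL-D0-013800, MSQL-D0-014400, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP),       --    MSQL-D0-011800, MSQL-D0-013400, MSQL-D0-013600, MSQL-D0-014200, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),      --    MSQL-D0-011800, MSQL-D0-013400, MSQL-D0-013600, MSQL-D0-014200, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (SERVER_OBJECT_CHANGE_GROUP),                 --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP),       --    MSQL-D0-011800, MSQL-D0-013400, MSQL-D0-013600, MSQL-D0-014200, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP),      --    MSQL-D0-011800, MSQL-D0-013400, MSQL-D0-013600, MSQL-D0-014200, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (SERVER_OPERATION_GROUP),                     --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (SERVER_PERMISSION_CHANGE_GROUP),             --    MSQL-D0-011800, MSQL-D0-013400, MSQL-D0-013600, MSQL-D0-014200, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),              --    MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP),       --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),            --    MSQL-D0-011800, MSQL-D0-013400, MSQL-D0-013600, MSQL-D0-014200, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (SERVER_STATE_CHANGE_GROUP),                  --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (SUCCESSFUL_LOGIN_GROUP),                     --    MSQL-D0-014800, MSQL-D0-015200
    ADD (TRACE_CHANGE_GROUP),                         --    MSQL-D0-011800, MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
    ADD (USER_CHANGE_PASSWORD_GROUP)                  --    MSQL-D0-014900, MSQL-D0-015000, MSQL-D0-015100
WITH (STATE = ON);';

EXEC (@createSpecification);
GO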

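/* Clean up: remove the settings table. IF EXISTS keeps this from raising a
 * second, unrelated error when an earlier batch failed before creating it. */
DROP TABLE IF EXISTS #SetupVars;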