I really enjoyed speaking at the Portland SQL Server User Group meeting last night about SQL Server security…and I have an update.
We were talking about the supposed inability of auditing to audit usage of sys.fn_get_audit_file, the system function that reads an audit log. Raul Garcia of the SQL Server team had the answer. "For the particular scenario in this bug (sys.fn_get_audit_file), the permission being exercised is SELECT, not EXECUTE, hence the apparent failure to audit usage."
A database audit specification in the master database for SELECT ON OBJECT::sys.fn_get_audit_file BY PUBLIC will audit it, regardless of the "current database" when the function is called.
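To make this concrete, here is an added T-SQL example (mine, not from the post or from Raul) that sets up the audit exactly as described, then exercises the function from another database to show the SELECT being recorded. The audit and specification names and the file path are assumptions; adjust them for your server.

```sql
USE master;
GO
-- Server-level audit object writing to a file target.
-- Audit name and FILEPATH are assumed values for this example.
CREATE SERVER AUDIT Audit_AuditFileReads
    TO FILE (FILEPATH = 'C:\SQLAudit\')
    WITH (ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT Audit_AuditFileReads WITH (STATE = ON);
GO
-- Database audit specification in master: the permission exercised by
-- sys.fn_get_audit_file is SELECT, not EXECUTE, so audit SELECT on it.
CREATE DATABASE AUDIT SPECIFICATION DbAuditSpec_AuditFileReads
    FOR SERVER AUDIT Audit_AuditFileReads
    ADD (SELECT ON OBJECT::sys.fn_get_audit_file BY PUBLIC)
    WITH (STATE = ON);
GO
-- Read the log while a different database is current; this call is still audited
-- because the specification lives in master, where the function is defined.
USE tempdb;
GO
SELECT event_time, server_principal_name, database_name, object_name, action_id, statement
FROM sys.fn_get_audit_file('C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE object_name = N'fn_get_audit_file'   -- action_id 'SL' = SELECT
ORDER BY event_time DESC;
GO
```

The final query both reads the audit file and, on its next run, shows its own earlier read as a SELECT event against fn_get_audit_file, which is the behaviour the post says was thought to be missing.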
Thanks Raul.