Implementing Auditing in SQL Server
DESCRIPTION
A common requirement for database administrators is to be able to track the activity within an instance of SQL Server. Based on governance, oversight, or policy, most organizations require some means of tracking and recording specific events such as:
1. Failed logins
2. DDL events
3. Data access
Ideally the front-end application will have a means of capturing these day-to-day events, but if not, SQL Server provides a number of tools that will audit SQL events and activity. This session will begin by outlining the methods, native to SQL Server, to audit SQL events, including:
1. C2 Auditing
2. Common Criteria Compliance
3. SQL Trace
4. DDL Triggers
5. DML Triggers
6. SQL Audit
Each method will be outlined and demonstrated, and particular attention will be paid to the resources required for each technique. Much of this session will be spent examining SQL Audit and looking into the internal workings of this technology.
TRANSCRIPT
David Dye
Introduction
What is Auditing
Overview of auditing options
Introduction to SQL Audit
SQL Audit Objects
Implementing SQL Audit
Audit
David Dye
HTTP://WWW.SQLSAFETY.COM
Tracking and logging of events
◦ Security events
◦ DDL events
◦ DML events
◦ Data access events
Often required by oversight or governance
◦ HIPAA
◦ SOX
◦ PCI
C2 Auditing
Common Criteria Compliance
SQL Trace
DDL/DML Triggers
SQL Audit
Introduced in SQL 2000
Meets Department of Defense C2 security requirements
Configured at the server level
Audit logs are stored in the SQL folder structure
Audit logs viewed through SQL Profiler or fn_trace_gettable function
ALL events are defined and non-configurable
Instance wide auditing
Logs can ONLY be stored in the default instance data directory
Rollover file size is non-configurable
Inability to write to the log file results in SQL Server shutting down
Introduced in SQL 2005
◦ SQL 05 SP1: Evaluation Assurance Level 1 (EAL1)
◦ SQL 05 SP2 / SQL 08: EAL4++
Does not include all C2 audit mode functionality
Includes
◦ Residual Information Protection (RIP)
◦ The ability to view login statistics
◦ Column GRANT should not override table DENY
Requires Enterprise, Evaluation, or Developer edition
Does not incorporate all C2 audit mode functionality
Can degrade performance
EAL4++ requires running additional scripts
Traces can be scripted or created through profiler
Traces are highly configurable and can be selective
Results saved to file or table
Templates can be utilized
Can degrade performance
Trace scope cannot be efficiently limited to an object (database) or action
Programmatic limitations
Capture DDL and most DML events
Cons
◦ Can be expensive!
◦ If the trigger fails, the transaction FAILS
◦ Can't capture all events (SELECT, for example, fires no trigger)
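The DDL trigger approach from the slide above, as an added illustration that is not part of the session's own demos: a database-scoped trigger that records every DDL event from EVENTDATA() into a log table. The database name AdventureWorks and the names dbo.DDL_Log, trg_LogDDL and dbo.TriggerTest are assumptions; the closing comment in the trigger marks the con from the slide, that an error inside the trigger rolls back the DDL statement that fired it.

```sql
-- AdventureWorks, dbo.DDL_Log and trg_LogDDL are assumed names for this example.
USE AdventureWorks;
GO
CREATE TABLE dbo.DDL_Log (
    LogId      int IDENTITY(1,1) PRIMARY KEY,
    EventTime  datetime2      NOT NULL DEFAULT SYSDATETIME(),
    LoginName  sysname        NOT NULL,
    EventType  nvarchar(128)  NOT NULL,
    ObjectName nvarchar(256)  NULL,
    Command    nvarchar(max)  NULL
);
GO
-- Fires for every database-level DDL event (CREATE/ALTER/DROP of tables, procs, users, ...).
CREATE TRIGGER trg_LogDDL
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml = EVENTDATA();   -- XML describing the statement that fired the trigger
    INSERT INTO dbo.DDL_Log (LoginName, EventType, ObjectName, Command)
    VALUES (
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',               'sysname'),
        @e.value('(/EVENT_INSTANCE/EventType)[1]',               'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]',              'nvarchar(256)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)')
    );
    -- Slide con: if this INSERT fails (log table dropped, disk full, permission denied),
    -- the error rolls back the DDL statement that fired the trigger.
END;
GO
-- A test CREATE TABLE shows up in the log; a SELECT never will, since no trigger fires for it.
CREATE TABLE dbo.TriggerTest (Id int);
SELECT EventTime, LoginName, EventType, ObjectName, Command FROM dbo.DDL_Log;
```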
What is SQL Audit
SQL Audit Background
Introduced in SQL 2008
Provides the ability to audit server, database, and audit level events
Internal to the SQL server
Available in Enterprise, Developer, and trial editions
Uses extended events
Created through T-SQL, PowerShell or SSMS
Audits can have the following scopes:
◦ Server level
Includes server operations, Logon, Logoff, etc.
◦ Database level
Database actions, DML, or DDL
◦ Audit level
Alter, Create, Drop, etc. of audits
Audits can be synchronous or asynchronous and logged to
◦ File
◦ Windows application log
◦ Windows security log
Full management, configuration, and administration available through .NET using SMO
Server Audit
Server Level Audit Groups
Database Level Audit Groups
◦ Database Level Audit Actions
Audit Level Specification Groups
1. Created in the master database
• First audit object to be created
• Defines
How the audit will be stored
◦ File
   Max file size (2 MB is default and 2,147,483,647 TB is max)
   Max number of rollover files (unlimited is default)
   Reserved disk space (reserves the max. file space unless this is unlimited)
◦ Application log
◦ Security log
Synchronous or asynchronous
State of the SQL service on failure to maintain the audit
1. References the server audit defining how audit data is stored
• Created to record server level audit actions
1. SUCCESSFUL_LOGIN_GROUP
2. LOGOUT_GROUP
3. FAILED_LOGIN_GROUP
4. LOGIN_CHANGE_PASSWORD_GROUP
5. APPLICATION_ROLE_CHANGE_PASSWORD_GROUP
6. SERVER_ROLE_MEMBER_CHANGE_GROUP
7. DATABASE_ROLE_MEMBER_CHANGE_GROUP
8. BACKUP_RESTORE_GROUP
9. DBCC_GROUP
10. SERVER_OPERATION_GROUP
11. DATABASE_OPERATION_GROUP
12. AUDIT_CHANGE_GROUP
13. SERVER_STATE_CHANGE_GROUP
14. SERVER_OBJECT_CHANGE_GROUP
15. SERVER_PRINCIPAL_CHANGE_GROUP
16. DATABASE_CHANGE_GROUP
17. DATABASE_OBJECT_CHANGE_GROUP
18. DATABASE_PRINCIPAL_CHANGE_GROUP
19. SCHEMA_OBJECT_CHANGE_GROUP
20. SERVER_PRINCIPAL_IMPERSONATION_GROUP
21. DATABASE_PRINCIPAL_IMPERSONATION_GROUP
22. SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
23. DATABASE_OWNERSHIP_CHANGE_GROUP
24. DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
25. SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
26. SERVER_PERMISSION_CHANGE_GROUP
27. SERVER_OBJECT_PERMISSION_CHANGE_GROUP
28. DATABASE_PERMISSION_CHANGE_GROUP
29. DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
30. SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
31. DATABASE_OBJECT_ACCESS_GROUP
32. SCHEMA_OBJECT_ACCESS_GROUP
33. BROKER_LOGIN_GROUP
34. DATABASE_MIRRORING_LOGIN_GROUP
35. TRACE_CHANGE_GROUP
1. References the server audit defining how audit data is stored
• Created to record database level audit actions
1. DATABASE_ROLE_MEMBER_CHANGE_GROUP
2. DATABASE_OPERATION_GROUP
3. DATABASE_CHANGE_GROUP
4. DATABASE_OBJECT_CHANGE_GROUP
5. DATABASE_PRINCIPAL_CHANGE_GROUP
6. SCHEMA_OBJECT_CHANGE_GROUP
7. DATABASE_PRINCIPAL_IMPERSONATION_GROUP
8. DATABASE_OWNERSHIP_CHANGE_GROUP
9. DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
10. SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
11. DATABASE_PERMISSION_CHANGE_GROUP
12. DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
13. SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
14. DATABASE_OBJECT_ACCESS_GROUP
15. SCHEMA_OBJECT_ACCESS_GROUP
1. References the server audit defining how audit data is stored
• Created to record database level actions
1. SELECT
2. UPDATE
3. INSERT
4. DELETE
5. EXECUTE
6. RECEIVE
7. REFERENCES
1. References the server audit defining how audit data is stored
• Created to record audit level action groups
1. AUDIT_CHANGE_GROUP
• CREATE SERVER AUDIT
• ALTER SERVER AUDIT
• DROP SERVER AUDIT
• CREATE SERVER AUDIT SPECIFICATION
• ALTER SERVER AUDIT SPECIFICATION
• DROP SERVER AUDIT SPECIFICATION
• CREATE DATABASE AUDIT SPECIFICATION
• ALTER DATABASE AUDIT SPECIFICATION
• DROP DATABASE AUDIT SPECIFICATION
Creating Server Audit
◦ Demo using SSMS
Creating Audit Specification
◦ Demo using SSMS
Creating Server Specification
◦ Demo using T-SQL
Creating Database Specification
◦ Demo using T-SQL
Working with Audit Logs
1. Implementing a SQL audit begins with the server audit
• Defines:
• How the audit is saved
• Synchronous/Asynchronous
• What happens on failure
1. Create server audit
 1. Using SSMS
 2. Write to application log
 3. Synchronous
 4. Stop SQL service on failure
# Load the SMO assemblies first (Import-Module SqlServer on current hosts;
# older hosts: [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.Smo"))
Import-Module SqlServer
# Connect to the local default instance
$dbServer = New-Object Microsoft.SqlServer.Management.Smo.Server("(local)")
# Define a server audit named "Test Audit" that writes to files under C:\Audit (folder must exist)
$dbAudit = New-Object Microsoft.SqlServer.Management.Smo.Audit($dbServer, "Test Audit")
$dbAudit.DestinationType = [Microsoft.SqlServer.Management.Smo.AuditDestinationType]'File'
$dbAudit.FilePath = "C:\Audit"
# Create the audit object in master, then enable it (a new audit starts disabled)
$dbAudit.Create()
$dbAudit.Enable()
1. SQL audit specification is created at the server level
• Audits all audit events
• Utilizes a server audit
1. Create audit specification
 1. Using SSMS
 2. Using server audit
 3. All Audit_Change events
1. Implementing a SQL audit begins with the server audit
• Defines:
• What server audit will be used
• The database level events to be audited
1. Create database audit specification
 1. Using T-SQL
 2. Using server audit
 3. SELECT and INSERT events on Person.Person by dbo
 4. SELECT events on HumanResources.Employee by public
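The demo steps above carried through in T-SQL, as an added example rather than the session's own demo script: it creates the server audit (file destination, synchronous, shut down on failure), a server audit specification for AUDIT_CHANGE_GROUP, a database audit specification for the Person.Person and HumanResources.Employee actions, and then reads the log back with sys.fn_get_audit_file. The audit name Audit_Demo, the specification names, the path C:\Audit\ and the AdventureWorks database name are assumptions.

```sql
-- Run as sysadmin. Audit_Demo, C:\Audit\ and AdventureWorks are assumed names.
USE master;
GO
-- 1. Server audit: where events are written and what happens if they cannot be.
CREATE SERVER AUDIT Audit_Demo
TO FILE (
    FILEPATH = 'C:\Audit\',        -- directory must already exist
    MAXSIZE = 100 MB,              -- per-file size before rollover
    MAX_ROLLOVER_FILES = 10,       -- oldest file is deleted once exceeded
    RESERVE_DISK_SPACE = OFF
)
WITH (
    QUEUE_DELAY = 0,               -- 0 = synchronous; >= 1000 (ms) = asynchronous
    ON_FAILURE = SHUTDOWN          -- or CONTINUE; SHUTDOWN needs the SHUTDOWN permission
);
GO
-- 2. Server audit specification: create/alter/drop of any audit object, plus
--    failed logins, so tampering with the audit is itself audited.
CREATE SERVER AUDIT SPECIFICATION AuditSpec_AuditChanges
FOR SERVER AUDIT Audit_Demo
    ADD (AUDIT_CHANGE_GROUP),
    ADD (FAILED_LOGIN_GROUP)
WITH (STATE = ON);
GO
-- 3. Database audit specification: the DML actions from the demo, scoped to
--    specific objects and principals (public covers every database user).
USE AdventureWorks;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_PersonData
FOR SERVER AUDIT Audit_Demo
    ADD (SELECT, INSERT ON OBJECT::Person.Person BY dbo),
    ADD (SELECT ON OBJECT::HumanResources.Employee BY public)
WITH (STATE = ON);
GO
-- 4. The server audit is created disabled; turn it on once the specifications exist.
USE master;
GO
ALTER SERVER AUDIT Audit_Demo WITH (STATE = ON);
GO
-- 5. Working with the audit log: read the rollover files back as a table.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('C:\Audit\Audit_Demo*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id IN ('SL', 'IN')    -- SL = SELECT, IN = INSERT (see sys.dm_audit_actions)
ORDER BY event_time DESC;
```

Rows with succeeded = 0 record attempts that were denied, which is usually the first thing to look at when reviewing the file.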