
Implementing Auditing in SQL Server SQLSAT74

This document discusses implementing auditing in SQL Server. It provides an overview of auditing options in SQL Server like C2 auditing, common criteria compliance, SQL traces, and triggers. It then focuses on SQL audit which was introduced in SQL 2008 and allows auditing of server, database, and audit level events. It describes the objects involved in SQL auditing like the server audit, audit specification groups, and audit actions. It demonstrates how to create a server audit, server audit specification, and database audit specification programmatically and using SQL Server Management Studio.

Uploaded by ahw0000007
Copyright © All Rights Reserved

Implementing Auditing in SQL Server
David Dye
Implementing Auditing in SQL Server
• Introduction
• What is Auditing
• Overview of auditing options
• Introduction to SQL Audit
• SQL Audit Objects
• Implementing SQL Audit
• Audit
Introduction
• David Dye
• HTTP://SQLSAFETY.BLOGSPOT.COM
What is auditing
• Tracking and logging of events
  ◦ Security events
  ◦ DDL events
  ◦ DML events
  ◦ Data access events
• Often required by oversight or governance
  ◦ HIPAA
  ◦ SOX
  ◦ PCI
Overview of auditing options
• C2 Auditing
• Common Criteria Compliance
• SQL Trace
• DDL/DML Triggers
• SQL Audit
C2 Auditing
• Introduced in SQL 2000
• Meets Department of Defense C2 security requirements
• Configured at the server level
• Audit logs are stored in the SQL folder structure
• Audit logs viewed through SQL Profiler or fn_trace_gettable function
C2 Auditing Cons
• ALL events are defined and non-configurable
• Instance wide auditing
• Logs can ONLY be stored in default instance data directory
• Rollover file size is non-configurable
• Inability to write to log file results in SQL shut down
Enabling C2 Auditing
Common Criteria Compliance
• Introduced in SQL 2005
  ◦ SQL 05 SP1 Evaluation Assurance Level 1 (EAL1)
  ◦ SQL 05 SP2/SQL 08 EAL4++
• Does not include all C2 audit mode functionality
• Includes
  ◦ Residual Information Protection (RIP)
  ◦ The ability to view login statistics
  ◦ Column GRANT should not override table DENY
Common Criteria Compliance Cons
• Requires Enterprise, Evaluation, or Developer edition
• Does not incorporate all C2 audit mode functionality
• Can degrade performance
• EAL4++ requires running additional scripts
Enabling Common Criteria Compliance
SQL Trace
• Traces can be scripted or created through Profiler
• Traces are highly configurable and can be selective
• Results saved to file or table
• Templates can be utilized
SQL Trace Cons
• Can degrade performance
• Trace scope cannot be efficiently limited to object (database) or action
• Programmatic limitations
Server Side Trace Demo
DDL/DML Triggers
• Capture DDL and most DML events
• Cons
  ◦ Can be expensive!
  ◦ Trigger fails - transaction FAILS
  ◦ Can’t capture all events
DDL Trigger Demo
Introduction to SQL Audit
• What is SQL Audit
• SQL Audit Background
What is SQL Audit
• Introduced in SQL 2008
• Provides the ability to audit server, database, and audit level events
• Internal to the SQL server
• Available in Enterprise, Developer, and trial editions
SQL Audit Background
• Uses extended events
• Created through T-SQL, PowerShell or SSMS
• Audits can have the following scopes:
  ◦ Server level
    ▪ Include server operations, Logon, Logoff, etc.
  ◦ Database level
    ▪ Database action, DML, or DDL
  ◦ Audit level
    ▪ Alter, Create, Drop, etc. audits
• Audits can be synchronous or asynchronous and logged to
  ◦ File
  ◦ Windows application log
  ◦ Windows security log
• Full management, configuration, and administration available through .NET using SMO
SQL Audit Objects
• Server Audit
• Server Level Audit Groups
• Database Level Audit Groups
  ◦ Database Level Audit Actions
• Audit Level Specification Groups
Server Audit
• Created in the master database
• First audit object to be created
• Defines
  ◦ How the audit will be stored
    ▪ File
      ▪ Max file size (2 MB is default and 2,147,483,647 TB is max)
      ▪ Max number of rollover files (unlimited is default)
      ▪ Reserved disk space (reserves the max. file space unless this is unlimited)
    ▪ Application log
    ▪ Security log
  ◦ Synchronous or asynchronous
  ◦ State of the SQL service on failure to maintain audit
Server Level Audit Action Groups
• References the server audit defining how audit data is stored
• Created to record server level audit actions
  1. SUCCESSFUL_LOGIN_GROUP
  2. LOGOUT_GROUP
  3. FAILED_LOGIN_GROUP
  4. LOGIN_CHANGE_PASSWORD_GROUP
  5. APPLICATION_ROLE_CHANGE_PASSWORD_GROUP
  6. SERVER_ROLE_MEMBER_CHANGE_GROUP
  7. DATABASE_ROLE_MEMBER_CHANGE_GROUP
  8. BACKUP_RESTORE_GROUP
  9. DBCC_GROUP
  10. SERVER_OPERATION_GROUP
  11. DATABASE_OPERATION_GROUP
  12. AUDIT_CHANGE_GROUP
  13. SERVER_STATE_CHANGE_GROUP
  14. SERVER_OBJECT_CHANGE_GROUP
  15. SERVER_PRINCIPAL_CHANGE_GROUP
  16. DATABASE_CHANGE_GROUP
  17. DATABASE_OBJECT_CHANGE_GROUP
  18. DATABASE_PRINCIPAL_CHANGE_GROUP
  19. SCHEMA_OBJECT_CHANGE_GROUP
  20. SERVER_PRINCIPAL_IMPERSONATION_GROUP
  21. DATABASE_PRINCIPAL_IMPERSONATION_GROUP
  22. SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
  23. DATABASE_OWNERSHIP_CHANGE_GROUP
  24. DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
  25. SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
  26. SERVER_PERMISSION_CHANGE_GROUP
  27. SERVER_OBJECT_PERMISSION_CHANGE_GROUP
  28. DATABASE_PERMISSION_CHANGE_GROUP
  29. DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
  30. SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
  31. DATABASE_OBJECT_ACCESS_GROUP
  32. SCHEMA_OBJECT_ACCESS_GROUP
  33. BROKER_LOGIN_GROUP
  34. DATABASE_MIRRORING_LOGIN_GROUP
  35. TRACE_CHANGE_GROUP
Database Level Audit Action Groups
• References the server audit defining how audit data is stored
• Created to record database level audit actions
  1. DATABASE_ROLE_MEMBER_CHANGE_GROUP
  2. DATABASE_OPERATION_GROUP
  3. DATABASE_CHANGE_GROUP
  4. DATABASE_OBJECT_CHANGE_GROUP
  5. DATABASE_PRINCIPAL_CHANGE_GROUP
  6. SCHEMA_OBJECT_CHANGE_GROUP
  7. DATABASE_PRINCIPAL_IMPERSONATION_GROUP
  8. DATABASE_OWNERSHIP_CHANGE_GROUP
  9. DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
  10. SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
  11. DATABASE_PERMISSION_CHANGE_GROUP
  12. DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
  13. SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
  14. DATABASE_OBJECT_ACCESS_GROUP
  15. SCHEMA_OBJECT_ACCESS_GROUP
Database Level Audit Actions
• References the server audit defining how audit data is stored
• Created to record database level actions
  1. SELECT
  2. UPDATE
  3. INSERT
  4. DELETE
  5. EXECUTE
  6. RECEIVE
  7. REFERENCES
Audit Level Audit Actions
• References the server audit defining how audit data is stored
• Created to record audit level action groups
  1. AUDIT_CHANGE_GROUP
    • CREATE SERVER AUDIT
    • ALTER SERVER AUDIT
    • DROP SERVER AUDIT
    • CREATE SERVER AUDIT SPECIFICATION
    • ALTER SERVER AUDIT SPECIFICATION
    • DROP SERVER AUDIT SPECIFICATION
    • CREATE DATABASE AUDIT SPECIFICATION
    • ALTER DATABASE AUDIT SPECIFICATION
    • DROP DATABASE AUDIT SPECIFICATION
Implementing SQL Audit
• Creating Server Audit
  ◦ Demo Using SSMS
• Creating Audit Specification
  ◦ Demo Using SSMS
• Creating Server Specification
  ◦ Demo T-SQL
• Creating Database Specification
  ◦ Demo T-SQL
• Working with Audit Logs
Creating Server Audit
• Implementing a SQL audit begins with the server audit
• Defines:
  ◦ How audit is saved
  ◦ Synchronous/Asynchronous
  ◦ What happens on failure
Demo Creating Server Audit
1. Create server audit
  1. Using SSMS
  2. Write to application log
  3. Synchronous
  4. Stop SQL service on failure
PowerShell Creating Server Audit
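# Load SMO (assumes the SQL Server management objects are installed)
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.Smo')
# Connect to the local default instance
$dbServer = New-Object Microsoft.SqlServer.Management.Smo.Server("(local)")
# Define a server audit named "Test Audit" that writes to files under C:\Audit
$dbAudit = New-Object Microsoft.SqlServer.Management.Smo.Audit($dbServer, "Test Audit")
$dbAudit.DestinationType = [Microsoft.SqlServer.Management.Smo.AuditDestinationType]'File'
$dbAudit.FilePath = "C:\Audit"
# Create the audit on the server, then turn it on
$dbAudit.Create()
$dbAudit.Enable()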
Creating Audit Specification
• SQL audit specification is created at the server level
• Audits all audit events
• Utilizes a server audit
Demo Creating Audit Specification
1. Create audit specification
  1. Using SSMS
  2. Using server audit
  3. All Audit_Change events
Creating Database Audit Specification
• Implementing a SQL audit begins with the server audit
• Defines:
  ◦ What server audit will be used
  ◦ The database level events to be audited
Demo Creating Database Audit Specification
1. Create database audit specification
  1. Using T-SQL
  2. Using server audit
  3. SELECT and INSERT events on Person.Person by dbo
  4. SELECT events on HumanResources.Employee by public
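The three demos above (server audit, server audit specification, database audit specification) written out as one T-SQL script. This is an added example, not the presenter's demo code: the object names Demo_ServerAudit, Demo_ServerAuditSpec and Demo_DbAuditSpec and the AdventureWorks database name are assumptions, while the settings follow the slides.

```sql
-- Added example. Object names and the database name are hypothetical.
USE master;
GO
-- Server audit: application log target, synchronous delivery
-- (QUEUE_DELAY = 0), and stop the instance if audit records
-- cannot be written (ON_FAILURE = SHUTDOWN).
CREATE SERVER AUDIT Demo_ServerAudit
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 0, ON_FAILURE = SHUTDOWN);
GO
ALTER SERVER AUDIT Demo_ServerAudit WITH (STATE = ON);
GO
-- Server audit specification: record changes to the audit objects themselves.
CREATE SERVER AUDIT SPECIFICATION Demo_ServerAuditSpec
FOR SERVER AUDIT Demo_ServerAudit
ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
USE AdventureWorks;  -- assumed database holding Person.Person
GO
-- Database audit specification: the object-level actions from the demo slide.
CREATE DATABASE AUDIT SPECIFICATION Demo_DbAuditSpec
FOR SERVER AUDIT Demo_ServerAudit
ADD (SELECT, INSERT ON OBJECT::Person.Person BY dbo),
ADD (SELECT ON OBJECT::HumanResources.Employee BY public)
WITH (STATE = ON);
GO
-- Check 1: the audit is enabled, synchronous and set to shut down on failure.
SELECT name, type_desc, on_failure_desc, queue_delay, is_state_enabled
FROM sys.server_audits
WHERE name = N'Demo_ServerAudit';
-- Check 2: which actions are audited, on which objects, for which principals.
SELECT s.name                         AS specification,
       s.is_state_enabled,
       d.audit_action_name,
       OBJECT_NAME(d.major_id)        AS audited_object,
       USER_NAME(d.audited_principal_id) AS audited_principal
FROM sys.database_audit_specifications AS s
JOIN sys.database_audit_specification_details AS d
  ON d.database_specification_id = s.database_specification_id
WHERE s.name = N'Demo_DbAuditSpec';
```

Because the server audit specification includes AUDIT_CHANGE_GROUP, disabling or dropping any of these objects later is itself written to the audit.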
