Implementing Auditing in SQL Server
2 likes1,063 views
This document provides an overview of implementing SQL auditing in SQL Server. It discusses creating a server audit to define how audit data is stored, creating server audit specifications to capture server-level events, and creating database audit specifications to capture database-level events for specific objects and principals. Examples are provided of creating audits using SQL Server Management Studio and Transact-SQL.
![$dbServer= new-Object Microsoft.SqlServer.Management.Smo.Server("(local)")
$dbAudit= New-Object Microsoft.SqlServer.Management.Smo.Audit($dbServer, "Test Audit")
$dbAudit.DestinationType= [Microsoft.SqlServer.Management.Smo.AuditDestinationType]'File'
$dbAudit.FilePath= "C:Audit"
$dbAudit.Create()
$dbAudit.Enable()](https://image.slidesharecdn.com/implementingauditinginsqlserver-140923095942-phpapp02/85/Implementing-Auditing-in-SQL-Server-29-320.jpg)
More Related Content
What's hot (20)
Similar to Implementing Auditing in SQL Server (20)
Recently uploaded (20)
Implementing Auditing in SQL Server
- 1. David Dye
- 2. Introduction What is Auditing Overview of auditing options Introduction to SQL Audit SQL Audit Objects Implementing SQL Audit Audit
- 3. David Dye [email protected] HTTP://WWW.SQLSAFETY.COM
- 4. Tracking and logging of events ◦Security events ◦DDL events ◦DML events ◦Data access events Often required by oversight or governance ◦HIPPA ◦SOX ◦PCI
- 5. C2 Auditing Common Criteria Compliance SQL Trace DDL/DML Triggers SQL Audit
- 6. Introduced in SQL 2000 Meets Department of Defense C2 security requirements Configured at the server level Audit logs are stored in the SQL folder structure Audit logs viewed through SQL Profiler or fn_trace_gettablefunction
- 7. ALL events are defined and non-configurable Instance wide auditing Logs can ONLY be stored in default instance data directory Rollover file size is non-configurable Inability to write to log file results in SQL shut down
- 9. Introduced in SQL 2005 ◦SQL 05 SP1 Evaluation Assurance Level 1 (EAL1) ◦SQL 05 SP2/SQL 08 EAL4++ Does not include all C2 audit mode functionality Includes ◦Residual Information Protection (RIP) ◦The ability to view login statistics ◦Column GRANT should not override table DENY
- 10. Requires Enterprise, Evaluation, or Developer edition Does not incorporate all C2 audit mode functionality Can degrade performance EAL4++ requires running additional scripts
- 12. Traces can be scripted or created through profiler Traces are highly configurable and can be selective Results saved to file or table Templates can be utilized
- 13. Can degrade performance Trace scope can not be efficiently limited to object (database) or action Programmatic limitations
- 15. Capture DDL and most DML events Cons ◦Can be expensive! ◦Trigger fails-Transaction FAILS ◦Can’t capture all events
- 17. What is SQL Audit SQL Audit Background
- 18. Introduced in SQL 2008 Provides the ability to audit server, database, and audit level events Internal to the SQL server Available in Enterprise, developer, and trial editions
- 19. Uses extended events Created through T-SQL, PowerShell or SSMS Audits can have the following scopes: ◦Server level Include server operations, Logon, Logoff, etc. ◦Database level Database action, DML, or DDL ◦Audit level Alter, Create, Drop, etc. audits Audits can be synchronous or asynchronous and logged to ◦File ◦Windows application log ◦Windows security log Full management, configuration, and administration available through .NET using SMO
- 20. Server Audit Server Level Audit Groups Database Level Audit Groups ◦Database Level Audit Actions Audit Level Specification Groups
- 21. 1.Created in the master database •First audit object to be created •Defines How the audit will be stored File Max file size (2mb is default and 2,147,483,647 TB is max) Max number of rollover files (unlimited is default) Reserved disk space (reserves the max. file space unless this is unlimited) Application log Security log Synchronous or asynchronous State of the SQL service on failure to maintain audit
- 22. 1.References the server audit defining how audit data is stored •Created to record server level audit actions 1.SUCCESSFUL_LOGIN_GROUP 2.LOGOUT_GROUP 3.FAILED_LOGIN_GROUP 4.LOGIN_CHANGE_PASSWORD_GROUP 5.APPLICATION_ROLE_CHANGE_PASSWORD_GROUP 6.SERVER_ROLE_MEMBER_CHANGE_GROUP 7.DATABASE_ROLE_MEMBER_CHANGE_GROUP 8.BACKUP_RESTORE_GROUP 9.DBCC_GROUP 10.SERVER_OPERATION_GROUP 11.DATABASE_OPERATION_GROUP 12.AUDIT_ CHANGE_GROUP 13.SERVER_STATE_CHANGE_GROUP 14.SERVER_OBJECT_CHANGE_GROUP 15.SERVER_PRINCIPAL_CHANGE_GROUP 16.DATABASE_CHANGE_GROUP 17.DATABASE_OBJECT_CHANGE_GROUP 18.DATABASE_PRINCIPAL_CHANGE_GROUP 19.SCHEMA_OBJECT_CHANGE_GROUP 20.SERVER_PRINCIPAL_IMPERSONATION_GROUP 21.DATABASE_PRINCIPAL_IMPERSONATION_GROUP 22.SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP 23.DATABASE_OWNERSHIP_CHANGE_GROUP 24.DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP 25.SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP 26.SERVER_PERMISSION_CHANGE_GROUP 27.SERVER_OBJECT_PERMISSION_CHANGE_GROUP 28.DATABASE_PERMISSION_CHANGE_GROUP 29.DATABASE_OBJECT_PERMISSION_CHANGE_GROUP 30.SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP 31.DATABASE_OBJECT_ACCESS_GROUP 32.SCHEMA_OBJECT_ACCESS_GROUP 33.BROKER_LOGIN_GROUP 34.DATABASE_MIRRORING_LOGIN_GROUP 35.TRACE_CHANGE_GROUP
- 23. 1.References the server audit defining how audit data is stored •Created to record database level audit actions 1.DATABASE_ROLE_MEMBER_CHANGE_GROUP 2.DATABASE_OPERATION_GROUP 3.DATABASE_CHANGE_GROUP 4.DATABASE_OBJECT_CHANGE_GROUP 5.DATABASE_PRINCIPAL_CHANGE_GROUP 6.SCHEMA_OBJECT_CHANGE_GROUP 7.DATABASE_PRINCIPAL_IMPERSONATION_GROUP 8.DATABASE_OWNERSHIP_CHANGE_GROUP 9.DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP 10.SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP 11.DATABASE_PERMISSION_CHANGE_GROUP 12.DATABASE_OBJECT_PERMISSION_CHANGE_GROUP 13.SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP 14.DATABASE_OBJECT_ACCESS_GROUP 15.SCHEMA_OBJECT_ACCESS_GROUP
- 24. 1.References the server audit defining how audit data is stored •Created to record database level actions 1.SELECT 2.UPDATE 3.INSERT 4.DELETE 5.EXECUTE 6.RECEIVE 7.REFERENCES
- 25. 1.References the server audit defining how audit data is stored •Created to record audit level action groups 1.AUDIT_ CHANGE_GROUP •CREATE SERVER AUDIT •ALTER SERVER AUDIT •DROP SERVER AUDIT •CREATE SERVER AUDIT SPECIFICATION •ALTER SERVER AUDIT SPECIFICATION •DROP SERVER AUDIT SPECIFICATION •CREATE DATABASE AUDIT SPECIFICATION •ALTER DATABASE AUDIT SPECIFICATION •DROP DATABASE AUDIT SPECIFICATION
- 26. Creating Server Audit ◦Demo Using SSMS Creating Audit Specification ◦Demo Using SSMS Creating Server Specification ◦Demo T-SQL Creating Database Specification ◦Demo T-SQL Working with Audit Logs
- 27. 1.Implementing a SQL audit begins with the server audit •Defines: •How audit is saved •Synchronous/Asynchronous •What happens on failure
- 28. 1.Create server audit 1.Using SSMS 2.Write to application log 3.Synchronous 4.Stop sqlservice on failure
- 29. $dbServer= new-Object Microsoft.SqlServer.Management.Smo.Server("(local)") $dbAudit= New-Object Microsoft.SqlServer.Management.Smo.Audit($dbServer, "Test Audit") $dbAudit.DestinationType= [Microsoft.SqlServer.Management.Smo.AuditDestinationType]'File' $dbAudit.FilePath= "C:Audit" $dbAudit.Create() $dbAudit.Enable()
- 30. 1.SQL audit specification is created at the server level •Audits all audit events •Utilizes a server audit
- 31. 1.Create audit specification 1.Using SSMS 2.Using server audit 3.All Audit_Changeevents
- 32. 1.Implementing a SQL audit begins with the server audit •Defines: •What server audit will be used •The database level events to be audited
- 33. 1.Create database audit specification 1.Using T-SQL 2.Using server audit 3.SELECT and INSERT events on Person.Personby dbo 4.SELECT events on HumanResources.Employeeby public