Transcript Powerpoint

Enterprise Auditing with SQL
Server Audit
Colleen Morrow
About me
 Colleen Morrow
 SQL Server consultant at
UpSearch
 10+ years of SQL Server
experience
 http://colleenmorrow.com
 @ClevelandDBA
 Contributor to Tribal SQL
2
Agenda
•
•
•
•
•
3
Why audit?
Introduction to SQL Server Audit
Defining audit requirements
Implementing SQL Server Audit
Handling audit data
Why audit?
• Your company employs an outside firm to perform
security audits
• Required by law to perform auditing
• Supplement a change management system
• Answer the question, “what changed?”
• Determine who’s accessing that sensitive data
• Determine what a particular login is being used for
4
SQL Audit: Introduction

Built on Extended Events
framework
Events recorded at
permission-check time
Executes asynchronously or
synchronously
Enjoys long walks on the
beach



5
SQL Audit: Terminology
Server Audit
Server audit
specification
Database
audit
specification
6
Database
audit
specification
Database
audit
specification
What actions can you audit?

•
•
•
•
•
7
Objects
object is created, altered or dropped
object is accessed (e.g. DML, EXECUTE)
ownership changes
permission changes
server objects, database objects, schema objects
What actions can you audit? (cont.)

•
•
•
•
•
•
8
Security
principals are created, altered, or dropped
database/server role is added or removed
principal is added to or removed from a role.
successful/failed logins
password changes
a password is changed for an application role
What actions can you audit? (cont.)

•
•
•
Databases
a database is created, altered, or dropped.
ownership changes
permission changes
 Backups
• backup/restore operations
9
What actions can you audit? (cont.)

•
•
•
•
10
Audits/Traces
any audit is created, modified or deleted.
any audit specification is created, modified, or deleted.
any change to an audit is audited in that audit.
statements that check for the ALTER TRACE permission.
What actions can you audit? (cont.)
 Server state
• the SQL Server service state is modified
 DBCC
• a principal issues any DBCC command
 User Defined Events
11
What can’t you audit?
 Temp tables
• #temp and ##temp tables not audited
 Internal events
• E.g. locking, transaction log growth from large
transactions
12
Defining audit requirements
Where?
• How many servers? What version/editions?
What?
• What events? What data for the event?
How critical is it?
• Can you afford to miss any events?
How will the data be viewed?
• Ad hoc? Formal report?
How long should it be retained?
13
Example #1: Security in Azure
To: Dan Wilson
From: Stephanie Conroy
Dan,
Now that we’ve deployed the ordering system infrastructure to Azure virtual machines, I’m
concerned about security. I want to make sure we’ve locked things down as much as possible.
Is there any way to know who is or is trying to log into the database?
Thanks much,
Stephanie Conroy
Network Manager
AdventureWorks, Inc.
14
Audit requirements
Security
Where?
Single instance on Azure VM
What?
Logins, Logouts, Failed Logins;
Login name, Event time, session duration, client hostname/IP
How critical?
Some event loss
Viewed?
Ad hoc report
Retention?
1 week
15
Demonstration
Create Server Audit
Read audit file
Reading audit data
 fn_get_audit_file ( file_pattern,
 { default | initial_file_name | NULL },

{ default | audit_record_offset | NULL } )
• file_pattern – the path and file name of the audit file(s) to be read;
file name can be or include a wildcard.
• initial_file_name – first file to process; all subsequent files will also
be processed.
• audit_record_offset – Used in conjunction with the initial file name
to tell SQL Server where in that initial file to start.
17
Using fn_get_audit_file()




Select * from fn_get_audit_file (‘c:\MyAudits\Security*’
(‘c:\MyAudits\Security*’
, ‘File 1’
2’
,
, NULL
7200 )
9650
, NULL )
File 1
File 2
File 3
7200
9650
18
Example #2: Troubleshooting
To: Dan Wilson
From: Karen Berg
Hey Dan,
You know that audit you configured for to help us troubleshoot erroneous updates to
ProductInventory? It’s a lot of data to sift through and really we’re only interested in updates to
the Bin column. Any way you can refine the audit?
Thanks,
Karen Berg
Application Specialist
AdventureWorks, Inc.
19
Audit requirements
Troubleshooting
Where?
Single database
What?
Updates to specific column
Login/username, event time, statement or procedure
How critical?
No event loss
Viewed?
Ad hoc viewing
Retention?
No requirement
20
Demonstration
User-defined events
Synchronous auditing
Synchronous-icity
QUEUE_DELAY = 1000
0
Permissions
check /
Audit check
Expand Event
details
Synchronous
22
Send to Audit
Xevent session
Record
event
Async
Performance Impact
100
1400
1200
1000
800
600
400
200
0
80
60
40
20
0
% Processor Time
23
1270
1197
327
Transactions/sec
Example #3: Change Management
To: All IT Employees
From: Jean Trenary
As a result of AdventureWorks, Inc. becoming a publicly traded company, IT systems will be
undergoing a yearly audit, to be conducted by an external firm. Part of this auditing process is
a reconciliation between Production-level changes and change management tickets. To help
facilitate the yearly audit, we are now requesting monthly reports from each Production
environment listing all object changes during the previous month and the corresponding ticket
number.
Thank you,
Jean Trenary
Information Services Manager
AdventureWorks, Inc.
24
Audit requirements
Change Management
Where?
All production databases
What?
Database object changes (DDL)
Server, database, schema, object, login, event time, statement
How critical?
No event loss
Viewed?
Monthly/Annual report
Retention?
18 months
25
Demonstration
Using PowerShell
Managing audit data
Recap
•
•
•
•
•
27
Why audit?
Introduction to SQL Server Audit
Defining audit requirements
Implementing SQL Server Audit
Handling audit data
QUESTIONS
Thank You
This FREE SQL Saturday is brought to you courtesy of these sponsors,
speakers and volunteers who staff this event
Please Support Our Sponsors
SQL Saturday is made possible with the generous support of these sponsors.
You can support them by opting-in and visiting them in the sponsor area.