Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enterprise Auditing with SQL Server Audit

Published byGlenna Budiaman Modified over 5 years ago

Similar presentations

Presentation on theme: "Enterprise Auditing with SQL Server Audit"— Presentation transcript:

1 Enterprise Auditing with SQL Server Audit
Colleen Morrow, SQL Server Consultant, UpSearch

2 About me Colleen Morrow Principal consultant at UpSearch
MCSE: Data Platform 10+ years of SQL Server experience @ClevelandDBA

3 Agenda Why audit? Introduction to SQL Server Audit
Defining audit requirements Implementing SQL Server Audit Handling audit data

4 Why audit? Once upon a time… a cautionary tale

5 Why audit? Your company employs an outside firm to perform security audits Required by law to perform auditing Supplement a change management system Answer the question, “what changed?” Determine who’s accessing that sensitive data Determine what a particular login is being used for

6 SQL Audit: Introduction
2008+ Enterprise Edition* Built on Extended Events framework Very lightweight Events recorded at permission-check time Executes asynchronously or synchronously Enjoys long walks on the beach Built on the Extended Events framework minimal overhead, less than SQL Trace Events are recorded at the permission-check level Record when an event was even attempted Capture indirect activities, i.e. a stored procedure or view referencing a table being audited Executes asynchronously or synchronously

7 SQL Audit: Terminology
Server Audit Server audit specification Database audit specification Server Audit object - defines where the audit information goes. Audit Specification object - describes what gets audited. Database Audit Specification - audits events at the database level. For example, selecting from a certain table (or all tables), altering a stored procedure, etc. Server Audit Specification - captures events at the instance level, such as logging in, adding principals to server roles, etc. An audit specification can be associated with only one audit object. A server audit object can have one or more audit specifications assigned to it.

8 What actions can you audit?
Objects object is created, altered or dropped object is accessed (e.g. DML, EXECUTE) ownership changes permission changes server objects, database objects, schema objects

9 What actions can you audit? (cont.)
Security principals are created, altered, or dropped database/server role is added or removed principal is added to or removed from a role. successful/failed logins password changes a password is changed for an application role

10 What actions can you audit? (cont.)
Databases a database is created, altered, or dropped. ownership changes permission changes Backups backup/restore operations

11 What actions can you audit? (cont.)
Audits/Traces any audit is created, modified or deleted. any audit specification is created, modified, or deleted. any change to an audit is audited in that audit. statements that check for the ALTER TRACE permission.

12 What actions can you audit? (cont.)
Server state the SQL Server service state is modified DBCC a principal issues any DBCC command User Defined Events

13 What can’t you audit? Temp tables #temp and ##temp tables not audited
Internal events E.g. locking, transaction log growth from large transactions

14 Defining audit requirements
Where? How many servers? What version/editions? What? What events? What data for the event? How critical is it? Can you afford to miss any events? How will the data be viewed? Ad hoc? Formal report? How long should it be retained?

15 Example #1: Security in Azure
To: Dan Wilson From: Stephanie Conroy Dan, Now that we’ve deployed the ordering system infrastructure to Azure virtual machines, I’m concerned about security. I want to make sure we’ve locked things down as much as possible. Is there any way to know who is or is trying to log into the database? Thanks much, Stephanie Conroy Network Manager AdventureWorks, Inc.

16 Audit requirements Where? Single instance on Azure VM What?
Security Where? Single instance on Azure VM What? Logins, Logouts, Failed Logins; Login name, Event time, session duration, client hostname/IP How critical? Some event loss Viewed? Ad hoc report Retention? 1 week

17 Create Server Audit Read audit file
Demo Create Server Audit Read audit file

18 Reading audit data fn_get_audit_file ( file_pattern,
{ default | initial_file_name | NULL }, { default | audit_record_offset | NULL } ) file_pattern – the path and file name of the audit file(s) to be read; file name can be or include a wildcard. initial_file_name – first file to process; all subsequent files will also be processed. audit_record_offset – Used in conjunction with the initial file name to tell SQL Server where in that initial file to start. file_pattern – the path and file name of the audit file(s) to be read; file name can be or include a wildcard. initial_file_name – first file to process; all subsequent files will also be processed. audit_record_offset – Used in conjunction with the initial file name to tell SQL Server where in that initial file to start.

19 Using fn_get_audit_file()
Select * from fn_get_audit_file (‘c:\MyAudits\Security*’ , NULL , NULL ) Select * from fn_get_audit_file (‘c:\MyAudits\Security*’ , ‘File 2’ , 7200 ) Select * from fn_get_audit_file (‘c:\MyAudits\Security*’ , ‘File 1’ , 9650 ) File 1 File 2 File 3 7200 9650

20 Example #2: Troubleshooting
To: Dan Wilson From: Karen Berg Hey Dan, You know that audit you configured for to help us troubleshoot erroneous updates to ProductInventory? It’s a lot of data to sift through and really we’re only interested in updates to the Bin column. Any way you can refine the audit? Thanks, Karen Berg Application Specialist AdventureWorks, Inc.

21 Audit requirements Where? Single database What?
Troubleshooting Where? Single database What? Updates to specific column Login/username, event time, statement or procedure How critical? No event loss Viewed? Ad hoc viewing Retention? No requirement

22 User-defined events Synchronous auditing
Demo User-defined events Synchronous auditing

23 Synchronous-icity Permissions check / Audit check Expand Event details
Send to Audit Xevent session Record event QUEUE_DELAY = 1000 Synchronous Async

24 Performance Impact NOTE: Graphs and chart colours provided are examples. You may add your own graphs and select your own colours, if you see this necessary.

25 Example #3: Change Management
To: All IT Employees From: Jean Trenary As a result of AdventureWorks, Inc. becoming a publicly traded company, IT systems will be undergoing a yearly audit, to be conducted by an external firm. Part of this auditing process is a reconciliation between Production-level changes and change management tickets. To help facilitate the yearly audit, we are now requesting monthly reports from each Production environment listing all object changes during the previous month and the corresponding ticket number. Thank you, Jean Trenary Information Services Manager AdventureWorks, Inc.

26 Audit requirements Where? All production databases What?
Change Management Where? All production databases What? Database object changes (DDL) Server, database, schema, object, login, event time, statement How critical? No event loss Viewed? Monthly/Annual report Retention? 18 months

27 Using PowerShell Managing audit data
Demo Using PowerShell Managing audit data

28 Permissions Creating audits or server audit specifications
ALTER ANY SERVER AUDIT or the CONTROL SERVER permission Creating database audit specification ALTER ANY DATABASE AUDIT permission or the ALTER or CONTROL permission on the database Viewing audit logs CONTROL SERVER permission

29 Recap Why audit? Introduction to SQL Server Audit
Defining audit requirements Implementing SQL Server Audit Handling audit data

30 Questions?

31 Thank You

Download ppt "Enterprise Auditing with SQL Server Audit"

Similar presentations

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
Auditing Database DDL Changes with SQLVer. About PASS The PASS community encompasses everyone who uses the Microsoft SQL Server or Business Intelligence.

Auditing Database DDL Changes with SQLVer. About PASS The PASS community encompasses everyone who uses the Microsoft SQL Server or Business Intelligence.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Chapter 4 SQL. SQL server Microsoft SQL Server is a client/server database management system. Microsoft SQL Server is a client/server database management.

Chapter 4 SQL. SQL server Microsoft SQL Server is a client/server database management system. Microsoft SQL Server is a client/server database management.
Information storage: Introduction of database 10/7/2004 Xiangming Mu.

Information storage: Introduction of database 10/7/2004 Xiangming Mu.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Database Technical Session By: Prof. Adarsh Patel.

Database Technical Session By: Prof. Adarsh Patel.
Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.

Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.
MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.

MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.
© Wiley Inc. 2006. All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition.

© Wiley Inc All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition.
Learningcomputer.com SQL Server 2008 – Administration, Maintenance and Job Automation.

Learningcomputer.com SQL Server 2008 – Administration, Maintenance and Job Automation.
Module 14 Configuring Security for SQL Server Agent.

Module 14 Configuring Security for SQL Server Agent.
Module 5: Upgrading to SQL Server 7.0. Overview Planning an Upgrade Preparing to Upgrade Verifying the Upgrade Setting a Compatibility Level.

Module 5: Upgrading to SQL Server 7.0. Overview Planning an Upgrade Preparing to Upgrade Verifying the Upgrade Setting a Compatibility Level.
Roles & privileges privilege A user privilege is a right to execute a particular type of SQL statement, or a right to access another user's object. The.

Roles & privileges privilege A user privilege is a right to execute a particular type of SQL statement, or a right to access another user's object. The.
Introduction to Oracle. Oracle History 1979 Oracle Release 2 1986 client/server relational database 1989 Oracle 6 1997 Oracle 8 (object relational) 1999.

Introduction to Oracle. Oracle History 1979 Oracle Release client/server relational database 1989 Oracle Oracle 8 (object relational) 1999.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 9 Auditing Database Activities.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 9 Auditing Database Activities.
1 Chapter Overview Defining Operators Creating Jobs Configuring Alerts Creating a Database Maintenance Plan Creating Multiserver Jobs.

1 Chapter Overview Defining Operators Creating Jobs Configuring Alerts Creating a Database Maintenance Plan Creating Multiserver Jobs.
Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.

Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.

Similar presentations

Ads by Google