David Dye

 Introduction
 What is Auditing
 Overview of auditing options
 Introduction to SQL Audit
 SQL Audit Objects
 Implementing SQL Audit
 Audit
 David Dye

 ddye@capecoral.net
 HTTP://WWW.SQLSAFETY.COM
 Tracking and logging of events
◦ Security events
◦ DDL events
◦ DML events
◦ Data access events
 Often required by oversight or governance
◦ HIPPA
◦ SOX
◦ PCI
 C2 Auditing
 Common Criteria Compliance
 SQL Trace
 DDL/DML Triggers
 SQL Audit
 Introduced in SQL 2000
 Meets Department of Defense C2 security
requirements
 Configured at the server level
 Audit logs are stored in the SQL folder
structure
 Audit logs viewed through SQL Profiler or
fn_trace_gettable function
 ALL events are defined and non-configurable
 Instance wide auditing
 Logs can ONLY be stored in default instance
data directory
 Rollover file size is non-configurable
 Inability to write to log file results in SQL shut
down
 Introduced in SQL 2005
◦ SQL 05 SP1 Evaluation Assurance Level 1 (EAL1)
◦ SQL 05 SP2/SQL 08 EAL4++
 Does not include all C2 audit mode
functionality
 Includes
◦ Residual Information Protection (RIP)
◦ The ability to view login statistics
◦ Column GRANT should not override table DENY
 Requires Enterprise, Evaluation, or Developer
edition
 Does not incorporate all C2 audit mode
functionality
 Can degrade performance
 EAL4++ requires running additional scripts
 Traces can be scripted or created through
profiler
 Traces are highly configurable and can be
selective
 Results saved to file or table
 Templates can be utilized
 Can degrade performance
 Trace scope can not be efficiently limited to
object (database) or action
 Programmatic limitations
 Capture DDL and most DML events
 Cons
◦ Can be expensive!
◦ Trigger fails-Transaction FAILS
◦ Can’t capture all events
 What is SQL Audit
 SQL Audit Background
 Introduced in SQL 2008
 Provides the ability to audit server, database,
and audit level events
 Internal to the SQL server
 Available in Enterprise, developer, and trial
editions
 Uses extended events
 Created through T-SQL, PowerShell or SSMS
 Audits can have the following scopes:
◦ Server level
 Include server operations, Logon, Logoff, etc.
◦ Database level
 Database action, DML, or DDL
◦ Audit level
 Alter, Create, Drop, etc. audits
 Audits can be synchronous or asynchronous and
logged to
◦ File
◦ Windows application log
◦ Windows security log
 Full management, configuration, and
administration available through .NET using SMO
 Server Audit
 Server Level Audit Groups
 Database Level Audit Groups
◦ Database Level Audit Actions
 Audit Level Specification Groups
1. Created in the master database
• First audit object to be created
• Defines
 How the audit will be stored
 File
 Max file size (2mb is default and 2,147,483,647 TB is
max)
 Max number of rollover files (unlimited is default)
 Reserved disk space (reserves the max. file space
unless this is unlimited)
 Application log
 Security log
 Synchronous or asynchronous
 State of the SQL service on failure to maintain audit
1. References the server audit defining how audit data is stored
• Created to record server level audit actions
1. SUCCESSFUL_LOGIN_GROUP
2. LOGOUT_GROUP
3. FAILED_LOGIN_GROUP
4. LOGIN_CHANGE_PASSWORD_GROUP
5. APPLICATION_ROLE_CHANGE_PASSWORD_GROUP
6. SERVER_ROLE_MEMBER_CHANGE_GROUP
7. DATABASE_ROLE_MEMBER_CHANGE_GROUP
8. BACKUP_RESTORE_GROUP
9. DBCC_GROUP
10. SERVER_OPERATION_GROUP
11. DATABASE_OPERATION_GROUP
12. AUDIT_ CHANGE_GROUP
13. SERVER_STATE_CHANGE_GROUP
14. SERVER_OBJECT_CHANGE_GROUP
15. SERVER_PRINCIPAL_CHANGE_GROUP
16. DATABASE_CHANGE_GROUP
17. DATABASE_OBJECT_CHANGE_GROUP
18. DATABASE_PRINCIPAL_CHANGE_GROUP
19. SCHEMA_OBJECT_CHANGE_GROUP
20. SERVER_PRINCIPAL_IMPERSONATION_GROUP
21. DATABASE_PRINCIPAL_IMPERSONATION_GROUP
22. SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
23. DATABASE_OWNERSHIP_CHANGE_GROUP
24. DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
25. SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
26. SERVER_PERMISSION_CHANGE_GROUP
27. SERVER_OBJECT_PERMISSION_CHANGE_GROUP
28. DATABASE_PERMISSION_CHANGE_GROUP
29. DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
30. SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
31. DATABASE_OBJECT_ACCESS_GROUP
32. SCHEMA_OBJECT_ACCESS_GROUP
33. BROKER_LOGIN_GROUP
34. DATABASE_MIRRORING_LOGIN_GROUP
35. TRACE_CHANGE_GROUP
1. References the server audit defining how audit data is
stored
• Created to record database level audit actions
1.DATABASE_ROLE_MEMBER_CHANGE_GROUP
2.DATABASE_OPERATION_GROUP
3.DATABASE_CHANGE_GROUP
4.DATABASE_OBJECT_CHANGE_GROUP
5.DATABASE_PRINCIPAL_CHANGE_GROUP
6.SCHEMA_OBJECT_CHANGE_GROUP
7.DATABASE_PRINCIPAL_IMPERSONATION_GROUP
8.DATABASE_OWNERSHIP_CHANGE_GROUP
9.DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
10.SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
11.DATABASE_PERMISSION_CHANGE_GROUP
12.DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
13.SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
14.DATABASE_OBJECT_ACCESS_GROUP
15.SCHEMA_OBJECT_ACCESS_GROUP
1. References the server audit defining how audit data is
stored
• Created to record database level actions
1.SELECT
2.UPDATE
3.INSERT
4.DELETE
5.EXECUTE
6.RECEIVE
7.REFERENCES
1. References the server audit defining how audit data is
stored
• Created to record audit level action groups
1.AUDIT_ CHANGE_GROUP
• CREATE SERVER AUDIT
• ALTER SERVER AUDIT
• DROP SERVER AUDIT
• CREATE SERVER AUDIT SPECIFICATION
• ALTER SERVER AUDIT SPECIFICATION
• DROP SERVER AUDIT SPECIFICATION
• CREATE DATABASE AUDIT SPECIFICATION
• ALTER DATABASE AUDIT SPECIFICATION
• DROP DATABASE AUDIT SPECIFICATION
 Creating Server Audit
◦ Demo Using SSMS
 Creating Audit Specification
◦ Demo Using SSMS
 Creating Server Specification
◦ Demo T-SQL
 Creating Database Specification
◦ Demo T-SQL
 Working with Audit Logs
1. Implementing a SQL audit begins with the
server audit
• Defines:
• How audit is saved
• Synchronous/Asynchronous
• What happens on failure
1. Create server audit
1.Using SSMS
2.Write to application log
3. Synchronous
4.Stop sql service on failure
$dbServer = new-Object
Microsoft.SqlServer.Management.Smo.Server("(l
ocal)")
$dbAudit = New-Object
Microsoft.SqlServer.Management.Smo.Audit($db
Server, "Test Audit")
$dbAudit.DestinationType =
[Microsoft.SqlServer.Management.Smo.AuditDes
tinationType]'File'
$dbAudit.FilePath = "C:\Audit"
$dbAudit.Create()
$dbAudit.Enable()
1. SQLaudit specification is created at the server
level
• Audits all audit events
• Utilizes a server audit
1. Create audit specification
1.Using SSMS
2.Using server audit
3. All Audit_Change events
1.Implementing a SQL audit begins with the
server audit
• Defines:
• What server audit will be used
• The database level events to be audited
1. Create database audit specification
1.Using T-SQL
2.Using server audit
3. SELECT and INSERT events on Person.Person by dbo
4.SELECT events on HumanResources.Employee by
public