This document provides an overview of implementing SQL auditing in SQL Server. It discusses creating a server audit to define how audit data is stored, creating server audit specifications to capture server-level events, and creating database audit specifications to capture database-level events for specific objects and principals. Examples are provided of creating audits using SQL Server Management Studio and Transact-SQL.
6. Introduced in SQL 2000
Meets Department of Defense C2 security requirements
Configured at the server level
Audit logs are stored in the SQL folder structure
Audit logs viewed through SQL Profiler or fn_trace_gettablefunction
7. ALL events are defined and non-configurable
Instance wide auditing
Logs can ONLY be stored in default instance data directory
Rollover file size is non-configurable
Inability to write to log file results in SQL shut down
8.
9. Introduced in SQL 2005
◦SQL 05 SP1 Evaluation Assurance Level 1 (EAL1)
◦SQL 05 SP2/SQL 08 EAL4++
Does not include all C2 audit mode functionality
Includes
◦Residual Information Protection (RIP)
◦The ability to view login statistics
◦Column GRANT should not override table DENY
10. Requires Enterprise, Evaluation, or Developer edition
Does not incorporate all C2 audit mode functionality
Can degrade performance
EAL4++ requires running additional scripts
11.
12. Traces can be scripted or created through profiler
Traces are highly configurable and can be selective
Results saved to file or table
Templates can be utilized
13. Can degrade performance
Trace scope can not be efficiently limited to object (database) or action
Programmatic limitations
14.
15. Capture DDL and most DML events
Cons
◦Can be expensive!
◦Trigger fails-Transaction FAILS
◦Can’t capture all events
18. Introduced in SQL 2008
Provides the ability to audit server, database, and audit level events
Internal to the SQL server
Available in Enterprise, developer, and trial editions
19. Uses extended events
Created through T-SQL, PowerShell or SSMS
Audits can have the following scopes:
◦Server level
Include server operations, Logon, Logoff, etc.
◦Database level
Database action, DML, or DDL
◦Audit level
Alter, Create, Drop, etc. audits
Audits can be synchronous or asynchronous and logged to
◦File
◦Windows application log
◦Windows security log
Full management, configuration, and administration available through .NET using SMO
20. Server Audit
Server Level Audit Groups
Database Level Audit Groups
◦Database Level Audit Actions
Audit Level Specification Groups
21. 1.Created in the master database
•First audit object to be created
•Defines
How the audit will be stored
File
Max file size (2mb is default and 2,147,483,647 TB is max)
Max number of rollover files (unlimited is default)
Reserved disk space (reserves the max. file space unless this is unlimited)
Application log
Security log
Synchronous or asynchronous
State of the SQL service on failure to maintain audit
22. 1.References the server audit defining how audit data is stored
•Created to record server level audit actions
1.SUCCESSFUL_LOGIN_GROUP
2.LOGOUT_GROUP
3.FAILED_LOGIN_GROUP
4.LOGIN_CHANGE_PASSWORD_GROUP
5.APPLICATION_ROLE_CHANGE_PASSWORD_GROUP
6.SERVER_ROLE_MEMBER_CHANGE_GROUP
7.DATABASE_ROLE_MEMBER_CHANGE_GROUP
8.BACKUP_RESTORE_GROUP
9.DBCC_GROUP
10.SERVER_OPERATION_GROUP
11.DATABASE_OPERATION_GROUP
12.AUDIT_ CHANGE_GROUP
13.SERVER_STATE_CHANGE_GROUP
14.SERVER_OBJECT_CHANGE_GROUP
15.SERVER_PRINCIPAL_CHANGE_GROUP
16.DATABASE_CHANGE_GROUP
17.DATABASE_OBJECT_CHANGE_GROUP
18.DATABASE_PRINCIPAL_CHANGE_GROUP
19.SCHEMA_OBJECT_CHANGE_GROUP
20.SERVER_PRINCIPAL_IMPERSONATION_GROUP
21.DATABASE_PRINCIPAL_IMPERSONATION_GROUP
22.SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
23.DATABASE_OWNERSHIP_CHANGE_GROUP
24.DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
25.SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
26.SERVER_PERMISSION_CHANGE_GROUP
27.SERVER_OBJECT_PERMISSION_CHANGE_GROUP
28.DATABASE_PERMISSION_CHANGE_GROUP
29.DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
30.SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
31.DATABASE_OBJECT_ACCESS_GROUP
32.SCHEMA_OBJECT_ACCESS_GROUP
33.BROKER_LOGIN_GROUP
34.DATABASE_MIRRORING_LOGIN_GROUP
35.TRACE_CHANGE_GROUP
23. 1.References the server audit defining how audit data is stored
•Created to record database level audit actions
1.DATABASE_ROLE_MEMBER_CHANGE_GROUP
2.DATABASE_OPERATION_GROUP
3.DATABASE_CHANGE_GROUP
4.DATABASE_OBJECT_CHANGE_GROUP
5.DATABASE_PRINCIPAL_CHANGE_GROUP
6.SCHEMA_OBJECT_CHANGE_GROUP
7.DATABASE_PRINCIPAL_IMPERSONATION_GROUP
8.DATABASE_OWNERSHIP_CHANGE_GROUP
9.DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
10.SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
11.DATABASE_PERMISSION_CHANGE_GROUP
12.DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
13.SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
14.DATABASE_OBJECT_ACCESS_GROUP
15.SCHEMA_OBJECT_ACCESS_GROUP
24. 1.References the server audit defining how audit data is stored
•Created to record database level actions
1.SELECT
2.UPDATE
3.INSERT
4.DELETE
5.EXECUTE
6.RECEIVE
7.REFERENCES
25. 1.References the server audit defining how audit data is stored
•Created to record audit level action groups
1.AUDIT_ CHANGE_GROUP
•CREATE SERVER AUDIT
•ALTER SERVER AUDIT
•DROP SERVER AUDIT
•CREATE SERVER AUDIT SPECIFICATION
•ALTER SERVER AUDIT SPECIFICATION
•DROP SERVER AUDIT SPECIFICATION
•CREATE DATABASE AUDIT SPECIFICATION
•ALTER DATABASE AUDIT SPECIFICATION
•DROP DATABASE AUDIT SPECIFICATION
26. Creating Server Audit
◦Demo Using SSMS
Creating Audit Specification
◦Demo Using SSMS
Creating Server Specification
◦Demo T-SQL
Creating Database Specification
◦Demo T-SQL
Working with Audit Logs
27. 1.Implementing a SQL audit begins with the server audit
•Defines:
•How audit is saved
•Synchronous/Asynchronous
•What happens on failure
28. 1.Create server audit
1.Using SSMS
2.Write to application log
3.Synchronous
4.Stop sqlservice on failure
32. 1.Implementing a SQL audit begins with the server audit
•Defines:
•What server audit will be used
•The database level events to be audited
33. 1.Create database audit specification
1.Using T-SQL
2.Using server audit
3.SELECT and INSERT events on Person.Personby dbo
4.SELECT events on HumanResources.Employeeby public