This document provides an overview of implementing SQL auditing in SQL Server. It discusses creating a server audit to define how audit data is stored, creating server audit specifications to capture server-level events, and creating database audit specifications to capture database-level events for specific objects and principals. Examples are provided of creating audits using SQL Server Management Studio and Transact-SQL.

1. David Dye

2. Introduction
What is Auditing
Overview of auditing options
Introduction to SQL Audit
SQL Audit Objects
Implementing SQL Audit
Audit

3. David Dye
ddye@capecoral.net
HTTP://WWW.SQLSAFETY.COM

4. Tracking and logging of events
◦Security events
◦DDL events
◦DML events
◦Data access events
Often required by oversight or governance
◦HIPPA
◦SOX
◦PCI

5. C2 Auditing
Common Criteria Compliance
SQL Trace
DDL/DML Triggers
SQL Audit

6. Introduced in SQL 2000
Meets Department of Defense C2 security requirements
Configured at the server level
Audit logs are stored in the SQL folder structure
Audit logs viewed through SQL Profiler or fn_trace_gettablefunction

7. ALL events are defined and non-configurable
Instance wide auditing
Logs can ONLY be stored in default instance data directory
Rollover file size is non-configurable
Inability to write to log file results in SQL shut down

9. Introduced in SQL 2005
◦SQL 05 SP1 Evaluation Assurance Level 1 (EAL1)
◦SQL 05 SP2/SQL 08 EAL4++
Does not include all C2 audit mode functionality
Includes
◦Residual Information Protection (RIP)
◦The ability to view login statistics
◦Column GRANT should not override table DENY

10. Requires Enterprise, Evaluation, or Developer edition
Does not incorporate all C2 audit mode functionality
Can degrade performance
EAL4++ requires running additional scripts

12. Traces can be scripted or created through profiler
Traces are highly configurable and can be selective
Results saved to file or table
Templates can be utilized

13. Can degrade performance
Trace scope can not be efficiently limited to object (database) or action
Programmatic limitations

15. Capture DDL and most DML events
Cons
◦Can be expensive!
◦Trigger fails-Transaction FAILS
◦Can’t capture all events

17. What is SQL Audit
SQL Audit Background

18. Introduced in SQL 2008
Provides the ability to audit server, database, and audit level events
Internal to the SQL server
Available in Enterprise, developer, and trial editions

19. Uses extended events
Created through T-SQL, PowerShell or SSMS
Audits can have the following scopes:
◦Server level
Include server operations, Logon, Logoff, etc.
◦Database level
Database action, DML, or DDL
◦Audit level
Alter, Create, Drop, etc. audits
Audits can be synchronous or asynchronous and logged to
◦File
◦Windows application log
◦Windows security log
Full management, configuration, and administration available through .NET using SMO

20. Server Audit
Server Level Audit Groups
Database Level Audit Groups
◦Database Level Audit Actions
Audit Level Specification Groups

21. 1.Created in the master database
•First audit object to be created
•Defines
How the audit will be stored
File
Max file size (2mb is default and 2,147,483,647 TB is max)
Max number of rollover files (unlimited is default)
Reserved disk space (reserves the max. file space unless this is unlimited)
Application log
Security log
Synchronous or asynchronous
State of the SQL service on failure to maintain audit

22. 1.References the server audit defining how audit data is stored
•Created to record server level audit actions
1.SUCCESSFUL_LOGIN_GROUP
2.LOGOUT_GROUP
3.FAILED_LOGIN_GROUP
4.LOGIN_CHANGE_PASSWORD_GROUP
5.APPLICATION_ROLE_CHANGE_PASSWORD_GROUP
6.SERVER_ROLE_MEMBER_CHANGE_GROUP
7.DATABASE_ROLE_MEMBER_CHANGE_GROUP
8.BACKUP_RESTORE_GROUP
9.DBCC_GROUP
10.SERVER_OPERATION_GROUP
11.DATABASE_OPERATION_GROUP
12.AUDIT_ CHANGE_GROUP
13.SERVER_STATE_CHANGE_GROUP
14.SERVER_OBJECT_CHANGE_GROUP
15.SERVER_PRINCIPAL_CHANGE_GROUP
16.DATABASE_CHANGE_GROUP
17.DATABASE_OBJECT_CHANGE_GROUP
18.DATABASE_PRINCIPAL_CHANGE_GROUP
19.SCHEMA_OBJECT_CHANGE_GROUP
20.SERVER_PRINCIPAL_IMPERSONATION_GROUP
21.DATABASE_PRINCIPAL_IMPERSONATION_GROUP
22.SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
23.DATABASE_OWNERSHIP_CHANGE_GROUP
24.DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
25.SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
26.SERVER_PERMISSION_CHANGE_GROUP
27.SERVER_OBJECT_PERMISSION_CHANGE_GROUP
28.DATABASE_PERMISSION_CHANGE_GROUP
29.DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
30.SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
31.DATABASE_OBJECT_ACCESS_GROUP
32.SCHEMA_OBJECT_ACCESS_GROUP
33.BROKER_LOGIN_GROUP
34.DATABASE_MIRRORING_LOGIN_GROUP
35.TRACE_CHANGE_GROUP

23. 1.References the server audit defining how audit data is stored
•Created to record database level audit actions
1.DATABASE_ROLE_MEMBER_CHANGE_GROUP
2.DATABASE_OPERATION_GROUP
3.DATABASE_CHANGE_GROUP
4.DATABASE_OBJECT_CHANGE_GROUP
5.DATABASE_PRINCIPAL_CHANGE_GROUP
6.SCHEMA_OBJECT_CHANGE_GROUP
7.DATABASE_PRINCIPAL_IMPERSONATION_GROUP
8.DATABASE_OWNERSHIP_CHANGE_GROUP
9.DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
10.SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
11.DATABASE_PERMISSION_CHANGE_GROUP
12.DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
13.SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
14.DATABASE_OBJECT_ACCESS_GROUP
15.SCHEMA_OBJECT_ACCESS_GROUP

24. 1.References the server audit defining how audit data is stored
•Created to record database level actions
1.SELECT
2.UPDATE
3.INSERT
4.DELETE
5.EXECUTE
6.RECEIVE
7.REFERENCES

25. 1.References the server audit defining how audit data is stored
•Created to record audit level action groups
1.AUDIT_ CHANGE_GROUP
•CREATE SERVER AUDIT
•ALTER SERVER AUDIT
•DROP SERVER AUDIT
•CREATE SERVER AUDIT SPECIFICATION
•ALTER SERVER AUDIT SPECIFICATION
•DROP SERVER AUDIT SPECIFICATION
•CREATE DATABASE AUDIT SPECIFICATION
•ALTER DATABASE AUDIT SPECIFICATION
•DROP DATABASE AUDIT SPECIFICATION

26. Creating Server Audit
◦Demo Using SSMS
Creating Audit Specification
◦Demo Using SSMS
Creating Server Specification
◦Demo T-SQL
Creating Database Specification
◦Demo T-SQL
Working with Audit Logs

27. 1.Implementing a SQL audit begins with the server audit
•Defines:
•How audit is saved
•Synchronous/Asynchronous
•What happens on failure

28. 1.Create server audit
1.Using SSMS
2.Write to application log
3.Synchronous
4.Stop sqlservice on failure

29. $dbServer= new-Object Microsoft.SqlServer.Management.Smo.Server("(local)")
$dbAudit= New-Object Microsoft.SqlServer.Management.Smo.Audit($dbServer, "Test Audit")
$dbAudit.DestinationType= [Microsoft.SqlServer.Management.Smo.AuditDestinationType]'File'
$dbAudit.FilePath= "C:Audit"
$dbAudit.Create()
$dbAudit.Enable()

30. 1.SQL audit specification is created at the server level
•Audits all audit events
•Utilizes a server audit

31. 1.Create audit specification
1.Using SSMS
2.Using server audit
3.All Audit_Changeevents

32. 1.Implementing a SQL audit begins with the server audit
•Defines:
•What server audit will be used
•The database level events to be audited

33. 1.Create database audit specification
1.Using T-SQL
2.Using server audit
3.SELECT and INSERT events on Person.Personby dbo
4.SELECT events on HumanResources.Employeeby public