A Comparative Analysis Of Auditing Solutions In Sql Server

1. A Comparative Analysis of Auditing Solutions in SQL Server, or: How The Hell Can I Tell Who's Messing With My Data

2. Audit
   A methodical examination or review of a condition or situation.

3. Compliance
   Acting according to certain accepted standards.
   Monitoring the extent of compliance with the standards and ethical codes at either an agency or sector level.

4. Compliance

5. Auditing in SQL
   - User actions
   - Data changes
   - Data reads
   - Schema changes
   - Security events
   - Logins
   - Server security activities

6. Audit Solutions Timeline

7. Agenda
   - Schema changes and security audit
     - Trace
     - SQL Audit
     - DDL Triggers (& Logon Triggers)
   - Data changes audit
     - DML Triggers
     - Change Tracking
     - Change Data Capture (CDC)
   - Third-party tools
     - Idera SQL Compliance Manager
8. SQL Trace
   Versions available: 6.x+ (Profiler since 7)
   Editions available: all (Profiler is not available in Express Edition)
   What does it audit?
   - User actions (who read, who wrote, who altered)
   - Most of the events we can dream of: object access and management in any scope, security changes and events, logins (in addition to everything required for debugging, monitoring and performance tuning)

9. SQL Trace
   Pros
   - A one-stop mechanism to get tons of security-related information.
   - No objects have to be altered or created.
   - Captures things that can't be captured otherwise (DBCC, create/alter trace, backup/restore); from SQL Server 2008 on, SQL Audit captures these as well
   - Actions are ALWAYS audited (even if the transaction was rolled back)
   Cons
   - Data changes are not collected (they can be collected with user-defined events, but this requires triggers and is complex to work out)
   - May be harder to filter and analyze for relevant events.
   - The syntax is complicated, and it is harder to understand what we are auditing (when not using Profiler).
   - There is no guarantee the trace will run when the server starts; we have to take care of that ourselves (using a startup procedure or an Agent job)

10. SQL Trace
    How to create: see Yaniv Etrogi's UG 87 session at sqlserver.co.il
    How does it work? Based on internal trace events

11. SQL Trace
    Performance overhead: minimal (when not used with Profiler)
    Test with 5 events, and only Profiler filtered out: http://sqlblog.com/blogs/linchi_shea/archive/2007/08/01/trace-profiler-test.aspx

12. SQL Trace
    Interesting events to look for (security):
    - Audit Schema Object Access
    - Audit Schema Object Management
    - Audit Schema Object GDR
    - Audit Schema Object Take Ownership
    - Audit Login Failed

13. SQL Trace
    Default trace
    - File growth, shrink
    - Mirroring state change
    - Errors and warnings
    - Full-text crawl start/stop/abort
    - Object create/alter/drop
    - 17 audit events
    - Server memory change
    - 5 rollover files of 20 MB each

14. SQL Trace
    Blackbox trace
    - 5 MB files (size and rollover file count can be overridden after setup)
    - Saved to the default data folder
    - Traces: RPC Starting, Batch Starting, Exception, Attention (timeouts)
    - No filters, no event/column configuration
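An added example (not from the slides) of creating a server-side trace for the slide 12 security events and registering it as a startup procedure, which is the fix slide 9 suggests for "no guarantee the trace will run when the server starts". Event and column IDs are the documented sp_trace_setevent values; the file path, file size and rollover count are assumptions.

```sql
USE master;
GO
CREATE PROCEDURE dbo.usp_StartSecurityTrace
AS
BEGIN
    DECLARE @traceid INT, @rc INT, @on BIT = 1;
    DECLARE @file NVARCHAR(245) = N'E:\SqlTraces\security_audit';  -- assumed path; .trc is appended
    DECLARE @maxsize BIGINT = 50;                                    -- MB per file (assumption)

    -- @options 2 = TRACE_FILE_ROLLOVER, keep at most 10 files (assumption)
    EXEC @rc = sp_trace_create @traceid OUTPUT, 2, @file, @maxsize, NULL, 10;
    IF @rc <> 0 RETURN @rc;

    -- Event IDs: 20 Audit Login Failed, 114 Audit Schema Object Access,
    -- 131 Audit Schema Object Management (slide 12). Columns: 1 TextData,
    -- 8 HostName, 10 ApplicationName, 11 LoginName, 14 StartTime,
    -- 34 ObjectName, 35 DatabaseName.
    DECLARE @ev INT, @col INT;
    DECLARE ev CURSOR LOCAL FAST_FORWARD FOR
        SELECT e, c FROM (VALUES (20), (114), (131)) AS E(e)
        CROSS JOIN (VALUES (1), (8), (10), (11), (14), (34), (35)) AS C(c);
    OPEN ev;
    FETCH NEXT FROM ev INTO @ev, @col;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        EXEC sp_trace_setevent @traceid, @ev, @col, @on;
        FETCH NEXT FROM ev INTO @ev, @col;
    END
    CLOSE ev; DEALLOCATE ev;

    -- Keep Profiler's own chatter out (column 10 ApplicationName):
    -- logical_operator 0 = AND, comparison_operator 7 = NOT LIKE.
    EXEC sp_trace_setfilter @traceid, 10, 0, 7, N'SQL Server Profiler%';

    EXEC sp_trace_setstatus @traceid, 1;   -- 1 = start
END;
GO
-- Mark it as a startup procedure so the audit trace is never "forgotten".
EXEC sp_procoption N'dbo.usp_StartSecurityTrace', 'startup', 'on';
GO
-- Reading the rollover files later (DEFAULT = all files in the set):
SELECT StartTime, LoginName, HostName, DatabaseName, ObjectName, TextData
FROM fn_trace_gettable(N'E:\SqlTraces\security_audit.trc', DEFAULT)
WHERE EventClass = 20;   -- failed logins only
```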
15. C2 Audit
    Versions available: 2000+
    Editions available: all
    What does it audit? Failed and successful attempts to access statements and objects.

16. C2 Audit
    Pros
    - Simple trace to set up (one checkbox)
    - Audits every action on every object within the SQL Server instance.
    - No audit, no SQL Server: SQL Server shuts down if it can't write audit information.
    Cons
    - Requires an instance restart to enable/disable.
    - Not configurable in terms of events, columns, filters or file size. It saves the audit trail in 200 MB files in the default data folder (any worse choice?), which can cause disk space problems

17. C2 Audit
    How to create (or check the option in Server Properties):
        EXEC sp_configure 'c2 audit mode', 1
        GO
        RECONFIGURE

18. C2 Audit
    Performance overhead: like SQL Trace (with 40 audit events, 45 columns and no filters)
19. Common Criteria Compliance
    Versions available: 2005 SP2+
    Editions available: Enterprise only
    What does it do? Enables elements that are required for the Common Criteria.

20. Common Criteria Compliance

21. Common Criteria Compliance
    How to create (or check the option in Server Properties):
        EXEC sp_configure 'common criteria compliance enabled', 1
        GO
        RECONFIGURE
    Also requires running a script that finishes configuring SQL Server to comply with Common Criteria Evaluation Assurance Level 4+ (EAL4+)

22. Common Criteria Compliance
    Performance overhead: not tested.
23. SQL Audit
    Versions available: 2008
    Editions available: Enterprise only
    What does it audit?
    - User actions (who read, who wrote, who altered)
    - Unlike SQL Trace, SQL Audit is meant to provide full auditing capabilities, and only auditing capabilities

24. SQL Audit
    How does it work?
    - SQL Server Audit is a brand-new audit mechanism.
    - Different sets of events for server scope and database scope.
    - Based on Extended Events
    - Tightly bound to the DBMS engine: implemented by hooking the internal permission checks
    - Can output to: file, Windows Application Log, Windows Security Log
    - Can be synchronous or asynchronous (default)

25. SQL Audit
    Sample event groups:
    Server scope:
    - SUCCESSFUL_LOGIN_GROUP
    - FAILED_LOGIN_GROUP
    - LOGIN_CHANGE_PASSWORD_GROUP
    - DBCC_GROUP
    Database scope:
    - SCHEMA_OBJECT_CHANGE_GROUP
    - DATABASE_OWNERSHIP_CHANGE_GROUP
    - DATABASE_PERMISSION_CHANGE_GROUP

26. SQL Audit
    Pros
    - A one-stop mechanism to get tons of security-related information.
    - Captures things that can't be captured otherwise (DBCC, create/alter trace, backup/restore)
    - Easy to set up; filter at any granularity of objects, actions and users.
    - Performs even better than a trace
    - Actions are ALWAYS audited (even if the transaction was rolled back)
    - Many output options; can be combined with System Center Operations Manager (formerly known as MOM)
    - Can be configured to shut down the server if it fails to audit.
    Cons
    - Data changes are not collected
    - Audit data is saved to a .sqlaudit file or the event log, not to a table.

27. SQL Audit
    How to create:
        USE master;
        CREATE SERVER AUDIT audit1 TO FILE (FILEPATH = 'rvadt');
        GO
        USE hr_db;
        CREATE DATABASE AUDIT SPECIFICATION hr_dbspec FOR SERVER AUDIT audit1
            ADD (SELECT, UPDATE, INSERT, DELETE ON hr.salary BY dbo);
        GO
        -- and enable the audit & audit specification
        ALTER DATABASE AUDIT SPECIFICATION hr_dbspec WITH (STATE = ON);
        USE master;
        ALTER SERVER AUDIT audit1 WITH (STATE = ON);

28. SQL Audit
    How to read:
        SELECT * FROM fn_get_audit_file('E:\SqlAudits\*', default, default)

29. SQL Audit
    Performance overhead: lower than Profiler!
    http://msdn.microsoft.com/en-us/library/dd392015.aspx

30. SQL Audit
    Tips:
    - It's disabled by default; don't forget to enable it after you set it up.
    - Just like with DCL statements, we can use database or schema scopes. For example:
        SELECT ON DATABASE::MyDB
        UPDATE ON SCHEMA::HR
    - Can output to the Application/Security log (look for event ID 33205)
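An added example (not from the slides) that puts slides 24 to 30 together: a file-target server audit with the "shut down if it can't audit" option, a server-scope specification using the slide 25 groups, a database-scope specification using the schema scope from slide 30, and a read-back query that picks out failed actions and writes to the salary table. The audit name, the hr_db database, the hr schema and the E:\SqlAudits\ path are assumptions.

```sql
USE master;
GO
CREATE SERVER AUDIT audit_hr
    TO FILE (FILEPATH = N'E:\SqlAudits\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000,        -- asynchronous (default); 0 = synchronous
          ON_FAILURE = SHUTDOWN);     -- "no audit, no SQL Server" (slide 26); needs SHUTDOWN permission
GO
-- Server scope: who fails to log in, who changes passwords, who runs DBCC.
CREATE SERVER AUDIT SPECIFICATION audit_hr_server
    FOR SERVER AUDIT audit_hr
    ADD (FAILED_LOGIN_GROUP),
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),
    ADD (DBCC_GROUP)
    WITH (STATE = ON);
GO
USE hr_db;   -- assumed database
GO
-- Database scope: any read of the HR schema by anyone (public covers every
-- database user), any write to hr.salary, and every schema change.
CREATE DATABASE AUDIT SPECIFICATION audit_hr_db
    FOR SERVER AUDIT audit_hr
    ADD (SELECT ON SCHEMA::hr BY public),
    ADD (UPDATE, INSERT, DELETE ON OBJECT::hr.salary BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Disabled by default (slide 30): turn the server audit on last.
USE master;
GO
ALTER SERVER AUDIT audit_hr WITH (STATE = ON);
GO
-- Read back: failed actions (succeeded = 0) and writes to hr.salary
-- (action_id IN = insert, UP = update, DL = delete), newest first.
-- The wildcard reads every rollover file in the folder.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, schema_name, object_name, statement
FROM sys.fn_get_audit_file(N'E:\SqlAudits\*', DEFAULT, DEFAULT)
WHERE succeeded = 0
   OR (object_name = N'salary' AND action_id IN ('IN', 'UP', 'DL'))
ORDER BY event_time DESC;
```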
31. DDL Triggers
    Versions available: 2005+ (logon triggers in 2005 SP2+)
    Editions available: all
    What does it audit? Tracks object changes at server, database and schema level, plus login events

32. DDL Triggers
    Pros
    - Useful for auditing, but can also be used to act on DDL statements (i.e. ROLLBACK)
    - Can have lots of logic within it (we write all the code)
    Cons
    - Transaction bound (if the change is done within a transaction, the audit can be rolled back as well)
    - Requires code and object generation.
    - The tracking table (if one exists) needs to be managed.

33. DDL Triggers
    How to create, prerequisites
    - Logon triggers require 2005 SP2+
    - Use the EVENTDATA() function to get information about the event
        CREATE TRIGGER [name]
        ON { DATABASE | ALL SERVER }
        FOR { event_type | event_group, e.g. DDL_DATABASE_LEVEL_EVENTS }
        AS ...

34. DDL Triggers
    Performance overhead: slightly higher than trace; depends on the statements inside the trigger.
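An added example (not from the slides) of the slide 32 and 33 points in one trigger: EVENTDATA() is shredded into a tracking table, and a ROLLBACK is used to act on one event type. The hr_db database, the dbo.ddl_audit table and the 02:00-04:00 maintenance window are assumptions.

```sql
USE hr_db;   -- assumed database
GO
CREATE TABLE dbo.ddl_audit (
    audit_id     INT IDENTITY PRIMARY KEY,
    event_time   DATETIME2     NOT NULL,
    event_type   SYSNAME       NOT NULL,
    login_name   SYSNAME       NOT NULL,
    user_name    SYSNAME       NOT NULL,
    object_name  NVARCHAR(260) NULL,
    tsql_command NVARCHAR(MAX) NULL,
    event_xml    XML           NOT NULL   -- keep the raw event for forensics
);
GO
CREATE TRIGGER trg_ddl_audit
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e XML = EVENTDATA();
    DECLARE @event_type SYSNAME = @e.value('(/EVENT_INSTANCE/EventType)[1]', 'sysname');
    DECLARE @blocked BIT = 0;

    -- Act on the event (slide 32): refuse table drops outside an assumed
    -- 02:00-04:00 maintenance window. ROLLBACK undoes the DDL; the statements
    -- that follow run outside that transaction, so the audit row survives.
    IF @event_type = N'DROP_TABLE' AND DATEPART(HOUR, SYSDATETIME()) NOT BETWEEN 2 AND 3
    BEGIN
        SET @blocked = 1;
        ROLLBACK;
    END

    INSERT dbo.ddl_audit (event_time, event_type, login_name, user_name,
                          object_name, tsql_command, event_xml)
    SELECT @e.value('(/EVENT_INSTANCE/PostTime)[1]', 'datetime2'),
           @event_type + CASE WHEN @blocked = 1 THEN N' (BLOCKED)' ELSE N'' END,
           @e.value('(/EVENT_INSTANCE/LoginName)[1]', 'sysname'),
           @e.value('(/EVENT_INSTANCE/UserName)[1]', 'sysname'),
           @e.value('(/EVENT_INSTANCE/SchemaName)[1]', 'sysname') + N'.'
             + @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'sysname'),
           @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
           @e;

    -- For a DDL that is not blocked the audit row shares the statement's
    -- transaction: if the caller rolls back, the audit row goes too (slide 32 cons).
    IF @blocked = 1
        RAISERROR (N'DROP TABLE is only allowed in the maintenance window.', 16, 1);
END;
GO
```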
35. DML Triggers
    Versions available: any
    Editions available: all
    What does it audit? Data changes in a table, plus security information.

36. DML Triggers
    Pros
    - Useful for auditing, but can also be used to act on DML statements (i.e. ROLLBACK)
    - Can have lots of logic within it (we write all the code)
    - Can combine security information and data changes
    Cons
    - Transaction bound (the change is done within the transaction, so the audit can be rolled back as well; if the trigger fails, the transaction is doomed)
    - Requires code and object generation.
    - The tracking table (if one exists) needs to be managed.

37. DML Triggers
    How to create
    - Use the deleted and inserted tables to retrieve the changed data.
    - Use built-in functions like SUSER_SNAME() to get security information.
    - Use the UPDATE(column) function to check if a column changed, or COLUMNS_UPDATED() to check which columns have changed.
        CREATE TRIGGER [name] ON { table | view }
            [ WITH <dml_trigger_option> ]
            { FOR | AFTER | INSTEAD OF }
            { [ INSERT ] [,] [ UPDATE ] [,] [ DELETE ] }
        AS ...

38. DML Triggers
    Performance overhead: depends on the statements inside the trigger.
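An added example (not from the slides) of the slide 37 recipe on the hr.salary table used elsewhere in the deck: inserted and deleted are joined on the key, UPDATE(column) skips updates that never touched the audited column, and the security context comes from SUSER_SNAME() plus ORIGINAL_LOGIN(), so an impersonated session still shows who really connected. The table shape (emp_id, amount) and the hr.salary_audit table are assumptions.

```sql
USE hr_db;   -- assumed database
GO
CREATE TABLE hr.salary_audit (
    audit_id       INT IDENTITY PRIMARY KEY,
    emp_id         INT           NOT NULL,
    old_amount     DECIMAL(12,2) NULL,
    new_amount     DECIMAL(12,2) NULL,
    action         CHAR(1)       NOT NULL,   -- I / U / D
    changed_at     DATETIME2     NOT NULL DEFAULT SYSDATETIME(),
    login_name     SYSNAME       NOT NULL,   -- effective login (may be impersonated)
    original_login SYSNAME       NOT NULL,   -- login that actually connected
    host_name      SYSNAME       NULL,
    app_name       SYSNAME       NULL
);
GO
CREATE TRIGGER hr.trg_salary_audit
ON hr.salary
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    -- An UPDATE that does not touch the amount column gets no audit row
    -- (slide 37: UPDATE(column) tells us whether the column was in the SET list).
    IF EXISTS (SELECT 1 FROM inserted) AND EXISTS (SELECT 1 FROM deleted)
       AND NOT UPDATE(amount)
        RETURN;

    -- FULL OUTER JOIN covers all three cases: inserted is empty for a DELETE,
    -- deleted is empty for an INSERT, both are populated for an UPDATE.
    INSERT hr.salary_audit (emp_id, old_amount, new_amount, action,
                            login_name, original_login, host_name, app_name)
    SELECT COALESCE(i.emp_id, d.emp_id),
           d.amount,
           i.amount,
           CASE WHEN d.emp_id IS NULL THEN 'I'
                WHEN i.emp_id IS NULL THEN 'D'
                ELSE 'U' END,
           SUSER_SNAME(), ORIGINAL_LOGIN(), HOST_NAME(), APP_NAME()
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d ON d.emp_id = i.emp_id
    WHERE i.amount IS NULL OR d.amount IS NULL OR i.amount <> d.amount;
END;
GO
-- Constructed check: the first statement yields one 'U' row, the second none.
-- UPDATE hr.salary SET amount = amount * 1.05 WHERE emp_id = 42;
-- UPDATE hr.salary SET last_reviewed = SYSDATETIME() WHERE emp_id = 42;
-- SELECT * FROM hr.salary_audit;
```

Because the trigger runs inside the caller's transaction (slide 36 cons), a ROLLBACK by the caller removes the audit row along with the change; SQL Audit is the mechanism on this deck that records the attempt regardless.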
39. Change Tracking
    Versions available: 2008
    Editions available: all
    What does it audit? The fact that a certain row has changed, and by which action (insert, update or delete):
    - Which rows have changed in a user table?
    - Has a row changed?

40. Change Tracking
    How to create, prerequisites
    - Must be enabled on the database and then on the table
    - The table must have a primary key or a unique index.
    How does it work?
    - Synchronous: if a problem occurs in the change tracking, the transaction is rolled back.
    - Creates internal tables with columns that store the primary key value, the action performed (insert, update, delete), an optional columns-updated bitmap, and the version of the change.
    - A version number is maintained at database level.
    - Has a retention period after which the internal tables are cleaned up.
    - Built-in functions to retrieve changes and versions.

41. Change Tracking
    Performance overhead: more IO. The incremental performance overhead that is associated with using change tracking on a table is similar to the overhead incurred when an index is created for a table and needs to be maintained.

42. Change Tracking
    Pros
    - No need to develop complex procedures for tracking changes
    - Doesn't take a lot of disk space
    - Synchronous
    - Auto cleanup tasks
    Cons
    - Doesn't keep historical data
    - Doesn't keep security information
    - Usually used with snapshot isolation level, which causes performance to drop
    - Affects the system IO

43. Change Tracking
    Remarks
    - When change tracking is enabled, there are restrictions on the DDL that can be performed on a tracked table. The most notable restriction is that the primary key cannot be altered in any way.
    - Switching a partition fails if one or both of the tables has change tracking enabled.
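An added example (not from the slides) that walks slides 40 to 42: Change Tracking is enabled on the database and then on hr.salary, a version bookmark is taken, and CHANGETABLE is used to list which keys changed since that bookmark. What comes back is exactly what slide 42 says: key, operation, version and a column mask, but no old or new values and no login. The hr_db database, the table shape (emp_id, amount), the 3-day retention and the sample workload are constructed assumptions.

```sql
ALTER DATABASE hr_db
    SET CHANGE_TRACKING = ON (CHANGE_RETENTION = 3 DAYS, AUTO_CLEANUP = ON);
GO
USE hr_db;
GO
-- Requires a primary key or unique index on the table (slide 40).
ALTER TABLE hr.salary ENABLE CHANGE_TRACKING WITH (TRACK_COLUMNS_UPDATED = ON);
GO
-- A consumer remembers the database version it last synchronised to.
DECLARE @last_sync BIGINT = CHANGE_TRACKING_CURRENT_VERSION();

-- Constructed workload: one insert, one update of that row, one delete.
INSERT hr.salary (emp_id, amount) VALUES (9001, 5000.00);
UPDATE hr.salary SET amount = 5500.00 WHERE emp_id = 9001;
DELETE hr.salary WHERE emp_id = 9002;

-- A bookmark older than the retention window is unusable (auto cleanup,
-- slide 42): the consumer must re-read the whole table instead of deltas.
IF @last_sync < CHANGE_TRACKING_MIN_VALID_VERSION(OBJECT_ID('hr.salary'))
BEGIN
    RAISERROR (N'Bookmark expired, full resync required.', 16, 1);
    RETURN;
END

-- Net change per key since the bookmark (emp_id 9001 shows as a single 'I',
-- not an insert followed by an update: no history is kept), plus whether
-- the amount column was part of the change. Deleted keys have no match in
-- the base table, hence the LEFT JOIN.
SELECT ct.emp_id,
       ct.SYS_CHANGE_OPERATION AS op,          -- I / U / D
       ct.SYS_CHANGE_VERSION   AS version,
       CHANGE_TRACKING_IS_COLUMN_IN_MASK(
           COLUMNPROPERTY(OBJECT_ID('hr.salary'), 'amount', 'ColumnId'),
           ct.SYS_CHANGE_COLUMNS) AS amount_changed,
       s.amount AS current_amount
FROM CHANGETABLE(CHANGES hr.salary, @last_sync) AS ct
LEFT JOIN hr.salary AS s ON s.emp_id = ct.emp_id
ORDER BY ct.SYS_CHANGE_VERSION;
```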
44. Change Data Capture (CDC)
    Versions available: 2008
    Editions available: Enterprise only
    What does it audit? All the changes to all rows in a table, on specific columns.

45. CDC
    How does it work?
    - Asynchronous
    - Uses the log reader (like transactional replication)
    - Creates a schema and tables
    Performance overhead
    - A lot of disk space
    - More IO

46. CDC
    Pros
    - Asynchronous
    - Has the option to choose what to monitor.
    - Keeps data history
    - Has a cleaning mechanism
    Cons
    - A lot of disk space
    - More IO
    - Can cause log truncation problems

47. CDC vs. Change Tracking
    http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog
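An added example (not from the slides) for slides 44 to 47: CDC is enabled on hr.salary for a chosen column list, the change history is read back with LSN bounds, and the capture/cleanup job settings behind the "log truncation" and "disk space" cons are inspected. In contrast to Change Tracking, every intermediate value is returned. The hr_db database, the table shape (emp_id, amount), the role name and the capture instance name are assumptions.

```sql
USE hr_db;   -- assumed database
GO
EXEC sys.sp_cdc_enable_db;   -- creates the cdc schema, cdc user and metadata tables
GO
-- Capture only the columns that matter for the audit (slide 46: "choose what
-- to monitor"). CDC is asynchronous: the log reader populates the change
-- table, so it lags slightly behind the base table and needs SQL Server Agent.
EXEC sys.sp_cdc_enable_table
    @source_schema        = N'hr',
    @source_name          = N'salary',
    @role_name            = N'cdc_salary_readers',   -- gating role for cdc.fn_cdc_get_*_changes
    @capture_instance     = N'hr_salary',
    @captured_column_list = N'emp_id, amount',
    @supports_net_changes = 1;                       -- requires a PK or unique index
GO
-- Read every change in the valid LSN range. __$operation: 1 = delete,
-- 2 = insert, 3 = update (before image), 4 = update (after image); the
-- 'all update old' filter returns both update images.
DECLARE @from_lsn BINARY(10) = sys.fn_cdc_get_min_lsn(N'hr_salary');
DECLARE @to_lsn   BINARY(10) = sys.fn_cdc_get_max_lsn();

SELECT sys.fn_cdc_map_lsn_to_time(c.__$start_lsn) AS change_time,
       CASE c.__$operation
            WHEN 1 THEN 'DELETE'
            WHEN 2 THEN 'INSERT'
            WHEN 3 THEN 'UPDATE (before)'
            WHEN 4 THEN 'UPDATE (after)'
       END AS operation,
       c.emp_id, c.amount
FROM cdc.fn_cdc_get_all_changes_hr_salary(@from_lsn, @to_lsn, N'all update old') AS c
ORDER BY c.__$start_lsn, c.__$seqval, c.__$operation;
GO
-- Housekeeping behind the slide 46 cons: the cleanup job's retention is in
-- minutes (default 3 days), and the capture job must keep up with the log,
-- otherwise the log cannot be truncated.
SELECT job_type, retention, threshold, maxtrans, maxscans, pollinginterval
FROM msdb.dbo.cdc_jobs;
```

Note that, like Change Tracking, the change table rows carry no login information; combining CDC with SQL Audit or a DML trigger is what gives "who" next to "what".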
48. Audit Tools in SQL - Summary

49. Audit Tools in SQL - Summary
    What about...
    - Archive and retention of audit data
    - Reporting
    - Alerting
    - Threshold definition (alert only after 10 failed logins in 5 minutes)
    - Aggregations
    - Auditing the auditor

50. Idera Compliance Manager
    Examples

51. References
    - Auditing in SQL Server 2008 - http://msdn.microsoft.com/en-us/library/dd392015.aspx
    - SQL Server 2008 Improves Auditing, Change Tracking - http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/11nov/1108ss2iac.htm
    - Tracking Changes in Your Enterprise Database, by Paul S. Randal - http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog
    - SQL Server 2005 Security Overview for Database Administrators - http://www.microsoft.com/sqlserver/2008/en/us/wp-sql-2008-security.aspx
    - SQL Server 2005 Security Best Practices white paper - http://www.microsoft.com/sqlserver/2005/en/us/white-papers.aspx
    - SQL Server 2008 Compliance Guide - http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1021DD-65B9-41C2-8385-438028F5ACC2&displaylang=en
