A Comparative Analysis of Auditing Solutions in SQL Server


Published in: Technology
  • Thanks for sharing this informative SlideShare! In my environment, to audit SQL Server changes, I use LepideAuditor for SQL Server ( ). It helps me to track all critical changes, even at a granular level, with real-time auditing.
  1. A Comparative Analysis of Auditing Solutions in SQL Server, or How the Hell Can I Tell Who's Messing With My Data
  2. Audit
     A methodical examination or review of a condition or situation.
  3. Compliance
     Acting according to certain accepted standards; monitoring the extent of compliance with the standards and ethical codes at either an agency or sector level.
  4. Compliance (slide contains only a figure)
  5. Auditing in SQL Server
     - User actions: data changes, data reads, schema changes
     - Security events: logins, server security activities
  6. Audit Solutions Timeline (slide contains only a figure)
  7. Agenda
     - Schema changes and security audit: SQL Trace, SQL Audit, DDL triggers (and logon triggers)
     - Data changes audit: DML triggers, Change Tracking, Change Data Capture (CDC)
     - Third-party tools: Idera SQL Compliance Manager
  8. SQL Trace
     Versions available: 6.x+ (Profiler since 7.0)
     Editions available: all (Profiler is not available in Express Edition)
     What does it audit? User actions (who read, who wrote, who altered), and most of the events we could dream of: object access and management in any scope, security changes and events, logins, in addition to everything needed for debugging, monitoring and performance tuning.
  9. SQL Trace
     Pros
     - A one-stop mechanism to get lots of security-related information.
     - No objects have to be altered or created.
     - Until SQL Server 2008 (which added SQL Audit), the only way to capture DBCC, CREATE/ALTER TRACE and BACKUP/RESTORE.
     - Actions are ALWAYS audited, even if the transaction was rolled back.
     Cons
     - Data changes are not collected (they can be collected with user-defined events, but that requires triggers and is complex to work out).
     - Harder to filter and analyze for the relevant events.
     - The sp_trace_* syntax is complicated, and without Profiler it is harder to see what is actually being audited.
     - Nothing guarantees that the trace runs when the server starts; we must take care of that ourselves (a startup procedure or an Agent job).
  10. SQL Trace
     How to create: see Yaniv Etrogi's UG 87 session.
     How does it work? Based on internal trace events.
  11. SQL Trace
     Performance overhead: minimal when not consumed by Profiler (measured with 5 events, only Profiler filtered out; slide shows a chart).
  12. SQL Trace
     Interesting events to look for (security):
     - Audit Schema Object Access
     - Audit Schema Object Management
     - Audit Schema Object GDR
     - Audit Schema Object Take Ownership
     - Audit Login Failed
  13. SQL Trace
     Default trace: file growth and shrink, mirroring state change, errors and warnings, full-text crawl start/stop/abort, object create/alter/drop, 17 audit events, server memory change; 5 rollover files of 20 MB each.
  14. SQL Trace
     Blackbox trace: 5 MB files (size and rollover file count can be overridden after setup), saved to the default data folder. Traces RPC:Starting, SQL:BatchStarting, Exception and Attention (timeouts); no filters, no event/column configuration.
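Slides 9, 10 and 12 describe the sp_trace_* procedures, the security events worth collecting and the need for a startup procedure. The T-SQL below is an added example, not code from the deck or its author: it creates a rollover-file trace of the five audit events from slide 12 with the columns an investigator needs, filters Profiler out as slide 11 does, registers the procedure to run at every instance start, and reads the files back. The path D:\Audit\sec_trace, the file sizes and the procedure name are assumptions.

```sql
-- Added example (not from the deck). Path, file sizes and procedure name are assumed.
USE master;
GO
CREATE PROCEDURE dbo.usp_start_security_trace
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @rc int, @TraceID int, @on bit = 1;
    DECLARE @maxfilesize bigint = 50;     -- MB per file before rollover

    -- Option 2 = TRACE_FILE_ROLLOVER; no stop time; keep at most 10 files.
    EXEC @rc = sp_trace_create @TraceID OUTPUT, 2, N'D:\Audit\sec_trace',
                               @maxfilesize, NULL, 10;
    IF @rc <> 0 RETURN @rc;

    -- Events (ids from sys.trace_events): 20 Audit Login Failed,
    -- 103 Audit Schema Object GDR, 114 Audit Schema Object Access,
    -- 131 Audit Schema Object Management, 153 Audit Schema Object Take Ownership.
    -- Columns (ids from sys.trace_columns): 1 TextData, 6 NTUserName, 7 HostName,
    -- 9 ApplicationName, 10 LoginName, 11 SPID, 14 StartTime, 23 Success,
    -- 34 ObjectName, 35 DatabaseName.
    -- sp_trace_setevent takes one event/column pair per call, so iterate over
    -- the pairs that are actually valid for each event (sys.trace_event_bindings).
    DECLARE @e int, @c int;
    DECLARE pairs CURSOR LOCAL FAST_FORWARD FOR
        SELECT b.trace_event_id, b.trace_column_id
        FROM sys.trace_event_bindings AS b
        WHERE b.trace_event_id  IN (20, 103, 114, 131, 153)
          AND b.trace_column_id IN (1, 6, 7, 9, 10, 11, 14, 23, 34, 35);
    OPEN pairs;
    FETCH NEXT FROM pairs INTO @e, @c;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        EXEC sp_trace_setevent @TraceID, @e, @c, @on;
        FETCH NEXT FROM pairs INTO @e, @c;
    END
    CLOSE pairs;
    DEALLOCATE pairs;

    -- Filter Profiler itself out: column 9 (ApplicationName), AND (0), NOT LIKE (7).
    EXEC sp_trace_setfilter @TraceID, 9, 0, 7, N'SQL Server Profiler';

    -- Status 1 = start the trace.
    EXEC sp_trace_setstatus @TraceID, 1;
    RETURN 0;
END
GO

-- Re-create the trace every time the instance starts (the last con on slide 9).
EXEC sp_procoption @ProcName = N'usp_start_security_trace',
                   @OptionName = 'startup', @OptionValue = 'on';
GO
-- Start it now as well.
EXEC dbo.usp_start_security_trace;
GO

-- Reading the trail: failed logins and schema object management in the last day.
-- fn_trace_gettable follows the rollover files from the base file name.
SELECT t.StartTime, t.LoginName, t.HostName, t.ApplicationName,
       t.DatabaseName, t.ObjectName, t.TextData
FROM sys.fn_trace_gettable(N'D:\Audit\sec_trace.trc', DEFAULT) AS t
WHERE t.EventClass IN (20, 131)
  AND t.StartTime > DATEADD(hour, -24, GETDATE())
ORDER BY t.StartTime;
```

The service account needs write access to the trace folder, and the procedure must live in master and be owned by dbo for sp_procoption to accept it. Because the trace writes to files rather than to a Profiler rowset, the overhead is the "minimal" case from slide 11.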
  15. C2 Audit
     Versions available: 2000+
     Editions available: all
     What does it audit? Failed and successful attempts to access statements and objects.
  16. C2 Audit
     Pros
     - Simple trace to set up (one checkbox).
     - Audits every action on every object within the SQL Server instance.
     - No audit, no SQL Server: the instance shuts down if it cannot write audit information.
     Cons
     - Requires an instance restart to enable or disable.
     - Not configurable in terms of events, columns, filters or file size. It saves the audit trail in 200 MB files in the default data folder (hardly the best choice), which can cause disk space problems.
  17. C2 Audit
     How to create (or check the option in Server Properties):
        -- 'c2 audit mode' is an advanced option, so expose it first
        EXEC sp_configure 'show advanced options', 1;
        RECONFIGURE;
        EXEC sp_configure 'c2 audit mode', 1;
        RECONFIGURE;
        -- takes effect only after the instance is restarted
  18. C2 Audit
     Performance overhead: like a SQL trace with 40 audit events, 45 columns and no filters.
  19. Common Criteria Compliance
     Versions available: 2005 SP2+
     Editions available: Enterprise only
     What does it do? Enables the elements required for Common Criteria: residual information protection (memory is overwritten before it is reused), the ability to view login statistics, and a column-level GRANT no longer overriding a table-level DENY.
  20. Common Criteria Compliance (slide contains only a figure)
  21. Common Criteria Compliance
     How to create (or check the option in Server Properties):
        -- an advanced option, so expose it first
        EXEC sp_configure 'show advanced options', 1;
        RECONFIGURE;
        EXEC sp_configure 'common criteria compliance enabled', 1;
        RECONFIGURE;
        -- takes effect only after the instance is restarted
     Also requires running a script that finishes configuring SQL Server to comply with Common Criteria Evaluation Assurance Level 4+ (EAL4+).
  22. Common Criteria Compliance
     Performance overhead: not tested.
  23. SQL Audit
     Versions available: 2008+
     Editions available: Enterprise only (as of this deck; since SQL Server 2012 server-level audit is available in every edition, and since 2016 SP1 all audit features are)
     What does it audit? User actions (who read, who wrote, who altered). Unlike SQL Trace, SQL Audit is meant to provide full auditing capabilities, and only auditing capabilities.
  24. SQL Audit
     How does it work?
     - SQL Server Audit is a brand new audit mechanism.
     - Different sets of events for server scope and database scope.
     - Based on Extended Events.
     - Tightly bound to the database engine: implemented by hooking the internal permission checks.
     - Can output to a file, the Windows Application log or the Windows Security log.
     - Can be synchronous or asynchronous (the default).
  26. SQL Audit
     Pros
     - A one-stop mechanism to get lots of security-related information.
     - Captures things that cannot be captured otherwise (DBCC, CREATE/ALTER TRACE, BACKUP/RESTORE).
     - Easy to set up; filters at any granularity of objects, actions and users.
     - Performs even better than a trace.
     - Actions are ALWAYS audited, even if the transaction was rolled back.
     - Many output options; can be combined with System Center Operations Manager (formerly MOM).
     - Can be configured to shut down the server if it fails to audit.
     Cons
     - Data changes are not collected.
     - Audit data is saved to a .sqlaudit file or the event log, not to a table.
  27. SQL Audit
     How to create
        USE master;
        CREATE SERVER AUDIT audit1 TO FILE (FILEPATH = 'rvadt');
        GO
        USE hr_db;
        CREATE DATABASE AUDIT SPECIFICATION hr_dbspec FOR SERVER AUDIT audit1
            ADD (SELECT, UPDATE, INSERT, DELETE ON hr.salary BY dbo);
        GO
        -- both are created disabled: enable the specification, then the audit
        ALTER DATABASE AUDIT SPECIFICATION hr_dbspec WITH (STATE = ON);
        USE master;
        ALTER SERVER AUDIT audit1 WITH (STATE = ON);
  28. SQL Audit
     How to read
        SELECT * FROM sys.fn_get_audit_file('E:\SqlAudits\*', DEFAULT, DEFAULT);
  29. SQL Audit
     Performance overhead: lower than Profiler! (slide shows a chart)
  30. SQL Audit
     Tips
     - It is disabled by default; do not forget to enable it after you set it up.
     - Just like with DCL statements, we can use database or schema scopes, for example SELECT ON DATABASE::MyDB or UPDATE ON SCHEMA::HR.
     - Can output to the Application or Security log (look for event ID 33205).
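Slides 24 to 30 cover the audit object, its server- and database-scoped specifications, the shutdown-on-failure option and reading the files back, and slide 49 asks about auditing the auditor. The T-SQL below is an added example, not the deck's own code: one audit with a rollover file target and ON_FAILURE = SHUTDOWN, a server specification for failed logins, permission and role changes and changes to the audit configuration itself, and a database specification on the deck's hr.salary table. The audit names, the path E:\SqlAudits\, the sizes and the role name public are assumptions.

```sql
-- Added example (not from the deck). Names, path and sizes are assumed.
USE master;
GO
-- Asynchronous with a 1 s queue; if the file cannot be written the instance stops.
-- To write to the event log instead, replace the TO FILE (...) clause with
-- TO APPLICATION_LOG (event ID 33205, slide 30).
CREATE SERVER AUDIT SecAudit
TO FILE (FILEPATH = N'E:\SqlAudits\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
-- Server scope: logins, server-level security changes, and changes to the
-- audit configuration itself (AUDIT_CHANGE_GROUP answers "audit the auditor").
CREATE SERVER AUDIT SPECIFICATION SecAuditServerSpec
FOR SERVER AUDIT SecAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_OBJECT_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- Database scope: every read or write of the salary table by anyone,
-- plus all schema changes in the database.
USE hr_db;
GO
CREATE DATABASE AUDIT SPECIFICATION HrDbSpec
FOR SERVER AUDIT SecAudit
    ADD (SELECT, UPDATE, INSERT, DELETE ON OBJECT::hr.salary BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- The audit object itself is created disabled.
USE master;
ALTER SERVER AUDIT SecAudit WITH (STATE = ON);
GO

-- Reading: who failed to log in, and who touched hr.salary, newest first.
-- action_id values come from sys.dm_audit_actions (LGIF = login failed,
-- SL/UP/IN/DL = select/update/insert/delete).
SELECT f.event_time, f.action_id, f.succeeded, f.server_principal_name,
       f.database_name, f.schema_name, f.object_name, f.statement
FROM sys.fn_get_audit_file(N'E:\SqlAudits\*', DEFAULT, DEFAULT) AS f
WHERE f.action_id IN ('LGIF', 'SL', 'UP', 'IN', 'DL')
ORDER BY f.event_time DESC;
```

Changing any of these objects later requires setting it to STATE = OFF first; with AUDIT_CHANGE_GROUP in place, that ALTER is itself written to the trail before the audit stops.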
  31. DDL Triggers
     Versions available: 2005+ (logon triggers in 2005 SP2+)
     Editions available: all
     What does it audit? Object changes at server, database and schema level, plus login events.
  32. DDL Triggers
     Pros
     - Useful for auditing, but can also act on the DDL statement (e.g. ROLLBACK).
     - Can hold lots of logic (we write all the code).
     Cons
     - Transaction bound: if the change is made within a transaction, the audit row can be rolled back as well.
     - Requires writing code and creating objects.
     - The tracking table (if there is one) needs to be managed.
  33. DDL Triggers
     How to create, prerequisites
     - Logon triggers require 2005 SP2+.
     - Use the EVENTDATA() function to get the details of the event.
        CREATE TRIGGER name
        ON { DATABASE | ALL SERVER }
        FOR event_type_or_group    -- e.g. DDL_DATABASE_LEVEL_EVENTS
        AS ...
  34. DDL Triggers
     Performance overhead: slightly higher than a trace; depends on the statements inside the trigger.
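Slides 31 to 33 describe DDL and logon triggers, EVENTDATA() and the "transaction bound" con. The T-SQL below is an added example, not the deck's own code: a database-scoped DDL trigger that records every DDL event and blocks DROP TABLE for non-sysadmins, and a logon trigger that records connections. It shows the workaround for the con on slide 32: a ROLLBACK inside a trigger ends the caller's transaction but the trigger keeps running, so an audit row written after the ROLLBACK survives it. The audit tables, trigger names and the policy are assumptions.

```sql
-- Added example (not from the deck). Table, trigger names and policy are assumed.
USE hr_db;
GO
CREATE TABLE dbo.ddl_audit (
    id          int IDENTITY(1,1) PRIMARY KEY,
    event_time  datetime2(0) NOT NULL DEFAULT SYSUTCDATETIME(),
    login_name  sysname NOT NULL,
    host_name   sysname NULL,
    event_type  sysname NOT NULL,
    object_name sysname NULL,
    tsql        nvarchar(max) NULL,
    event_data  xml NOT NULL,
    blocked     bit NOT NULL DEFAULT 0
);
GO
CREATE TRIGGER trg_ddl_audit
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @d xml = EVENTDATA();
    DECLARE @event_type sysname = @d.value('(/EVENT_INSTANCE/EventType)[1]', 'sysname');
    DECLARE @blocked bit = 0;

    -- Enforcement, not only audit: DROP TABLE is allowed to sysadmins only.
    IF @event_type = 'DROP_TABLE' AND ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0) = 0
    BEGIN
        SET @blocked = 1;
        -- Ends the caller's transaction. The trigger continues, so the INSERT
        -- below runs outside that transaction and is not rolled back with it.
        ROLLBACK;
    END

    INSERT dbo.ddl_audit (login_name, host_name, event_type, object_name, tsql, event_data, blocked)
    VALUES (ORIGINAL_LOGIN(),           -- the real login, even under impersonation
            HOST_NAME(),
            @event_type,
            @d.value('(/EVENT_INSTANCE/ObjectName)[1]', 'sysname'),
            @d.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
            @d,
            @blocked);

    IF @blocked = 1
        RAISERROR('DROP TABLE is restricted to sysadmins in this database; the attempt was logged.', 16, 1);
END
GO

-- Logon trigger (slide 31): one row per connection, kept in master.
USE master;
GO
CREATE TABLE dbo.logon_audit (
    id          int IDENTITY(1,1) PRIMARY KEY,
    event_time  datetime2(0) NOT NULL DEFAULT SYSUTCDATETIME(),
    login_name  sysname NOT NULL,
    client_host nvarchar(256) NULL,
    app_name    nvarchar(256) NULL
);
GO
-- EXECUTE AS gives the trigger the rights to insert regardless of who logs in.
CREATE TRIGGER trg_logon_audit
ON ALL SERVER WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
    DECLARE @d xml = EVENTDATA();
    INSERT master.dbo.logon_audit (login_name, client_host, app_name)
    VALUES (ORIGINAL_LOGIN(),
            @d.value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(256)'),
            APP_NAME());
END
GO
```

The DDL trigger runs with the caller's permissions, so every login that issues DDL needs INSERT on dbo.ddl_audit (grant it, or create the trigger WITH EXECUTE AS as the logon trigger does). A logon trigger that fails denies every login except through the Dedicated Administrator Connection, which is the only way to drop a broken one; test it on a non-production instance first.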
  35. DML Triggers
     Versions available: any
     Editions available: all
     What does it audit? Data changes in a table, together with security information.
  36. DML Triggers
     Pros
     - Useful for auditing, but can also act on the DML statement (e.g. ROLLBACK).
     - Can hold lots of logic (we write all the code).
     - Can combine security information with the data changes.
     Cons
     - Transaction bound: if the change is made within a transaction, the audit row can be rolled back as well, and if the trigger fails the transaction is doomed.
     - Requires writing code and creating objects.
     - The tracking table (if there is one) needs to be managed.
  37. DML Triggers
     How to create
     - Use the deleted and inserted tables to retrieve the changed data.
     - Use built-in functions like SUSER_SNAME() to get security information.
     - Use the UPDATE(column) function to check whether a column changed, or COLUMNS_UPDATED() to check which columns have changed.
        CREATE TRIGGER name ON { table | view }
            [ WITH <dml_trigger_option> ]
            { FOR | AFTER | INSTEAD OF }
            { [ INSERT ] [,] [ UPDATE ] [,] [ DELETE ] }
        AS ...
  38. DML Triggers
     Performance overhead: depends on the statements inside the trigger.
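Slides 35 to 37 describe DML triggers built on inserted, deleted, SUSER_SNAME() and UPDATE(column). The T-SQL below is an added example, not the deck's own code: an audit trigger on the deck's hr.salary table that records old and new values together with who, when, from where and from which application, skips updates that do not touch the amount, and then demonstrates the con from slide 36 by rolling a change back. The table layout (emp_id, amount, modified), the audit table and the trigger name are assumptions.

```sql
-- Added example (not from the deck). Table layout and names are assumed.
USE hr_db;
GO
CREATE TABLE hr.salary (
    emp_id   int PRIMARY KEY,
    amount   money NOT NULL,
    modified datetime2(0) NULL
);
CREATE TABLE hr.salary_audit (
    audit_id   bigint IDENTITY(1,1) PRIMARY KEY,
    action     char(1) NOT NULL,          -- I, U or D
    emp_id     int NOT NULL,
    old_amount money NULL,
    new_amount money NULL,
    changed_by sysname NOT NULL,          -- SUSER_SNAME(): the login
    changed_at datetime2(0) NOT NULL,
    host_name  sysname NULL,
    app_name   nvarchar(128) NULL
);
GO
CREATE TRIGGER hr.trg_salary_audit
ON hr.salary
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    -- An UPDATE that does not mention the amount (e.g. only 'modified') is not
    -- worth a row. UPDATE(column) answers "was this column in the SET list?".
    IF EXISTS (SELECT 1 FROM inserted) AND EXISTS (SELECT 1 FROM deleted)
       AND NOT UPDATE(amount)
        RETURN;

    -- inserted holds the new rows (INSERT/UPDATE), deleted the old ones
    -- (UPDATE/DELETE). A full outer join on the key classifies each row;
    -- a change of emp_id itself shows up as a delete plus an insert.
    INSERT hr.salary_audit
        (action, emp_id, old_amount, new_amount, changed_by, changed_at, host_name, app_name)
    SELECT CASE WHEN d.emp_id IS NULL THEN 'I'
                WHEN i.emp_id IS NULL THEN 'D'
                ELSE 'U' END,
           COALESCE(i.emp_id, d.emp_id),
           d.amount, i.amount,
           SUSER_SNAME(), SYSUTCDATETIME(), HOST_NAME(), APP_NAME()
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d ON i.emp_id = d.emp_id
    WHERE i.amount IS NULL OR d.amount IS NULL OR i.amount <> d.amount;  -- drop no-op updates
END
GO

-- Demo of the con on slide 36: the audit row lives in the caller's transaction.
INSERT hr.salary (emp_id, amount) VALUES (1, 5000);        -- audited as 'I'
BEGIN TRAN;
    UPDATE hr.salary SET amount = 9000 WHERE emp_id = 1;   -- audit row written here...
ROLLBACK;                                                  -- ...and discarded with the change
SELECT action, emp_id, old_amount, new_amount, changed_by
FROM hr.salary_audit;
```

The final SELECT returns only the 'I' row for emp_id 1: the attempted raise to 9000 left no trace, which is exactly what SQL Trace and SQL Audit (slides 9 and 26) would have caught. Anyone who can ALTER the table can also disable the trigger, so the trigger's own DDL should be covered by one of those mechanisms.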
  39. Change Tracking
     Versions available: 2008+
     Editions available: all
     What does it audit? The fact that a certain row has changed and by which action (insert, update or delete): which rows have changed in a user table? Has a given row changed?
  40. Change Tracking
     How to create, prerequisites
     - Must be enabled on the database and then on the table.
     - The table must have a primary key.
     How does it work?
     - Synchronous: if a problem occurs in change tracking, the transaction is rolled back.
     - Creates internal tables with columns for the primary key value, the action performed (insert, update, delete), an optional bitmap of the updated columns, and the version of the change.
     - The version is database-wide.
     - Has a retention period after which the internal tables are cleaned.
     - Built-in functions retrieve the changes and the versions.
  41. Change Tracking
     Performance overhead: more I/O. The incremental overhead of change tracking on a table is similar to the overhead of an index that has to be maintained on that table.
  42. Change Tracking
     Pros
     - No need to develop complex procedures to track changes.
     - Does not take a lot of disk space.
     - Synchronous.
     - Automatic cleanup tasks.
     Cons
     - Does not keep historical data.
     - Does not keep security information.
     - Usually used with snapshot isolation, which costs performance (version store in tempdb).
     - Affects the system I/O.
  43. Change Tracking
     Remarks
     - When change tracking is enabled, there are restrictions on the DDL that can be performed on the tracked table; most notably, the primary key cannot be altered in any way.
     - Switching a partition fails if one or both of the tables has change tracking enabled.
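Slides 40 to 42 describe enabling Change Tracking, the database-wide version, the retention cleanup and the use of snapshot isolation. The T-SQL below is an added example, not the deck's own code: it enables tracking on the deck's hr.salary table with the column bitmap, then runs the consumer loop a synchronization job would run, including the check that the retention cleanup has not already discarded the versions it needs. It assumes hr.salary (emp_id int PRIMARY KEY, amount money) exists in hr_db; the retention period and the consumer logic are assumptions.

```sql
-- Added example (not from the deck). Assumes hr.salary (emp_id int PRIMARY KEY,
-- amount money) in hr_db; retention period and consumer logic are assumed.
ALTER DATABASE hr_db SET ALLOW_SNAPSHOT_ISOLATION ON;
ALTER DATABASE hr_db
    SET CHANGE_TRACKING = ON (CHANGE_RETENTION = 7 DAYS, AUTO_CLEANUP = ON);
GO
USE hr_db;
GO
-- Table level; the updated-columns bitmap (SYS_CHANGE_COLUMNS) is kept only on request.
ALTER TABLE hr.salary ENABLE CHANGE_TRACKING WITH (TRACK_COLUMNS_UPDATED = ON);
GO

-- A consumer pulling everything since its last sync. In practice @last_sync is
-- persisted by the consumer; 0 means "everything since tracking was enabled".
DECLARE @last_sync  bigint = 0;
DECLARE @current    bigint;
DECLARE @salary_id  int = OBJECT_ID(N'hr.salary');
DECLARE @amount_col int = COLUMNPROPERTY(@salary_id, N'amount', 'ColumnId');

-- Snapshot isolation keeps the version read and the CHANGETABLE read consistent
-- with each other; the version store is the cost mentioned on slide 42.
SET TRANSACTION ISOLATION LEVEL SNAPSHOT;
BEGIN TRAN;
    SET @current = CHANGE_TRACKING_CURRENT_VERSION();

    -- If cleanup already discarded versions newer than @last_sync, an incremental
    -- sync would silently miss changes; demand a full reload instead.
    IF @last_sync < CHANGE_TRACKING_MIN_VALID_VERSION(@salary_id)
        RAISERROR('hr.salary change history no longer covers version %I64d; reload in full.',
                  16, 1, @last_sync);
    ELSE
        SELECT ct.emp_id,
               ct.SYS_CHANGE_OPERATION AS op,        -- I, U or D
               ct.SYS_CHANGE_VERSION   AS version,
               CASE WHEN ct.SYS_CHANGE_OPERATION = 'U'
                    THEN CHANGE_TRACKING_IS_COLUMN_IN_MASK(@amount_col, ct.SYS_CHANGE_COLUMNS)
               END AS amount_changed,
               s.amount                              -- current value; NULL after a delete
        FROM CHANGETABLE(CHANGES hr.salary, @last_sync) AS ct
        LEFT JOIN hr.salary AS s ON s.emp_id = ct.emp_id;
COMMIT;
-- On success the consumer stores @current as the next @last_sync.
```

Note what the result set does not contain: no old values, no intermediate versions and no login, only the latest state of each key and the kind of change, which is the "no history, no security information" con on slide 42.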
  44. Change Data Capture (CDC)
     Versions available: 2008+
     Editions available: Enterprise only (as of this deck; available in all editions since SQL Server 2016 SP1)
     What does it audit? All the changes to all rows in a table, for the chosen columns.
  45. CDC
     How does it work?
     - Asynchronous.
     - Uses the log reader (like transactional replication).
     - Creates the cdc schema and its tables.
     Performance overhead: a lot of disk space, more I/O.
  46. CDC
     Pros
     - Asynchronous.
     - We choose what to monitor.
     - Keeps data history.
     - Has a cleanup mechanism.
     Cons
     - A lot of disk space.
     - More I/O.
     - Can cause a log truncation problem (the log cannot be truncated until the capture job has read it).
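Slides 44 to 46 describe CDC: asynchronous capture through the log reader, a chosen column list, full history, a cleanup mechanism and the log truncation risk. The T-SQL below is an added example, not the deck's own code: it enables CDC on the deck's hr.salary table for two columns, reads the full change history and the net change per key over an LSN window, and shows the check for a log stuck behind the capture job. It assumes hr.salary (emp_id int PRIMARY KEY, amount money) in hr_db and a running SQL Server Agent (the capture and cleanup jobs are Agent jobs); the role name and the column list are assumptions.

```sql
-- Added example (not from the deck). Assumes hr.salary (emp_id int PRIMARY KEY,
-- amount money) in hr_db and a running SQL Server Agent; role and columns are assumed.
USE hr_db;
GO
EXEC sys.sp_cdc_enable_db;   -- creates the cdc schema, the cdc user and the metadata tables
GO
EXEC sys.sp_cdc_enable_table
     @source_schema        = N'hr',
     @source_name          = N'salary',
     @role_name            = N'cdc_salary_reader',  -- only members may query the changes
     @captured_column_list = N'emp_id, amount',     -- slide 44: chosen columns; the key is required
     @supports_net_changes = 1;                     -- needs the primary key
GO

-- Reading. The capture instance is named <schema>_<table> by default, and that
-- name is part of the generated query functions. fn_cdc_get_max_lsn() is the last
-- LSN the capture job has processed; if the job has not run yet it is still empty.
DECLARE @from binary(10) = sys.fn_cdc_get_min_lsn(N'hr_salary');
DECLARE @to   binary(10) = sys.fn_cdc_get_max_lsn();

-- Full history, with the before and after image of every update.
SELECT sys.fn_cdc_map_lsn_to_time(c.__$start_lsn) AS change_time,
       CASE c.__$operation
            WHEN 1 THEN 'delete'
            WHEN 2 THEN 'insert'
            WHEN 3 THEN 'update (before)'
            WHEN 4 THEN 'update (after)'
       END AS op,
       c.emp_id, c.amount
FROM cdc.fn_cdc_get_all_changes_hr_salary(@from, @to, N'all update old') AS c
ORDER BY c.__$start_lsn, c.__$seqval, c.__$operation;

-- Net result per key over the same window (one row per emp_id).
SELECT c.__$operation, c.emp_id, c.amount
FROM cdc.fn_cdc_get_net_changes_hr_salary(@from, @to, N'all') AS c;

-- The con on slide 46: until the capture job has read the log, the log cannot be
-- truncated. A database sitting on REPLICATION here has a capture job that is behind.
SELECT name, log_reuse_wait_desc
FROM sys.databases
WHERE name = N'hr_db';
```

As with Change Tracking, the change tables hold rows and LSNs but not the login that made the change; CDC is a data history mechanism, and the "who" still has to come from SQL Audit, a trace or a trigger.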
  47. CDC vs. Change Tracking (the slide's comparison table, rebuilt from slides 39 to 46)
     - Editions: Change Tracking in all editions; CDC Enterprise only.
     - Mode: Change Tracking is synchronous, inside the user's transaction; CDC is asynchronous, through the log reader.
     - What is kept: Change Tracking keeps only which rows changed and how (latest version, no history); CDC keeps the full row history for the chosen columns.
     - Security information: neither records who made the change.
     - Cost: Change Tracking needs little disk space with index-like I/O and a version store when used with snapshot isolation; CDC needs a lot of disk space, more I/O, and can hold up log truncation.
     - Cleanup: both have automatic retention-based cleanup.
  48. Audit Tools in SQL - Summary (the slide's table, rebuilt from the preceding slides)
     Solution                     Since       Editions     Captures
     SQL Trace                    6.x         all          user actions, object access/management, security events, logins; no data changes
     C2 Audit                     2000        all          every statement and object access attempt; 200 MB files; instance stops if it cannot write
     Common Criteria Compliance   2005 SP2    Enterprise   enables the Common Criteria elements; not an audit trail by itself
     SQL Audit                    2008        Enterprise   user actions and security events to file or event log, filterable per object, action and user; no data changes
     DDL / logon triggers         2005 (SP2)  all          object changes and logins; transaction bound
     DML triggers                 any         all          data changes plus security information; transaction bound
     Change Tracking              2008        all          which rows changed and how; no history, no security information
     CDC                          2008        Enterprise   full row history for the chosen columns; asynchronous
  49. Audit Tools in SQL - Summary
     What about...
     - Archiving and retention of audit data
     - Reporting
     - Alerting
     - Threshold definition (alert only after 10 failed logins in 5 minutes)
     - Aggregations
     - Auditing the auditor
  50. Idera Compliance Manager: examples (slide contains only figures)
  51. References
     - Auditing in SQL Server 2008
     - SQL Server 2008 Improves Auditing, Change Tracking
     - Tracking Changes in Your Enterprise Database, Paul S. Randal
     - SQL Server 2005 Security Overview for Database Administrators
     - SQL Server 2005 Security Best Practices white paper
     - SQL Server 2008 Compliance Guide