Auditing Data Access in SQL Server
29th SQL Night - Oct 1st, 2016
Presenter Info
1982 I started working with computers.
1988 I started my professional career in the computer industry.
1996 I started working with SQL Server 6.0.
1998 I earned my first certification at Microsoft as Microsoft Certified Solution Developer (3rd in Greece).
I started my career as Microsoft Certified Trainer (MCT) with more than 25.000 hours of training until now!
2010 I became a Microsoft MVP on SQL Server for the first time.
I created the SQL School Greece www.sqlschool.gr
2012 I became MCT Regional Lead by Microsoft Learning Program.
2013 I was certified as MCSE: Data Platform & Business Intelligence.
Antonios Chatzipavlis
Database Architect, SQL Server Evangelist
MCT, MCSE, MCITP, MCPD, MCSD, MCDBA, MCSA, MCTS, MCAD, MCP, OCA, ITIL-F
Follow us in social media
@antoniosch / @sqlschool
fb/sqlschoolgr
yt/c/SqlschoolGr
SQL School Greece group
Community News
Join and Learn
Stay Involved
Sign up for a free membership today at sqlpass.org.
Linked In: http://www.sqlpass.org/linkedin
Facebook: http://www.sqlpass.org/facebook
Twitter: @SQLPASS
PASS: http://www.sqlpass.org
Presentation Content
Auditing Data Access, why?
Use Common Criteria for auditing
Use SQL Trace for auditing
Use DML Triggers for auditing
Use Temporal tables for auditing
Implementing SQL Server Audit
Managing SQL Server Audit
Auditing Data Access, why?
Why is auditing required?
What methods have you used for auditing?
What are the limitations of the methods you have used?
Which standards that require auditing does your organization need to comply with?
Audit Data Access, why?
Questions
Use Common Criteria for auditing
Ratified as an international standard by more than 20 nations in 1999.
Supersedes C2 rating
ISO standard 15408
Common Criteria Auditing
Common Criteria Compliance
Common Criteria compliance enabled option
Available in Enterprise Edition
Additional script must be run to comply with Common Criteria Evaluation Assurance Level 4+ (EAL4+)
Use Common Criteria for auditing
SQL Server and Common Criteria Compliance
Use SQL Trace for auditing
Is used to trace commands sent to the server
Can be heavy on resources
Is run interactively
Can trace command executions
Marked for deprecation in a future version of SQL Server
Use SQL Trace for auditing
SQL Server Profiler
Event-driven monitoring tool
Configured through system stored procedures
Can be configured to capture user activity
Marked for deprecation in a future version of SQL Server
Use SQL Trace for auditing
SQL Trace
Use DML Triggers for auditing
DML triggers for data modification
Logon triggers for tracking logons
DDL triggers for schema modification
Use DML Triggers for auditing
Triggers can provide part of an auditing solution
Performance impact
Ability to disable triggers
Lack of SELECT triggers
Trigger nesting issues
Complexities around trigger firing orders
Use DML Triggers for auditing
Limitations
Use Temporal tables for auditing
The Database Engine automatically records the valid from/to dates of records in the database as they are changed
Configured as part of the table definition; no additional code required
Is a SQL Server 2016 feature
Use Temporal tables for auditing
Auditing with Temporal Tables
Cannot audit SELECT statements
INSERT, UPDATE and DELETE statements all audited in the same way
History table will be in the same database
User tracking requires adding a column to the table to hold SUSER_SNAME
Use Temporal tables for auditing
Limitations
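Added example (not from the presentation): a system-versioned table with the user-tracking column described above. The table, column and history-table names are hypothetical; the comments note what the extra column does and does not record.

```sql
-- Hypothetical table; requires SQL Server 2016 or later.
CREATE TABLE dbo.Customers
(
    CustomerId  int           NOT NULL PRIMARY KEY CLUSTERED,
    Email       nvarchar(256) NOT NULL,
    CreditLimit money         NOT NULL,
    -- User tracking column: the engine does not record who made a change.
    ModifiedBy  sysname       NOT NULL
        CONSTRAINT DF_Customers_ModifiedBy DEFAULT (SUSER_SNAME()),
    ValidFrom   datetime2 GENERATED ALWAYS AS ROW START NOT NULL,
    ValidTo     datetime2 GENERATED ALWAYS AS ROW END   NOT NULL,
    PERIOD FOR SYSTEM_TIME (ValidFrom, ValidTo)
)
WITH (SYSTEM_VERSIONING = ON (HISTORY_TABLE = dbo.Customers_History));

-- INSERT: the default fills ModifiedBy.
INSERT INTO dbo.Customers (CustomerId, Email, CreditLimit)
VALUES (1, N'a.customer@example.com', 1000);

-- UPDATE: a default does not fire here, so the column must be set explicitly
-- (or by a trigger); otherwise the new version keeps the previous user's name.
UPDATE dbo.Customers
SET    CreditLimit = 5000,
       ModifiedBy  = SUSER_SNAME()
WHERE  CustomerId = 1;

-- Every version of the row. ModifiedBy on each version names the login that
-- wrote that version. A DELETE only closes the last version, so the history
-- does not show who deleted the row, and SELECTs leave no trace at all.
SELECT CustomerId, CreditLimit, ModifiedBy, ValidFrom, ValidTo
FROM   dbo.Customers FOR SYSTEM_TIME ALL
WHERE  CustomerId = 1
ORDER BY ValidFrom;
```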
Implementing SQL Server Audit
SQL Server Audit is the primary auditing tool in SQL Server
Track server and database level events on an SQL Server instance
All editions of SQL Server support server level auditing
Database level auditing is available on Enterprise, Developer and Evaluation editions
Based on an event-driven monitoring engine called Extended Events
Implementing SQL Server Audit
Overview
Server Audit
Server Audit Specification
Database Audit Specification
Actions
Action Groups
Target
Implementing SQL Server Audit
Terminology
Defines where and how audited events are logged
Each server audit specifies:
Target
Queue delay
Action on failure
Server Audit
Definition
Server level
Database Level
Audit level
http://aka.ms/bak8rw
Audit Actions and Action Groups
Actions and action groups are linked to an audit with an audit specification
Audit
Action groups to be included
State
Server Audit Specifications
Specify
Audit
Action Group
Actions on specific securable object
Can be filtered by specific database principals
State
Database Audit Specifications
Specify
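Added example (not from the presentation) that ties the terms above together: one server audit with its target, queue delay and action on failure, a server audit specification, and a database audit specification filtered by principal. All object names, the SalesDb database, the dbo.Customers table and the AppUser principal are hypothetical, and X:\AuditFiles\ is a placeholder path.

```sql
USE master;
GO
-- Server audit: where and how events are logged.
CREATE SERVER AUDIT Audit_DataAccess
TO FILE (FILEPATH = N'X:\AuditFiles\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000,       -- milliseconds before buffered events are forced to the target
      ON_FAILURE  = CONTINUE);  -- keep the instance running if the audit cannot write
GO
-- Server audit specification: server-level action groups linked to the audit.
CREATE SERVER AUDIT SPECIFICATION AuditSpec_Server
FOR SERVER AUDIT Audit_DataAccess
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)    -- records changes to the audit configuration itself
WITH (STATE = ON);
GO
-- Nothing is written until the audit itself is enabled.
ALTER SERVER AUDIT Audit_DataAccess WITH (STATE = ON);
GO
USE SalesDb;  -- hypothetical database
GO
-- Database audit specification: actions on specific securables, filtered by
-- database principal. BY public covers every database user.
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_SalesDb
FOR SERVER AUDIT Audit_DataAccess
    ADD (SELECT ON OBJECT::dbo.Customers BY public),
    ADD (INSERT, UPDATE, DELETE ON SCHEMA::dbo BY AppUser),  -- hypothetical user
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- Confirm what is configured and that the audit is running.
SELECT s.name AS specification, s.is_state_enabled,
       d.audit_action_name, d.class_desc, d.is_group
FROM   sys.database_audit_specifications AS s
JOIN   sys.database_audit_specification_details AS d
       ON d.database_specification_id = s.database_specification_id;

SELECT name, status_desc, audit_file_path
FROM   sys.dm_server_audit_status;
```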
sys.dm_audit_actions
sys.dm_audit_class_type_map
sys.dm_server_audit_status
Audit-Related DMVs and System Views
Audit DMVs
sys.server_audits
sys.server_file_audits
sys.server_audit_specifications
sys.server_audit_specification_details
sys.database_audit_specifications
sys.database_audit_specification_details
Audit-Related DMVs and System Views
Audit System Views
Only database events may be audited
Plain SQL
Parameterized SQL
Stored Procedures
Login
Transaction Management
Audit logs are written to Store Tables
Auditing in Azure SQL Database
Configured through Azure Portal or Azure PowerShell
They cannot be used to audit business logic
Add USER_DEFINED_AUDIT_GROUP to audit specification
Call sp_audit_write stored procedure from T-SQL code
EXEC sp_audit_write
@user_defined_event_id = 12,
@succeeded = 1,
@user_defined_information = N'User defined message';
Custom Audit Events
Allows you to create custom audit entries
Managing SQL Server Audit
Windows Event Log Target
Event Viewer
Binary File Target
sys.fn_get_audit_file
Retrieving Audit Data
The method to retrieve audit data depends on the target that is specified in the audit definition
This function takes three parameters:
the file pattern,
<path>\*
<path>\<audit name>_{GUID}
<path>\<file name>
the initial file name,
and the audit record offset
SELECT * FROM sys.fn_get_audit_file('X:\AuditFiles\*',default,default);
Binary File Targets
Audit files created by SQL Server Audit can be opened with the sys.fn_get_audit_file system table-valued function
Because of this requirement, the record format is limited in size by the rules related to Windows event logging systems.
Character fields will be split into 4,000-character chunks that may be spread across a number of entries.
This means that a single event can generate multiple audit entries and a sequence_number column is provided to indicate the order of multiple row entries.
Large Audit Records
The audit records produced by SQL Server Audit must be formatted to fit in system event logs, and in files
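Added example (not from the presentation): reading a binary file target and stitching split statements back together in sequence_number order. Treating rows that share event_time, session_id and action_id as chunks of one event is an assumption of this example, and X:\AuditFiles\* is a placeholder path; FOR XML PATH is used for the concatenation because it works on SQL Server 2016.

```sql
-- Load once into a temp table so the audit files are read a single time.
SELECT event_time, sequence_number, session_id, action_id, succeeded,
       server_principal_name, database_name, schema_name, object_name, statement
INTO   #audit
FROM   sys.fn_get_audit_file(N'X:\AuditFiles\*', DEFAULT, DEFAULT);

-- One output row per event: start from the first chunk (sequence_number = 1)
-- and append the remaining chunks in order.
SELECT h.event_time, h.session_id, h.action_id, h.succeeded,
       h.server_principal_name, h.database_name, h.schema_name, h.object_name,
       c.chunks,
       (SELECT p.statement AS [text()]
        FROM   #audit AS p
        WHERE  p.event_time = h.event_time
          AND  p.session_id = h.session_id
          AND  p.action_id  = h.action_id
        ORDER BY p.sequence_number
        FOR XML PATH(''), TYPE).value('.', 'nvarchar(max)') AS full_statement
FROM   #audit AS h
CROSS APPLY (SELECT COUNT(*) AS chunks
             FROM   #audit AS p
             WHERE  p.event_time = h.event_time
               AND  p.session_id = h.session_id
               AND  p.action_id  = h.action_id) AS c
WHERE  h.sequence_number = 1
ORDER BY h.event_time;

DROP TABLE #audit;
```

Filtering or searching on the raw statement column alone can miss text that falls in a later chunk, so search full_statement instead.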
You must disable audits and audit specifications before you drop them, or make any other changes to configuration.
Enabling and Disabling Auditing
Change the STATE property to ON or OFF
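Added example (not from the presentation): the disable, change, re-enable sequence for an existing audit and specification, followed by a clean removal. Audit_DataAccess, AuditSpec_SalesDb and SalesDb are hypothetical names assumed to exist already.

```sql
USE SalesDb;  -- hypothetical database
GO
-- Change a database audit specification: it must be OFF while it is altered.
ALTER DATABASE AUDIT SPECIFICATION AuditSpec_SalesDb WITH (STATE = OFF);
ALTER DATABASE AUDIT SPECIFICATION AuditSpec_SalesDb
    ADD (EXECUTE ON SCHEMA::dbo BY public);
ALTER DATABASE AUDIT SPECIFICATION AuditSpec_SalesDb WITH (STATE = ON);
GO
USE master;
GO
-- Change the server audit: same pattern. Events raised while the audit is
-- OFF are not recorded, so keep the window short.
ALTER SERVER AUDIT Audit_DataAccess WITH (STATE = OFF);
ALTER SERVER AUDIT Audit_DataAccess WITH (QUEUE_DELAY = 2000);
ALTER SERVER AUDIT Audit_DataAccess WITH (STATE = ON);
GO
-- Confirm everything is enabled again.
SELECT name, is_state_enabled FROM sys.server_audits;
SELECT name, is_state_enabled FROM SalesDb.sys.database_audit_specifications;
GO
-- Removal: disable, then drop. Specifications go first so that none is left
-- behind pointing at an audit that no longer exists.
USE SalesDb;
GO
ALTER DATABASE AUDIT SPECIFICATION AuditSpec_SalesDb WITH (STATE = OFF);
DROP DATABASE AUDIT SPECIFICATION AuditSpec_SalesDb;
GO
USE master;
GO
ALTER SERVER AUDIT Audit_DataAccess WITH (STATE = OFF);
DROP SERVER AUDIT Audit_DataAccess;
GO
```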
Audit GUID in restore scenarios
Audit GUID in mirroring scenarios
Performance impact of audit writes
If audit configuration prevents the instance from starting, use the -f switch
If a database is restored to an instance that does not support database audits, the audit is ignored
Considerations for SQL Server Audit
There are several potential issues to consider with SQL Server audit
Implementing SQL Server Audit
SELECT KNOWLEDGE FROM SQL SERVER
Copyright © 2016 SQLschool.gr. All rights reserved. PRESENTER MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION