Il-Sung Lee Senior Program Manager Microsoft Corporation DAT304.
Transcript of Il-Sung Lee Senior Program Manager Microsoft Corporation DAT304.
Auditing in Microsoft SQL Server 2008
Il-Sung Lee
Senior Program Manager
Microsoft Corporation
DAT304
Agenda
• What’s changed since SQL Server 2005?
• Why should I use SQL Server Audit?
• What is the performance impact?
• Can I protect the Audit log from the DBA?
• What happens if Audit fails to write?
• What do I do if the server fails to start because of SQL Server Audit?
• Anything else I should know?
What’s changed since SQL Server 2005?
We now have a dedicated, security auditing feature.
Auditing Database Activity
SQL Server 2005
• SQL Trace
• DDL/DML Triggers
• Third-party tools to read transaction logs
• No management tools support
SQL Server 2008
• SQL Server Audit
SQL Server Audit
Audit now a 1st Class Server Object
• Native DDL for Audit configuration and management
• Security support
Create an Audit object to automatically log actions to:
• File
• Windows Application Log
• Windows Security Log
Ability to define granular Audit Actions of Users or Roles on DB objects
Audit Specifications
[Diagram: Audit object with its targets (File system, Application Event Log, Security Event Log), a Server Audit Specification with Server Audit Actions, and Database Audit Specifications (Database Audit Components) with Database Audit Actions.]
0..1 Server audit specification per Audit object
0..1 DB audit specification per database per Audit object
CREATE SERVER AUDIT SPECIFICATION SvrAC FOR SERVER AUDIT PCI_Audit ADD (FAILED_LOGIN_GROUP);
CREATE DATABASE AUDIT SPECIFICATION AuditAC FOR SERVER AUDIT PCI_Audit ADD (SELECT ON Customers BY public);
Why should I use SQL Server Audit?
For performance, security, flexibility, and other good reasons!
“We already have strict limits on who can see the data, and we use SQL Server 2008 auditing to verify this,” says Gerald Schinagl, Project Manager and Systems Architect for the Sports Database at Austrian Broadcasting Corporation Radio & Television (ORF).
Reasons to Use SQL Server Audit
• Faster than SQL Trace
• Leverages high performance eventing infrastructure
• Granular auditing
• Runs within engine
• More secure
• More choices for audit target
• Automatically records changes to Audit state
• Persists state between restarts
• Parity with SQL Server 2005 Audit Generation
• Configuration and management in SSMS
• Integration with Policy-Based Management
Enabling SQL Server Audit
demo
What is the performance impact?
Depends…
Audit Performance
Depends upon:
• The workload
• What’s being audited
Comparison of SQL Server Audit against SQL Trace for 5 different typical customer workloads…
SQL Server Audit vs SQL Trace
Customer Workload Performance

Workload     Base Time (min)   SQL Trace (min)   SQL Server Audit (min)
Workload 1   13.3              15.9              14.1
Workload 2   41.3              101.9             55.9
Workload 3   5.1               6.3               5.6
Workload 4   63.4              76.6              68.13
Workload 5   3.6               4.78              4
Can I protect the Audit log from the DBA?
Yes.
“We’re seeing more audit requests in the industry, and they often want us to demonstrate the ability to document who has accessed what data,” says Umut Nazlica, Manager of Open Systems Databases at Garanti Technology. “This was something that was extremely hard to do without third-party tools prior to SQL Server 2008. With Enhanced Auditing, we will be able to provide granular information including when and by whom each data change was made.”
Protecting Audit Data
Windows Security Log
• “Tamper-proof” log
• DBA cannot clear log (assuming not an Administrator)
• System Center Operations Manager Audit Collection Service
Copy Audit logs to secure location
• Directory or share inaccessible by service account or DBA
• Audit log files are shared-read and cannot be tampered with while active
• Possible momentary exposure if using multiple logs
Combination of the two
• Audit “tamper” activity to Security Log, e.g., DBA modifying Audit
• All other Audit events are sent to file
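The combined strategy above, written out in T-SQL as an added example (not from the original slides). The audit and specification names, the E:\AuditLogs\ path, and the SalesDB database with a dbo.Customers table are assumptions.

```sql
-- Added example: all object names, the file path and the database are hypothetical.
USE master;
GO
-- Audit 1: tamper evidence goes to the Windows Security Log.
-- The SQL Server service account needs the "Generate security audits" right for this target.
CREATE SERVER AUDIT Tamper_Audit
    TO SECURITY_LOG
    WITH (QUEUE_DELAY = 0, ON_FAILURE = SHUTDOWN);   -- synchronous delivery; stop the server rather than lose events
GO
-- Audit 2: all other events go to files, the faster target.
CREATE SERVER AUDIT Activity_Audit
    TO FILE (FILEPATH = 'E:\AuditLogs\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- Any create/alter/drop of an audit or audit specification is recorded in the Security Log.
CREATE SERVER AUDIT SPECIFICATION Tamper_Spec
    FOR SERVER AUDIT Tamper_Audit
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
CREATE SERVER AUDIT SPECIFICATION Login_Spec
    FOR SERVER AUDIT Activity_Audit
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
GO
USE SalesDB;
GO
-- Granular database-level action: every SELECT on one table, by any principal.
CREATE DATABASE AUDIT SPECIFICATION Customers_Spec
    FOR SERVER AUDIT Activity_Audit
    ADD (SELECT ON dbo.Customers BY public)
    WITH (STATE = ON);
GO
USE master;
GO
-- Audits are created disabled; nothing is recorded until they are switched on.
ALTER SERVER AUDIT Tamper_Audit   WITH (STATE = ON);
ALTER SERVER AUDIT Activity_Audit WITH (STATE = ON);
GO
-- Read the file target back for review.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('E:\AuditLogs\*', DEFAULT, DEFAULT)
ORDER BY event_time;
```

The file directory should be one the DBA cannot write to, with the closed files copied off to a separate location as the slide describes.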
What happens if Audit fails to write?
Depends again…
Audit Write Failure (shutdown)
Shut down server on audit log failure
Audit Write Failure (non-shutdown)
Audit Events Buffered
• Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text)
Server Blocks Activity Generating Audit Event
• Does not affect other Audits
• Blocks until buffer space freed or audit disabled
Audit Session Turned Off
• Buffered data is discarded and error written to errorlog
• Continue trying to write future events to Audit log
• If failure during creation of handle to file/Windows log session, manual restart of Audit session required
[Diagram labels: Buffer filled; System error]
What do I do if the server fails to start because of SQL Server Audit?
Start the server in single-user mode
Starting the Server
Option 1
• Correct source of error
• E.g., file system full
Option 2
• Single-user mode, “-m”
• Audit is active but shutdown-on-failure behavior deactivated
• Audit Admin can fix Audit configuration
Option 3
• Minimal configuration mode, “-f”
• Audit disabled but Audit DDL can still be issued.
Using SQL Server Audit with Policy-Based Management
demo
Anything else I should know?
Just a few things.
Other Things You Should Know
• Enterprise only
• Parameterized queries
• Audit Xevent Sessions may not be manipulated by Xevent DDL.
• Audit logs are not encrypted
• Audit events are fired with permission checks
• Writing to files is much faster than writing to the event log
Other Things You Should Know
Both Audit and Audit Specifications have STATE parameters
• Can only change state outside user transaction
• All other audit changes can be done in a transaction, but with Audit or Audit Specification OFF
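The STATE rules above, shown as an added T-SQL example (not from the original slides) that repoints a file audit whose volume has filled and then widens its specification. The names Demo_Audit and Demo_Spec and both paths are assumptions.

```sql
-- Added example: object names and paths are hypothetical.
USE master;
GO
-- Setup: an audit and a server audit specification, both running.
CREATE SERVER AUDIT Demo_Audit
    TO FILE (FILEPATH = 'E:\AuditLogs\')
    WITH (ON_FAILURE = SHUTDOWN);
GO
CREATE SERVER AUDIT SPECIFICATION Demo_Spec
    FOR SERVER AUDIT Demo_Audit
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT Demo_Audit WITH (STATE = ON);
GO

-- 1. State changes are issued on their own, outside any user transaction.
ALTER SERVER AUDIT SPECIFICATION Demo_Spec WITH (STATE = OFF);
ALTER SERVER AUDIT Demo_Audit WITH (STATE = OFF);
GO
-- 2. With both objects OFF, the remaining changes can be grouped in one
--    transaction (as the slide states), so they apply together or not at all.
BEGIN TRANSACTION;
    ALTER SERVER AUDIT Demo_Audit
        TO FILE (FILEPATH = 'F:\AuditLogs\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
        WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
    ALTER SERVER AUDIT SPECIFICATION Demo_Spec
        ADD (SUCCESSFUL_LOGIN_GROUP);
COMMIT TRANSACTION;
GO
-- 3. Re-enable, again outside a transaction.
ALTER SERVER AUDIT Demo_Audit WITH (STATE = ON);
ALTER SERVER AUDIT SPECIFICATION Demo_Spec WITH (STATE = ON);
GO
-- 4. Confirm the configured state and the runtime status of the audit session.
SELECT name, is_state_enabled, on_failure_desc, queue_delay
FROM sys.server_audits;
SELECT name, status_desc, status_time, audit_file_path
FROM sys.dm_server_audit_status;
```

The window between steps 1 and 3 is unaudited by Demo_Audit, which is the reason to send audit-change events to a separate audit that stays on.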
Creating an Audit Collector
demo
Securely and Easily Track DB Activity
• Consider SQL Server Audit for all security auditing requirements
• Carefully devise a strategy for what needs to be audited and where to send the audit information based on security and performance needs
• Monitor administrator activity and prevent tampering of the logs
question & answer
Resources
Related Content
DAT15-HOL: Using Microsoft SQL Server 2008 Policy-Based Management to Set Policies and Help Ensure Compliance
DAT02-INT: Protecting Your Data Using Encryption in Microsoft SQL Server
DAT02-HOL: Implementing Database Compliance Scenarios
Track Resources
Understanding SQL Server Audit http://msdn.microsoft.com/en-us/library/cc280386.aspx
Auditing in SQL Server 2008 whitepaper http://msdn.microsoft.com/en-us/library/dd392015.aspx
SQL Server Security homepage http://www.microsoft.com/sqlserver/2008/en/us/security.aspx
SQL Server Security blog http://blogs.msdn.com/sqlsecurity/
Administering Servers by Using Policy-Based Management http://msdn.microsoft.com/en-us/library/bb510667.aspx
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.