A Comparative Analysis of
Auditing Solutions in SQL Server
or
How The Hell Can I Tell Who's Messing With My Data
Audit
• A methodical examination or review of a
condition or situation
1
7/9/2009
Compliance
• Acting according to certain accepted
standards
• Monitoring the extent of compliance with the
standards and ethical codes at either an
agency or sector level
Compliance
Auditing in SQL
• User actions
– data changes
– Data read
– Schema changes
• Security events
– Logins
– Server security activities
• Auditing features by version:
– 7: Profiler
– 2000: C2
– 2005: DDL triggers
– 2008: SQL Audit, CDC, Change Tracking
Agenda
• Schema changes and Security Audit
– Trace
– SQL Audit
– DDL Triggers (& Login Triggers)
• Data changes Audit
– DML Triggers
– Change Tracking
– Change Data Capture (CDC)
• Third party tools
– Idera SQL Compliance Manager
SQL Trace
• Versions Available:
6.x + (Profiler since 7)
• Editions available:
All (Profiler not available in Express Edition)
• What does it audit?
User Actions
(who read, who wrote, who altered)
Most of the events we can dream of: object access and
management in any scope, security changes and
events, logins (in addition to everything required for
debugging, monitoring and performance tuning)
SQL Trace
Pros
• A one-stop mechanism to get tons of security related information.
• No objects have to be altered or created.
• Captures things that can’t be captured otherwise (DBCC,
create/alter trace, backup/restore) - until SQL Server 2008
• Actions are ALWAYS audited (even if transaction was rolled back)
Cons
• Data changes are not collected (can be collected with user defined
events, but this requires triggers and is complex to work out)
• May be harder to filter and analyze for relevant events.
• The syntax is complicated, and it is harder to understand what we are
auditing (when not using Profiler).
• There is no guarantee the trace will run when the server starts; we
should take care of it (using a startup proc or an Agent job)
SQL Trace
• How to create
– See Yaniv Etrogi’s UG 87 session in sqlserver.co.il
• How does it work?
– Based on internal trace events
SQL Trace
• Performance overhead
– Minimal (when not used with Profiler)
– 5 events, only profiler filtered out:
http://sqlblog.com/blogs/linchi_shea/archive/2007/08/01/trace-profiler-test.aspx
SQL Trace
• Interesting events to look for (Security):
– Audit Schema Object Access
– Audit Schema Object Management
– Audit Schema Object GDR
– Audit Schema Object Take Ownership
– Audit Login Failed
SQL Trace
• Default trace
– File growth, shrink
– Mirroring state change
– Errors and warnings
– Fulltext crawl start/stop/abort
– Object create/alter/drop
– 17 audit events
– Server memory change
– 5 20mb file-rollover files
SQL Trace
• Blackbox trace
– 5mb files (size and file-rollover file count can be
overridden after setup)
– Saved to default data folder
– Traces:
• RPC Starting
• Batch Starting
• Exception
• Attention (timeouts)
– No filters, no event/column configuration
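Added example, not code from the slides: a server-side security trace for the events listed above, started by a startup stored procedure so that it keeps running after an instance restart (the last con on the SQL Trace slide). The trace event IDs are 20 Audit Login Failed, 103 Audit Schema Object GDR, 114 Audit Schema Object Access, 131 Audit Schema Object Management and 153 Audit Schema Object Take Ownership; the procedure name and the path E:\SqlAudits\sectrace are assumptions.

```sql
-- Added example (not from the slides). Assumed: path E:\SqlAudits, proc name.
USE master;
GO
CREATE PROCEDURE dbo.usp_start_security_trace
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @traceid INT, @rc INT;
    DECLARE @maxsize BIGINT = 20;                            -- MB per file
    DECLARE @path NVARCHAR(245) = N'E:\SqlAudits\sectrace';  -- SQL Server appends .trc

    -- option 2 = TRACE_FILE_ROLLOVER; keep at most 5 files, like the default trace
    EXEC @rc = sp_trace_create @traceid OUTPUT, 2, @path, @maxsize, NULL, 5;
    IF @rc <> 0 RETURN @rc;   -- 12 = file not created, 13 = out of memory, ...

    -- Every audit event gets the same set of columns
    DECLARE @events TABLE (id INT);
    INSERT @events VALUES (20), (103), (114), (131), (153);
    DECLARE @cols TABLE (id INT);
    INSERT @cols VALUES (1), (6), (8), (10), (11), (12), (14), (23), (28), (34), (35);
        -- TextData, NTUserName, HostName, ApplicationName, LoginName, SPID,
        -- StartTime, Success, ObjectType, ObjectName, DatabaseName

    DECLARE @ev INT, @col INT, @on BIT = 1;
    DECLARE cur CURSOR LOCAL FAST_FORWARD FOR
        SELECT e.id, c.id FROM @events AS e CROSS JOIN @cols AS c;
    OPEN cur;
    FETCH NEXT FROM cur INTO @ev, @col;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        EXEC sp_trace_setevent @traceid, @ev, @col, @on;
        FETCH NEXT FROM cur INTO @ev, @col;
    END;
    CLOSE cur;
    DEALLOCATE cur;

    -- Drop Profiler and Agent noise: column 10 = ApplicationName,
    -- logical operator 0 = AND, comparison operator 7 = NOT LIKE
    EXEC sp_trace_setfilter @traceid, 10, 0, 7, N'SQL Server Profiler%';
    EXEC sp_trace_setfilter @traceid, 10, 0, 7, N'SQLAgent%';

    EXEC sp_trace_setstatus @traceid, 1;   -- 1 = start
END;
GO
-- Mark it as a startup procedure (this also turns on 'scan for startup procs')
EXEC sp_procoption @ProcName = N'usp_start_security_trace',
                   @OptionName = 'startup', @OptionValue = 'on';
GO
-- Start it now as well, then read the file back with event IDs resolved to names
EXEC dbo.usp_start_security_trace;
SELECT t.StartTime, e.name AS event_name, t.LoginName, t.NTUserName, t.HostName,
       t.ApplicationName, t.DatabaseName, t.ObjectName, t.Success, t.TextData
FROM fn_trace_gettable(N'E:\SqlAudits\sectrace.trc', DEFAULT) AS t
JOIN sys.trace_events AS e ON e.trace_event_id = t.EventClass
WHERE t.EventClass IN (20, 103, 114, 131, 153)
ORDER BY t.StartTime;
```

The ApplicationName filters keep Profiler sessions and Agent jobs out of the file, which is most of the "harder to filter and analyze" problem; the join to sys.trace_events turns the numeric EventClass into readable event names when reviewing the trace.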
C2 Audit
• Versions Available:
2000+
• Editions available:
All
• What does it audit?
Failed and successful attempts to access
statements and objects.
C2 Audit
Pros
• Simple trace to set up (one checkbox)
• Audits every action on every object within the SQL
Server instance.
• No audit – no SQL Server. SQL Shuts down if it can’t
write audit information.
Cons
• Requires instance restart to enable/disable.
• Not configurable in terms of events, columns, filters or
file size. It saves audit trail in 200mb files in the default
data folder (any worse choice?) – can cause disk space
problems
C2 Audit
• How to create
-- 'c2 audit mode' is an advanced option, so expose it first
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO
EXEC sp_configure 'c2 audit mode', 1
GO
RECONFIGURE
-- then restart the instance for the setting to take effect
C2 Audit
• Performance overhead
– Like SQL trace (with audit 40 events, 45 columns
and no filters)
SQL Audit
• Versions Available:
2008
• Editions available:
Enterprise only
• What does it audit?
Audit user actions
(who read, who wrote, who altered)
Unlike SQL Trace, SQL Audit is meant to provide
full auditing capabilities and only auditing
capabilities
SQL Audit
• How does it work?
– SQL Server Audit is a brand new audit mechanism.
– Different set of events for server scope and database
scope.
– Based on Extended Events
– Tightly bound to DBMS engine - implemented by
hooking the internal permissions checks
– Can output to
• File
• Windows Application Log
• Windows Security Log
– Can be synchronous or asynchronous (default)
SQL Audit
• Sample Event groups:
– Server scope:
• SUCCESSFUL_LOGIN_GROUP
• FAILED_LOGIN_GROUP
• LOGIN_CHANGE_PASSWORD_GROUP
• DBCC_GROUP
– Database scope:
• SCHEMA_OBJECT_CHANGE_GROUP
• DATABASE_OWNERSHIP_CHANGE_GROUP
• DATABASE_PERMISSION_CHANGE_GROUP
SQL Audit
Pros
• A one-stop mechanism to get tons of security related information.
• Captures things that can’t be captured otherwise (DBCC, create/alter
trace, backup/restore)
• Easy to set up, filter in any granularity of objects, actions and users.
• Performs even better than a trace
• Actions are ALWAYS audited (even if transaction was rolled back)
• Many options of output – can be combined with System Center
Operations Manager (formerly known as MOM)
• Can be configured to shut down the server if it fails to audit.
Cons
• Data changes are not collected
• Audit data saved to sqlaudit file or event log and not to a table.
SQL Audit
• How to create
USE master
GO
CREATE SERVER AUDIT audit1 TO FILE (FILEPATH = '\\srv\adt')
GO
USE hr_db
GO
CREATE DATABASE AUDIT SPECIFICATION hr_dbspec FOR SERVER AUDIT audit1
ADD (SELECT, UPDATE, INSERT, DELETE ON hr.salary BY dbo)
GO
-- and enable the audit & audit specification
ALTER DATABASE AUDIT SPECIFICATION hr_dbspec WITH (STATE = ON)
GO
USE master
GO
ALTER SERVER AUDIT audit1 WITH (STATE = ON)
SQL Audit
• How to read
SELECT * FROM sys.fn_get_audit_file('E:\SqlAudits\*', DEFAULT, DEFAULT)
SQL Audit
• Performance overhead
– Lower than Profiler!
[Chart: test runs 1–5 on the x-axis, time on the y-axis (0–120); series: Base Time, SQL Trace, SQL Audit]
http://msdn.microsoft.com/en-us/library/dd392015.aspx
SQL Audit
• Tips:
– It’s disabled by default – don’t forget to enable it
after you set it up.
– Just like with DCL statements we can use database
or schema scopes. For example:
SELECT ON DATABASE::MyDB
UPDATE ON SCHEMA::HR
– Can output to application/security log
(look for event ID 33205)
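Added example, not code from the slides: a complete SQL Audit setup that uses the server-scope event groups listed earlier, a database audit specification scoped to a whole schema (the SCHEMA:: tip above), the shutdown-on-failure and enable steps, and a query that reads the .sqlaudit files with action IDs resolved to names. The names audit_sec, hr_db, the hr schema and the path E:\SqlAudits are assumptions.

```sql
-- Added example (not from the slides). Assumed: audit_sec, hr_db, schema hr, E:\SqlAudits.
USE master;
GO
CREATE SERVER AUDIT audit_sec
TO FILE (FILEPATH = N'E:\SqlAudits\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
WITH (QUEUE_DELAY = 1000,       -- ms; 0 makes the audit synchronous
      ON_FAILURE = SHUTDOWN);   -- "no audit - no SQL Server"; needs SHUTDOWN permission
GO
-- Server scope: who logs in, who fails, who changes passwords, who runs DBCC
CREATE SERVER AUDIT SPECIFICATION audit_sec_srv
FOR SERVER AUDIT audit_sec
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),
    ADD (DBCC_GROUP)
WITH (STATE = ON);
GO
USE hr_db;
GO
-- Database scope: schema and permission changes anywhere in the database, plus
-- every read and write of anything in the hr schema by any principal
CREATE DATABASE AUDIT SPECIFICATION audit_sec_hr
FOR SERVER AUDIT audit_sec
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::hr BY public)
WITH (STATE = ON);
GO
-- The audit itself is created disabled: enable it last, then verify it is running
USE master;
GO
ALTER SERVER AUDIT audit_sec WITH (STATE = ON);
GO
SELECT name, status_desc, audit_file_path
FROM sys.dm_server_audit_status;

-- Read the files; event_time is UTC. Failed actions sort first.
SELECT f.event_time, a.name AS action_name, f.succeeded,
       f.server_principal_name, f.database_name, f.schema_name,
       f.object_name, f.statement
FROM sys.fn_get_audit_file(N'E:\SqlAudits\*', DEFAULT, DEFAULT) AS f
JOIN (SELECT DISTINCT action_id, name FROM sys.dm_audit_actions) AS a
     ON a.action_id = f.action_id
WHERE f.event_time >= DATEADD(DAY, -1, GETUTCDATE())
ORDER BY f.succeeded, f.event_time;
```

sys.dm_audit_actions lists one row per action and securable class, so the DISTINCT subquery avoids duplicating audit rows in the join. With ON_FAILURE = SHUTDOWN, make sure the file share stays writable and that the rollover count covers the retention you need, because a full or unreachable path stops the instance.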
DDL Triggers
• Versions Available:
2005+ (logon triggers in 2005 SP2+)
• Editions available:
All
• What does it audit?
Tracks object changes in server, database and
schema levels + login events
DDL Triggers
Pros
• Useful for auditing but can also be used to act on
DDL statements (i.e. ROLLBACK)
• Can have lots of logic within it (we write all the
code)
Cons
• Transaction bound (if change is done within
transaction, the audit can be rolled back as well)
• Requires code and object generation.
• The tracking table (if exists) needs to be
managed.
DDL Triggers
• How to create, prerequisites
– Logon triggers require 2005 SP2+
DDL Triggers
• Performance overhead
– Slightly higher than trace
– Depends on the statements inside the trigger.
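Added example, not code from the slides: a database-scoped DDL trigger that writes EVENTDATA() into an audit table and, to show the "act on DDL statements" point, rolls back DROP TABLE in one schema. The database hr_db, the schema hr and the table dbo.ddl_audit are assumptions.

```sql
-- Added example (not from the slides). Assumed: database hr_db, schema hr, dbo.ddl_audit.
USE hr_db;
GO
IF OBJECT_ID('dbo.ddl_audit') IS NULL
CREATE TABLE dbo.ddl_audit (
    audit_id     INT IDENTITY PRIMARY KEY,
    post_time    DATETIME       NOT NULL,
    event_type   NVARCHAR(128)  NOT NULL,
    login_name   NVARCHAR(128)  NOT NULL,
    orig_login   NVARCHAR(128)  NOT NULL,  -- real login behind EXECUTE AS / impersonation
    host_name    NVARCHAR(128)  NULL,
    schema_name  NVARCHAR(128)  NULL,
    object_name  NVARCHAR(128)  NULL,
    tsql_command NVARCHAR(MAX)  NULL,
    event_xml    XML            NOT NULL);
GO
CREATE TRIGGER trg_audit_ddl ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS        -- every CREATE / ALTER / DROP ... in this database
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e XML = EVENTDATA();
    DECLARE @event_type NVARCHAR(128) = @e.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(128)');
    DECLARE @schema     NVARCHAR(128) = @e.value('(/EVENT_INSTANCE/SchemaName)[1]', 'nvarchar(128)');
    DECLARE @blocked BIT = 0;

    -- Act on the statement: no table in the hr schema is dropped through this path.
    -- The trigger runs inside the DDL statement's transaction, so ROLLBACK undoes the DROP.
    -- The INSERT below runs after the rollback, outside that transaction, so the attempt
    -- is still recorded (the "transaction bound" con: an audit row written before a
    -- rollback disappears with it).
    IF @event_type = N'DROP_TABLE' AND @schema = N'hr'
    BEGIN
        ROLLBACK;
        SET @blocked = 1;
    END;

    INSERT dbo.ddl_audit (post_time, event_type, login_name, orig_login, host_name,
                          schema_name, object_name, tsql_command, event_xml)
    VALUES (@e.value('(/EVENT_INSTANCE/PostTime)[1]', 'datetime'),
            @event_type + CASE WHEN @blocked = 1 THEN N' (blocked)' ELSE N'' END,
            @e.value('(/EVENT_INSTANCE/LoginName)[1]', 'nvarchar(128)'),
            ORIGINAL_LOGIN(),
            HOST_NAME(),
            @schema,
            @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'),
            @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
            @e);

    IF @blocked = 1
        RAISERROR(N'DROP TABLE in schema hr is blocked; the attempt was logged in dbo.ddl_audit', 16, 1);
END;
GO
-- Who changed what, newest first
SELECT TOP (50) post_time, event_type, login_name, orig_login, host_name,
       schema_name, object_name, tsql_command
FROM dbo.ddl_audit
ORDER BY audit_id DESC;
```

Keeping the full event XML alongside the shredded columns costs little and preserves details (ObjectType, Parameters) that a later investigation may need. If the INSERT into dbo.ddl_audit fails, the DDL statement fails with it, which is the second con on the DDL Triggers slide; the tracking table therefore needs the same care as any production table.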
DML Triggers
• Versions Available:
Any
• Editions available:
All
• What does it audit?
Audit data changes in a table + security
information.
DML Triggers
Pros
• Useful for auditing but can also be used to act on DML
statements (i.e. ROLLBACK)
• Can have lots of logic within it (we write all the code)
• Can combine security information and data changes
Cons
• Transaction bound (if the change is done within a transaction,
the audit can be rolled back as well; if the trigger fails, the
transaction is doomed)
• Requires code and object generation.
• The tracking table (if exists) needs to be managed.
DML Triggers
• How to create
CREATE TRIGGER [name] ON { table | view }
[ WITH <dml_trigger_option> ]
{ FOR | AFTER | INSTEAD OF }
{ [ INSERT ] [,] [ UPDATE ] [,] [ DELETE ] }
AS ...
DML Triggers
• Performance overhead
– Depends on the statements inside the trigger.
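Added example, not code from the slides: an AFTER trigger on a hypothetical hr.salary table that stores the before and after image of every changed row together with the security context (login, original login, host, application), which is the "combine security information and data changes" pro. The database hr_db and the table and column names are assumptions; the sample rows at the end are constructed.

```sql
-- Added example (not from the slides). Assumed: database hr_db, tables hr.salary, hr.salary_audit.
USE hr_db;
GO
IF SCHEMA_ID('hr') IS NULL EXEC ('CREATE SCHEMA hr');
GO
IF OBJECT_ID('hr.salary') IS NULL
CREATE TABLE hr.salary (
    emp_id  INT PRIMARY KEY,
    amount  DECIMAL(12,2) NOT NULL);
IF OBJECT_ID('hr.salary_audit') IS NULL
CREATE TABLE hr.salary_audit (
    audit_id    INT IDENTITY PRIMARY KEY,
    changed_at  DATETIME2(3)  NOT NULL DEFAULT SYSUTCDATETIME(),
    action      CHAR(1)       NOT NULL,   -- I / U / D
    emp_id      INT           NOT NULL,
    old_amount  DECIMAL(12,2) NULL,
    new_amount  DECIMAL(12,2) NULL,
    login_name  NVARCHAR(128) NOT NULL,
    orig_login  NVARCHAR(128) NOT NULL,   -- real login behind EXECUTE AS / impersonation
    host_name   NVARCHAR(128) NULL,
    app_name    NVARCHAR(128) NULL,
    spid        INT           NOT NULL);
GO
CREATE TRIGGER hr.trg_salary_audit ON hr.salary
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;   -- extra "rows affected" messages confuse some client code
    -- One set-based INSERT covers single-row and multi-row statements alike.
    -- FULL OUTER JOIN on the key: only in inserted = I, only in deleted = D, in both = U.
    -- (An UPDATE of the key itself would show as D + I; keys should not change.)
    INSERT hr.salary_audit (action, emp_id, old_amount, new_amount,
                            login_name, orig_login, host_name, app_name, spid)
    SELECT CASE WHEN d.emp_id IS NULL THEN 'I'
                WHEN i.emp_id IS NULL THEN 'D'
                ELSE 'U' END,
           COALESCE(i.emp_id, d.emp_id),
           d.amount, i.amount,
           SUSER_SNAME(), ORIGINAL_LOGIN(), HOST_NAME(), APP_NAME(), @@SPID
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d ON d.emp_id = i.emp_id;
END;
GO
-- Constructed sample changes
INSERT hr.salary (emp_id, amount) VALUES (1, 5000), (2, 6000);
UPDATE hr.salary SET amount = amount * 1.10 WHERE emp_id = 2;
DELETE hr.salary WHERE emp_id = 1;
-- The con from the slide: this rollback removes the UPDATE and its audit row together
BEGIN TRAN;
UPDATE hr.salary SET amount = 99999 WHERE emp_id = 2;
ROLLBACK;
SELECT changed_at, action, emp_id, old_amount, new_amount,
       login_name, orig_login, host_name, app_name
FROM hr.salary_audit
ORDER BY audit_id;
```

ORIGINAL_LOGIN() is the column that matters when a stored procedure or application switches context with EXECUTE AS: SUSER_SNAME() then reports the impersonated principal, while ORIGINAL_LOGIN() still names the login that opened the connection.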
Change Tracking
• Versions Available:
2008
• Editions available:
All
• What does it audit?
Audits the fact that a certain row has changed and by
which action (Insert, Update or Delete):
– Which rows have changed in a user table?
– Has a row changed?
Change Tracking
• How to create, prerequisites
– Should be enabled in the database and then on the table
– Table must have a primary key or a unique index.
Change Tracking
• Performance overhead
– More IO: The incremental performance overhead
that is associated with using change tracking on a
table is similar to the overhead incurred when an
index is created for a table and needs to be
maintained.
Change Tracking
• Pros
– No need to develop complex procedures for tracking
changes
– Doesn’t take a lot of disk space
– Synchronous
– Auto cleanup tasks
• Cons
– Doesn’t keep historical data
– Doesn’t keep security information
– Usually used with snapshot isolation level, which causes
performance to drop
– Affects the system IO
Change Tracking
• Remarks
– When change tracking is enabled, there are
restrictions on the DDL that can be performed on
a table being tracked. The most notable restriction
is that the primary key cannot be altered in any
way.
– Switching a partition fails if one or both of the
tables have change tracking enabled.
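Added example, not code from the slides: enabling Change Tracking on a hypothetical hr.salary table (it has the required primary key) and the synchronization pattern a consumer uses to pull only the rows changed since its last run, including the check that the retained history still covers the consumer's last version. The database hr_db and the table are assumptions; the sample changes are constructed.

```sql
-- Added example (not from the slides). Assumed: database hr_db, table hr.salary.
USE hr_db;
GO
ALTER DATABASE hr_db SET CHANGE_TRACKING = ON
    (CHANGE_RETENTION = 2 DAYS, AUTO_CLEANUP = ON);   -- the "auto cleanup tasks" pro
ALTER DATABASE hr_db SET ALLOW_SNAPSHOT_ISOLATION ON;  -- the usual companion, see Cons
GO
IF SCHEMA_ID('hr') IS NULL EXEC ('CREATE SCHEMA hr');
GO
IF OBJECT_ID('hr.salary') IS NULL
CREATE TABLE hr.salary (emp_id INT PRIMARY KEY, amount DECIMAL(12,2) NOT NULL);
GO
ALTER TABLE hr.salary ENABLE CHANGE_TRACKING WITH (TRACK_COLUMNS_UPDATED = ON);
GO
-- Consumer side: the version reached at the end of the previous sync
-- (kept in a variable here; a real consumer persists it)
DECLARE @last_sync BIGINT = CHANGE_TRACKING_CURRENT_VERSION();

-- Constructed sample changes
INSERT hr.salary VALUES (1, 5000), (2, 6000);
UPDATE hr.salary SET amount = 6600 WHERE emp_id = 2;
DELETE hr.salary WHERE emp_id = 1;

-- Snapshot isolation so the version number and the rows read agree with each other
SET TRANSACTION ISOLATION LEVEL SNAPSHOT;
BEGIN TRAN;
-- If cleanup already discarded versions the consumer still needs, it must reload everything
IF @last_sync < CHANGE_TRACKING_MIN_VALID_VERSION(OBJECT_ID('hr.salary'))
BEGIN
    ROLLBACK;
    RAISERROR('Retained history no longer covers the last sync version: full reload required', 16, 1);
    RETURN;
END;

DECLARE @now BIGINT = CHANGE_TRACKING_CURRENT_VERSION();   -- next run's @last_sync
SELECT ct.emp_id,
       ct.SYS_CHANGE_OPERATION AS op,     -- I / U / D only: no old values, no login or host
       ct.SYS_CHANGE_VERSION,
       CHANGE_TRACKING_IS_COLUMN_IN_MASK(
           COLUMNPROPERTY(OBJECT_ID('hr.salary'), 'amount', 'ColumnId'),
           ct.SYS_CHANGE_COLUMNS) AS amount_changed,
       s.amount AS current_amount          -- NULL for deleted rows
FROM CHANGETABLE(CHANGES hr.salary, @last_sync) AS ct
LEFT JOIN hr.salary AS s ON s.emp_id = ct.emp_id
ORDER BY ct.SYS_CHANGE_VERSION;
COMMIT;
```

Row 1 was inserted and then deleted inside the same window, so CHANGETABLE reports it once, as a delete: Change Tracking keeps the latest state of each key, not the history, which is the "doesn't keep historical data" con.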
CDC
• How does it work?
– Asynchronous
– Uses log reader (like transactional replication)
– Creates schema and tables
• Performance overhead
– A lot of disk space
– More IO
CDC
• Pros
– Asynchronous
– Has the option to choose what to monitor.
– Keeps data history
– Has a cleaning mechanism
• Cons
– A lot of disk space
– More IO
– Can cause log truncation problems
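Added example, not code from the slides: enabling CDC on a hypothetical hr.salary table, reading the captured history (including the before and after images of updates) through the generated cdc.fn_cdc_get_all_changes_hr_salary function, and two checks for the disk-space and log-truncation cons. The database hr_db, the table and the cdc_reader role are assumptions; the sample changes are constructed. SQL Server Agent must be running for the capture and cleanup jobs.

```sql
-- Added example (not from the slides). Assumed: database hr_db, table hr.salary, role cdc_reader.
USE hr_db;
GO
IF SCHEMA_ID('hr') IS NULL EXEC ('CREATE SCHEMA hr');
GO
IF OBJECT_ID('hr.salary') IS NULL
CREATE TABLE hr.salary (emp_id INT PRIMARY KEY, amount DECIMAL(12,2) NOT NULL);
GO
EXEC sys.sp_cdc_enable_db;            -- creates the cdc schema, cdc user and metadata tables
GO
EXEC sys.sp_cdc_enable_table
     @source_schema = N'hr',
     @source_name   = N'salary',
     @role_name     = N'cdc_reader',   -- gating role: only its members may query the changes
     @supports_net_changes = 1;        -- needs the primary key; also creates *_get_net_changes
GO
-- Constructed sample changes; the capture job needs a moment to harvest them from the log
INSERT hr.salary VALUES (1, 5000), (2, 6000);
UPDATE hr.salary SET amount = 6600 WHERE emp_id = 2;
DELETE hr.salary WHERE emp_id = 1;
WAITFOR DELAY '00:00:10';
GO
-- Full history in commit order; capture instance name defaults to schema_table
DECLARE @from_lsn BINARY(10) = sys.fn_cdc_get_min_lsn('hr_salary');
DECLARE @to_lsn   BINARY(10) = sys.fn_cdc_get_max_lsn();
SELECT sys.fn_cdc_map_lsn_to_time(__$start_lsn) AS commit_time,
       CASE __$operation WHEN 1 THEN 'delete'
                         WHEN 2 THEN 'insert'
                         WHEN 3 THEN 'update (before)'
                         WHEN 4 THEN 'update (after)' END AS op,
       emp_id, amount
FROM cdc.fn_cdc_get_all_changes_hr_salary(@from_lsn, @to_lsn, N'all update old')
ORDER BY __$start_lsn, __$seqval, __$operation;
GO
-- Con: a stalled capture job pins the log (log_reuse_wait_desc = REPLICATION)
SELECT name, log_reuse_wait_desc FROM sys.databases WHERE name = N'hr_db';
-- Con: the change table grows with every write; shorten retention (minutes) if needed
EXEC sp_spaceused N'cdc.hr_salary_CT';
EXEC sys.sp_cdc_change_job @job_type = N'cleanup', @retention = 1440;   -- 1 day instead of 3
```

Like Change Tracking, the change table records what changed but not who changed it; the login, host and application still have to come from a DML trigger or from SQL Audit on the same table.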
Change Tracking vs. CDC comparison table (only one row survived extraction): Synchronous – Change Tracking: Yes, CDC: No
http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog
References
• Auditing in SQL Server 2008 - http://msdn.microsoft.com/en-us/library/dd392015.aspx
• SQL Server 2008 Improves Auditing, Change Tracking - http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/11nov/1108ss2iac.htm
• Tracking Changes in Your Enterprise Database by Paul S. Randal - http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog
• SQL Server 2005 Security Overview for Database Administrators - http://www.microsoft.com/sqlserver/2008/en/us/wp-sql-2008-security.aspx
• SQL Server 2005 security best practices white paper - http://www.microsoft.com/sqlserver/2005/en/us/white-papers.aspx
• SQL Server 2008 Compliance Guide - http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1021DD-65B9-41C2-8385-438028F5ACC2&displaylang=en