
7/9/2009

A Comparative Analysis of
Auditing Solutions in SQL Server
or
How The Hell Can I Tell Who's Messing With My Data

Audit
• A methodical examination or review of a
condition or situation


Compliance
• Acting according to certain accepted
standards
• Monitoring the extent of compliance with the
standards and ethical codes at either an
agency or sector level

Compliance

Compliance cycle (diagram): Assessment, Prioritization, Action plan; Policies, Training, Practices; Monitoring, Validation, Remediation


Auditing in SQL
• User actions
– Data changes
– Data reads
– Schema changes
• Security events
– Logins
– Server security activities

Audit Solutions Timeline
• 6.x – Trace, DML Triggers
• 7 – Profiler
• 2000 – C2
• 2005 – DDL triggers
• 2005 SP2 – Common criteria + logon triggers
• 2008 – SQL Audit, CDC, Change Tracking


Agenda
• Schema changes and Security Audit
– Trace
– SQL Audit
– DDL Triggers (& Login Triggers)
• Data changes Audit
– DML Triggers
– Change Tracking
– Change Data Capture (CDC)
• Third party tools
– Idera SQL Compliance Manager

SQL Trace
• Versions Available:
6.x + (Profiler since 7)
• Editions available:
All (Profiler not available in Express Edition)
• What does it audit?
User Actions
(who read, who wrote, who altered)
Most of the events we can dream of: object access and
management in any scope, security changes and
events, logins (in addition to everything required for
debugging, monitoring and performance tuning)


SQL Trace
Pros
• A one-stop mechanism to get tons of security related information.
• No objects have to be altered or created.
• Captures things that can’t be captured otherwise (DBCC,
create/alter trace, backup/restore); the only way to get these before SQL Server 2008
• Actions are ALWAYS audited (even if transaction was rolled back)

Cons
• Data changes are not collected (they can be collected with user-defined
events, but that requires triggers and is complex to work out)
• May be harder to filter and analyze for relevant events.
• The syntax is complicated, and it is harder to understand what we are
auditing (when not using Profiler).
• There is no guarantee the trace will run when the server starts; we
should take care of that ourselves (using a startup procedure or an Agent job)

SQL Trace
• How to create
– See Yaniv Etrogi’s UG 87 session in sqlserver.co.il
• How does it work?
– Based on internal trace events


SQL Trace
• Performance overhead
– Minimal (when the trace is not consumed through Profiler)
– Test with 5 events (only Profiler stood out):

http://sqlblog.com/blogs/linchi_shea/archive/2007/08/01/trace-profiler-test.aspx

SQL Trace
• Interesting events to look for (Security):
– Audit Schema Object Access
– Audit Schema Object Management
– Audit Schema Object GDR
– Audit Schema Object Take Ownership
– Audit Login Failed


SQL Trace
• Default trace
– File growth, shrink
– Mirroring state change
– Errors and warnings
– Fulltext crawl start/stop/abort
– Object create/alter/drop
– 17 audit events
– Server memory change
– 5 rollover files of 20 MB each
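Reading the default trace for exactly these object and audit events, added here as an example (it is not from the slides); it assumes nothing beyond the trace path recorded in sys.traces:

```sql
-- Added example: pull schema-change and audit events out of the default trace.
-- The default trace already runs on every instance (unless disabled), so no
-- objects need to be created; this only reads the current rollover file.
DECLARE @path nvarchar(260);
SELECT @path = [path] FROM sys.traces WHERE is_default = 1;

IF @path IS NULL
BEGIN
    RAISERROR('The default trace is disabled on this instance.', 16, 1)
END
ELSE
BEGIN
    SELECT t.StartTime,
           e.name AS EventName,          -- resolved from sys.trace_events, no hard-coded ids
           t.LoginName,
           t.HostName,
           t.ApplicationName,
           t.DatabaseName,
           t.ObjectName,
           t.TextData
    FROM sys.fn_trace_gettable(@path, DEFAULT) AS t
    JOIN sys.trace_events AS e
      ON e.trace_event_id = t.EventClass
    WHERE e.name LIKE 'Audit%'          -- the 17 audit events kept by the default trace
       OR e.name LIKE 'Object:%'        -- Object:Created / Object:Altered / Object:Deleted
    ORDER BY t.StartTime DESC
END;
```

Because sys.traces points at the newest rollover file, older rollover files in the same folder are not read by this query; with only 5 files of 20 MB, the history it covers is short, which is the reason the slides treat the default trace as a convenience rather than an audit trail.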

SQL Trace
• Blackbox trace
– 5 MB files (size and file-rollover file count can be
overridden after setup)
– Saved to default data folder
– Traces:
• RPC Starting
• Batch Starting
• Exception
• Attention (timeouts)
– No filters, no event/column configuration


C2 Audit
• Versions Available:
2000+
• Editions available:
All
• What does it audit?
Failed and successful attempts to access
statements and objects.

C2 Audit
Pros
• Simple trace to set up (one checkbox)
• Audits every action on every object within the SQL
Server instance.
• No audit – no SQL Server. SQL Shuts down if it can’t
write audit information.
Cons
• Requires instance restart to enable/disable.
• Not configurable in terms of events, columns, filters or
file size. It saves the audit trail in 200 MB files in the default
data folder (any worse choice?), which can cause disk space
problems


C2 Audit
• How to create
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO
EXEC sp_configure 'c2 audit mode', 1
RECONFIGURE
GO
-- takes effect after the instance is restarted

– or check the option in Server properties

C2 Audit
• Performance overhead
– Like SQL Trace (auditing 40 events and 45 columns
with no filters)


Common Criteria Compliance


• Versions Available:
2005 SP2 +
• Editions available:
Enterprise only
• What does it do?
Enables elements that are required for the
Common Criteria.

Common Criteria Compliance


Criteria: Residual Information Protection (RIP)
Description: Requires a memory allocation to be overwritten with a known pattern of bits before the memory is reallocated to a new resource (better security, worse performance).

Criteria: The ability to view login statistics
Description: Login auditing is enabled; information about the last successful login time, the last unsuccessful login time and the number of attempts between the last successful and current login times is made available via sys.dm_exec_sessions.

Criteria: Column GRANT should not override table DENY
Description: A table-level DENY takes precedence over a column-level GRANT (not the default behavior).


Common Criteria Compliance


• How to create
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO
EXEC sp_configure 'common criteria compliance enabled', 1
RECONFIGURE
GO
-- takes effect after the instance is restarted

– or check the option in Server properties

– Also requires running a script that finishes
configuring SQL Server to comply with Common
Criteria Evaluation Assurance Level 4+ (EAL4+)

Common Criteria Compliance


• Performance overhead
– Not tested.


SQL Audit
• Versions Available:
2008
• Editions available:
Enterprise only
• What does it audit?
Audit user actions
(who read, who wrote, who altered)
Unlike SQL Trace, SQL Audit is meant to provide
full auditing capabilities and only auditing
capabilities

SQL Audit
• How does it work?
– SQL Server Audit is a brand new audit mechanism.
– Different set of events for server scope and database
scope.
– Based on Extended Events
– Tightly bound to DBMS engine - implemented by
hooking the internal permissions checks
– Can output to
• File
• Windows Application Log
• Windows Security Log
– Can be synchronous or asynchronous (default)


SQL Audit
• Sample Event groups:
– Server scope:
• SUCCESSFUL_LOGIN_GROUP
• FAILED_LOGIN_GROUP
• LOGIN_CHANGE_PASSWORD_GROUP
• DBCC_GROUP
– Database scope:
• SCHEMA_OBJECT_CHANGE_GROUP
• DATABASE_OWNERSHIP_CHANGE_GROUP
• DATABASE_PERMISSION_CHANGE_GROUP

SQL Audit
Pros
• A one-stop mechanism to get tons of security related information.
• Captures things that can’t be captured otherwise (DBCC, create/alter
trace, backup/restore)
• Easy to set up, filter in any granularity of objects, actions and users.
• Performs even better than a trace
• Actions are ALWAYS audited (even if transaction was rolled back)
• Many options of output – can be combined with System Center
Operations Manager (formerly known as MOM)
• Can be configured to shutdown the server if fails to audit.

Cons
• Data changes are not collected
• Audit data saved to sqlaudit file or event log and not to a table.


SQL Audit
• How to create
USE master;
GO
CREATE SERVER AUDIT audit1
    TO FILE (FILEPATH = '\\srv\adt');
GO

USE hr_db;
GO
CREATE DATABASE AUDIT SPECIFICATION hr_dbspec
    FOR SERVER AUDIT audit1
    ADD (SELECT, UPDATE, INSERT, DELETE ON hr.salary BY dbo);
GO

-- and enable the audit & audit specification
ALTER SERVER AUDIT audit1 WITH (STATE = ON);
ALTER DATABASE AUDIT SPECIFICATION hr_dbspec WITH (STATE = ON);

SQL Audit
• How to read
SELECT * FROM sys.fn_get_audit_file('E:\SqlAudits\*', default, default);


SQL Audit
• Performance overhead
– Lower than Profiler!
– (Chart: Base Time, SQL Trace and SQL Audit timings over five test runs)

http://msdn.microsoft.com/en-us/library/dd392015.aspx

SQL Audit
• Tips:
– It’s disabled by default – don’t forget to enable it
after you set it up.
– Just like with DCL statements we can use database
or schema scopes. For example:
SELECT ON DATABASE::MyDB
UPDATE ON SCHEMA::HR
– Can output to application/security log
(look for event ID 33205)
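The setup from the "How to create" slide carried through to a complete, enabled audit, using the schema and object scopes from the tips above, added here as an example (not the slides' own code). It assumes SQL Server 2008 Enterprise, an existing folder E:\SqlAudits, and a database hr_db with a schema hr containing the table hr.salary:

```sql
-- Added example: server audit to a rolling file set, one server-scope and one
-- database-scope specification, enabled last, then read back with fn_get_audit_file.
USE master;
GO
CREATE SERVER AUDIT audit_hr
    TO FILE (FILEPATH = 'E:\SqlAudits\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000,          -- asynchronous: flushed within 1 second
          ON_FAILURE = SHUTDOWN);      -- "no audit, no SQL Server" (needs SHUTDOWN permission)
GO
-- Server scope: failed logins, password changes and DBCC (groups from the slides)
CREATE SERVER AUDIT SPECIFICATION audit_hr_server
    FOR SERVER AUDIT audit_hr
    ADD (FAILED_LOGIN_GROUP),
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),
    ADD (DBCC_GROUP)
    WITH (STATE = ON);
GO
USE hr_db;
GO
-- Database scope: every read of the hr schema (DCL-style SCHEMA:: scope),
-- every write to the salary table by anyone, and all schema changes in the DB
CREATE DATABASE AUDIT SPECIFICATION audit_hr_db
    FOR SERVER AUDIT audit_hr
    ADD (SELECT ON SCHEMA::hr BY public),
    ADD (UPDATE, INSERT, DELETE ON hr.salary BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- The audit object itself is created disabled: switch it on last
ALTER SERVER AUDIT audit_hr WITH (STATE = ON);
GO
-- Read back: who wrote to hr.salary, newest first, with the statement that did it.
-- action_id is UP / IN / DL for update / insert / delete (SL for select).
SELECT event_time, action_id, succeeded,
       server_principal_name, database_name, schema_name, object_name, statement
FROM sys.fn_get_audit_file('E:\SqlAudits\*', DEFAULT, DEFAULT)
WHERE object_name = 'salary'
  AND action_id IN ('UP', 'IN', 'DL')
ORDER BY event_time DESC;
```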


DDL Triggers
• Versions Available:
2005+ (logon triggers in 2005 SP2+)
• Editions available:
All
• What does it audit?
Tracks object changes at the server, database and
schema levels, plus login events

DDL Triggers
Pros
• Useful for auditing but can also be used to act on
DDL statements (e.g. ROLLBACK)
• Can have lots of logic within it (we write all the
code)
Cons
• Transaction bound (if change is done within
transaction, the audit can be rolled back as well)
• Requires code and object generation.
• The tracking table (if exists) needs to be
managed.


DDL Triggers
• How to create, prerequisites
– Logon triggers require 2005 SP2+

CREATE TRIGGER [name]
ON { DATABASE | ALL SERVER }
FOR { event_type | event_group }   -- e.g. DDL_DATABASE_LEVEL_EVENTS
AS ...

– Use the EVENTDATA() function to get information about the event
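A database-level DDL trigger that writes the parts of EVENTDATA() an auditor actually asks for (who, what, which object, which statement) into a tracking table, added here as an example and not taken from the slides. The table name dbo.ddl_log and the trigger name are assumptions:

```sql
-- Added example: audit every database-level DDL event via EVENTDATA().
CREATE TABLE dbo.ddl_log (
    id           int IDENTITY(1,1) PRIMARY KEY,
    event_time   datetime      NOT NULL DEFAULT GETDATE(),
    login_name   sysname       NOT NULL,
    event_type   nvarchar(100) NOT NULL,   -- e.g. ALTER_TABLE, DROP_PROCEDURE
    object_name  nvarchar(260) NULL,       -- schema.object when the event has one
    tsql_command nvarchar(max) NULL,       -- the statement as the user typed it
    event_xml    xml           NOT NULL    -- full payload, for anything not extracted
);
GO
CREATE TRIGGER trg_audit_ddl
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml = EVENTDATA();

    INSERT INTO dbo.ddl_log (login_name, event_type, object_name, tsql_command, event_xml)
    VALUES (
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',  'sysname'),
        @e.value('(/EVENT_INSTANCE/EventType)[1]',  'nvarchar(100)'),
        @e.value('(/EVENT_INSTANCE/SchemaName)[1]', 'nvarchar(128)') + N'.'
            + @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
        @e);

    -- The "transaction bound" con from the slides applies here: this row is part of
    -- the caller's transaction, so a ROLLBACK after the DDL removes the audit row
    -- together with the change it recorded.
END;
GO
```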

DDL Triggers
• Performance overhead
– Slightly higher than trace
– Depends on the statements inside the trigger.


DML Triggers
• Versions Available:
Any
• Editions available:
All
• What does it audit?
Audit data changes in a table + security
information.

DML Triggers
Pros
• Useful for auditing but can also be used to act on DML
statements (e.g. ROLLBACK)
• Can have lots of logic within it (we write all the code)
• Can combine security information and data changes
Cons
• Transaction bound (if the change is done within a transaction,
the audit can be rolled back as well; if the trigger fails, the
transaction is doomed)
• Requires code and object generation.
• The tracking table (if exists) needs to be managed.


DML Triggers
• How to create
CREATE TRIGGER [name] ON { table | view }
[ WITH <dml_trigger_option> ]
{ FOR | AFTER | INSTEAD OF }
{ [ INSERT ] [,] [ UPDATE ] [,] [ DELETE ] }
AS ...

– Use the deleted and inserted tables to retrieve the changed
data.
– Use built-in functions like SUSER_SNAME() to get
security information.
– Use the UPDATE(column) function to check if a
column changed, or COLUMNS_UPDATED() to check
which columns have changed.
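An AFTER UPDATE trigger that combines the three points above (inserted/deleted, SUSER_SNAME(), UPDATE(column)) into an audit trail of old and new values, added here as an example rather than code from the slides. It assumes a table hr.salary(emp_id int PRIMARY KEY, amount money) and uses an assumed tracking table dbo.salary_log:

```sql
-- Added example: before/after images of salary changes with the security context.
CREATE TABLE dbo.salary_log (
    id          int IDENTITY(1,1) PRIMARY KEY,
    changed_at  datetime NOT NULL DEFAULT GETDATE(),
    login_name  sysname  NOT NULL,   -- server login  (SUSER_SNAME())
    user_name   sysname  NOT NULL,   -- database user (USER_NAME())
    host_name   sysname  NULL,       -- client machine (HOST_NAME(), client-supplied)
    emp_id      int      NOT NULL,
    old_amount  money    NULL,
    new_amount  money    NULL
);
GO
CREATE TRIGGER trg_salary_audit
ON hr.salary
AFTER UPDATE
AS
BEGIN
    SET NOCOUNT ON;

    -- Skip updates that did not touch the sensitive column at all
    IF NOT UPDATE(amount) RETURN;

    -- inserted = after image, deleted = before image; join on the key so a
    -- multi-row UPDATE yields one audit row per employee
    INSERT INTO dbo.salary_log (login_name, user_name, host_name, emp_id, old_amount, new_amount)
    SELECT SUSER_SNAME(), USER_NAME(), HOST_NAME(),
           i.emp_id, d.amount, i.amount
    FROM inserted AS i
    JOIN deleted  AS d ON d.emp_id = i.emp_id
    WHERE ISNULL(d.amount, -1) <> ISNULL(i.amount, -1);   -- ignore no-op rewrites

    -- Same caveat as in the cons: a ROLLBACK of the caller's transaction also
    -- discards these audit rows, and an error here dooms the caller's transaction.
END;
GO
```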

DML Triggers
• Performance overhead
– Depends on the statements inside the trigger.


Change Tracking
• Versions Available:
2008
• Editions available:
All
• What does it audit?
Audits the fact that a certain row has changed
and by which action (Insert, Update or Delete):
– Which rows have changed in a user table?
– Has a row changed?

Change Tracking
• How to create, prerequisites
– Must be enabled in the database first and then on the table
– The table must have a primary key or a unique index.

• How does it work?
– Synchronous: if a problem occurs in the change tracking,
the transaction is rolled back.
– Creates internal tables with columns for the primary key
value, the action performed (insert, update, delete), an
optional updated-columns bitmap and the version of the
change.
– Versions are tracked at the database level.
– Has a retention period that cleans up the internal tables.
– Built-in functions retrieve changes and versions.
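The enable-then-read procedure described above carried through with the built-in functions, added here as an example (not code from the slides). It assumes hr_db with hr.salary(emp_id int PRIMARY KEY, amount money); the consumer's last synchronised version is a constructed value:

```sql
-- Added example: enable change tracking, then fetch the rows changed since a
-- consumer's last version, refusing to produce an incomplete delta.
ALTER DATABASE hr_db
    SET CHANGE_TRACKING = ON (CHANGE_RETENTION = 7 DAYS, AUTO_CLEANUP = ON);
GO
USE hr_db;
GO
ALTER TABLE hr.salary
    ENABLE CHANGE_TRACKING WITH (TRACK_COLUMNS_UPDATED = ON);
GO
DECLARE @last_sync bigint = 0;   -- constructed: the version the consumer stored last time
DECLARE @salary_id int = OBJECT_ID('hr.salary');

-- Retention cleanup may already have discarded versions older than the minimum
-- valid one; then the delta would silently miss changes and a full reload is due.
IF @last_sync < CHANGE_TRACKING_MIN_VALID_VERSION(@salary_id)
BEGIN
    RAISERROR('Version %I64d is older than the retention window; full resync needed.',
              16, 1, @last_sync)
END
ELSE
BEGIN
    SELECT ct.emp_id,
           ct.SYS_CHANGE_OPERATION AS op,                 -- I / U / D
           ct.SYS_CHANGE_VERSION   AS change_version,
           CHANGE_TRACKING_IS_COLUMN_IN_MASK(
               COLUMNPROPERTY(@salary_id, 'amount', 'ColumnId'),
               ct.SYS_CHANGE_COLUMNS) AS amount_changed,  -- from the updated-columns bitmap
           s.amount                                       -- current value; NULL once deleted
    FROM CHANGETABLE(CHANGES hr.salary, @last_sync) AS ct
    LEFT JOIN hr.salary AS s ON s.emp_id = ct.emp_id
    ORDER BY ct.SYS_CHANGE_VERSION
END;
-- The consumer stores CHANGE_TRACKING_CURRENT_VERSION() as its next @last_sync.
-- Note what is absent: no login, no host, no old value. Change tracking records
-- that a row changed, not who changed it or what it was before.
```

Reading CHANGE_TRACKING_CURRENT_VERSION() and the CHANGETABLE result in one snapshot-isolation transaction is what keeps the two consistent, which is the snapshot isolation recommendation (and its performance cost) from the cons.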


Change Tracking
• Performance overhead
– More IO: The incremental performance overhead
that is associated with using change tracking on a
table is similar to the overhead incurred when an
index is created for a table and needs to be
maintained.

Change Tracking
• Pros
– No need to develop complex procedures for tracking
changes
– Doesn’t take a lot of disk space
– Synchronous
– Auto cleanup tasks
• Cons
– Doesn’t keep historical data
– Doesn’t keep security information
– Usually used with snapshot isolation level, which causes
performance to drop
– Affects the system IO


Change Tracking
• Remarks
– When change tracking is enabled, there are
restrictions on the DDL that can be performed on
a table being tracked. The most notable restriction
is that the primary key cannot be altered in any
way.
– Switching a partition fails if one or both of the
tables has change tracking enabled.

Change Data Capture (CDC)


• Versions Available:
2008
• Editions available:
Enterprise Only
• What does it Audit?
Audits all the changes on all rows in a table on
specific columns.


CDC
• How does it work?
– Asynchronous
– Uses log reader (like transactional replication)
– Creates schema and tables
• Performance overhead
– A lot of disk space
– More IO
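Enabling CDC on one table for a chosen column list and reading the captured history back, added here as an example (not code from the slides). It assumes SQL Server 2008 Enterprise with SQL Agent running and hr_db containing hr.salary(emp_id int PRIMARY KEY, amount money, note nvarchar(200)):

```sql
-- Added example: asynchronous, log-reader based history of hr.salary via CDC.
USE hr_db;
GO
EXEC sys.sp_cdc_enable_db;      -- creates the cdc schema, the cdc user and metadata tables
GO
-- Capture only the columns that matter (note is left out). This also creates the
-- Agent capture and cleanup jobs; the capture instance is named hr_salary.
EXEC sys.sp_cdc_enable_table
    @source_schema        = N'hr',
    @source_name          = N'salary',
    @role_name            = N'cdc_reader',   -- members of this role may query the changes
    @captured_column_list = N'emp_id, amount',
    @supports_net_changes = 1;               -- needs the primary key
GO
-- Read the full history between the oldest and newest harvested LSNs.
-- __$operation: 1 = delete, 2 = insert, 3 = value before update, 4 = value after update
DECLARE @from binary(10) = sys.fn_cdc_get_min_lsn('hr_salary');
DECLARE @to   binary(10) = sys.fn_cdc_get_max_lsn();

SELECT sys.fn_cdc_map_lsn_to_time(__$start_lsn) AS changed_at,
       __$operation,
       emp_id,
       amount
FROM cdc.fn_cdc_get_all_changes_hr_salary(@from, @to, N'all update old')
ORDER BY __$start_lsn, __$seqval, __$operation;

-- Cons from the slides, made visible: the log cannot truncate past records the
-- capture job has not harvested yet. If the job stops, log_reuse_wait_desc in
-- sys.databases shows REPLICATION and the log file keeps growing.
SELECT name, log_reuse_wait_desc FROM sys.databases WHERE name = 'hr_db';
```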

CDC
• Pros
– Asynchronous
– Has the option to choose what to monitor.
– Keeps data history
– Has a cleaning mechanism
• Cons
– A lot of disk space
– More IO
– Can cause log truncation problem


CDC vs. Change Tracking


Feature | Change Tracking | Change Data Capture
Synchronous | Yes | No
Requires SQL Agent | No | Yes
Forces full logging of some bulk operations | No | Yes
Prevents log truncation | No | Yes, until log records are harvested
Requires snapshot isolation | Recommended | No
Requires separate tables to store tracking data | Yes | Yes
Allows placement of tracking tables | No | Yes
Potential for space consumption issues | Some | Lots
Automatic cleanup process | Yes | Yes
Restrictions on DDL | Yes | No

http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog

Audit Tools in SQL - Summary


Name | What does it audit? | How? | Uses | Performance | Versions / Editions
SQL Trace | All actions but data | Server trace technology, not sync | Security, actions, debug, performance | Low overhead | 6.x+
DML triggers | Data changes | Triggers, sync | Data changes (audit trail) | Can cause performance problems | All
Change Tracking | Data changes | Built-in mechanism, sync | Sync DB | Like maintaining another NCIX | 2008
CDC | Data changes and history | Log reader, async | Load DWH, audit trail | A lot of disk space, more IO | 2008 Ent
DDL triggers | Schema changes | Internal events mechanism, sync | Track schema changes, change management and more | Depends on the code within the trigger | 2005
SQL Audit | All user actions | Based on Extended Events, sync and async | Audit security actions | Very low | 2008 Ent


Audit Tools in SQL - Summary


• What about…
– Archive and retention of audit data
– Reporting
– Alerting
– Threshold definition (alert only after 10 failed
logins in 5 minutes)
– Aggregations
– Audit the auditor

Idera Compliance Manager


• Examples


References
• Auditing in SQL Server 2008 - http://msdn.microsoft.com/en-us/library/dd392015.aspx
• SQL Server 2008 Improves Auditing, Change Tracking - http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/11nov/1108ss2iac.htm
• Tracking Changes in Your Enterprise Database by Paul S. Randal - http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog
• SQL Server 2005 Security Overview for Database Administrators - http://www.microsoft.com/sqlserver/2008/en/us/wp-sql-2008-security.aspx
• SQL Server 2005 security best practices white paper - http://www.microsoft.com/sqlserver/2005/en/us/white-papers.aspx
• SQL Server 2008 Compliance Guide - http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1021DD-65B9-41C2-8385-438028F5ACC2&displaylang=en

