Auditing Data Access in SQL Server


Transcript of Auditing Data Access in SQL Server

Page 1: Auditing Data Access in SQL Server
Page 2: Auditing Data Access in SQL Server
Page 3: Auditing Data Access in SQL Server

Auditing Data Access in SQL Server

29th SQL Night - Oct 1st, 2016

Page 4: Auditing Data Access in SQL Server

Presenter Info

1982 I started working with computers

1988 I started my professional career in the computer industry.

1996 I started working with SQL Server 6.0

1998 I earned my first certification at Microsoft as Microsoft Certified Solution Developer (3rd in Greece)

I started my career as Microsoft Certified Trainer (MCT) with more than 25.000 hours of training until now!

2010 I became Microsoft MVP on SQL Server for the first time

I created the SQL School Greece www.sqlschool.gr

2012 I became MCT Regional Lead by Microsoft Learning Program.

2013 I was certified as MCSE : Data Platform & Business Intelligence

Antonios Chatzipavlis

Database Architect, SQL Server Evangelist

MCT, MCSE, MCITP, MCPD, MCSD, MCDBA, MCSA, MCTS, MCAD, MCP, OCA, ITIL-F

Page 5: Auditing Data Access in SQL Server

Follow us in social media

@antoniosch / @sqlschool

fb/sqlschoolgr

yt/c/SqlschoolGr

SQL School Greece group

Page 6: Auditing Data Access in SQL Server

Help needed?

[email protected]

Page 7: Auditing Data Access in SQL Server

Community News

Page 8: Auditing Data Access in SQL Server

Join and Learn

Page 9: Auditing Data Access in SQL Server

Stay Involved

Sign up for a free membership today at sqlpass.org.

Linked In: http://www.sqlpass.org/linkedin

Facebook: http://www.sqlpass.org/facebook

Twitter: @SQLPASS

PASS: http://www.sqlpass.org

Page 10: Auditing Data Access in SQL Server

Presentation Content

Auditing Data Access, why?

Use Common Criteria for auditing

Use SQL Trace for auditing

Use DML Triggers for auditing

Use Temporal tables for auditing

Implementing SQL Server Audit

Managing SQL Server Audit

Page 11: Auditing Data Access in SQL Server

Auditing Data Access, why?

Page 12: Auditing Data Access in SQL Server

Why is auditing required?

What methods have you used for auditing?

What are the limitations of the methods you have used?

Which standards that require auditing does your organization need to comply with?

Audit Data Access, why?

Questions

Page 13: Auditing Data Access in SQL Server

Use Common Criteria for auditing

Page 14: Auditing Data Access in SQL Server

Ratified as an international standard by more than 20 nations in 1999.

Supersedes C2 rating

ISO standard 15408

Common Criteria Auditing

Common Criteria Compliance

Page 15: Auditing Data Access in SQL Server

Common Criteria compliance enabled option

Available in Enterprise Edition

An additional script must be run to comply with Common Criteria Evaluation Assurance Level 4+ (EAL4+)

Use Common Criteria for auditing

SQL Server and Common Criteria Compliance

Page 16: Auditing Data Access in SQL Server

Use SQL Trace for auditing

Page 17: Auditing Data Access in SQL Server

Is used to trace commands sent to the server

Can be heavy on resources

Is run interactively

Can trace command executions

Marked for deprecation in a future version of SQL Server

Use SQL Trace for auditing

SQL Server Profiler

Page 18: Auditing Data Access in SQL Server

Event-driven monitoring tool

Configured through system stored procedures

Can be configured to capture user activity

Marked for deprecation in a future version of SQL Server

Use SQL Trace for auditing

SQL Trace

Page 19: Auditing Data Access in SQL Server

Use DML Triggers for auditing

Page 20: Auditing Data Access in SQL Server

DML triggers for data modification

Logon triggers for tracking logons

DDL triggers for schema modification

Use DML Triggers for auditing

Triggers can provide part of an auditing solution

Page 21: Auditing Data Access in SQL Server

Performance impact

Ability to disable triggers

Lack of SELECT triggers

Trigger nesting issues

Complexities around trigger firing orders

Use DML Triggers for auditing

Limitations

Page 22: Auditing Data Access in SQL Server

Use Temporal tables for auditing

Page 23: Auditing Data Access in SQL Server

The Database Engine automatically records the valid from/to dates of records in the database as they are changed

Configured as part of the table definition; no additional code required

Is a SQL Server 2016 feature

Use Temporal tables for auditing

Auditing with Temporal Tables

Page 24: Auditing Data Access in SQL Server

Cannot audit SELECT statements

INSERT, UPDATE and DELETE statements are all audited in the same way

History table will be in the same database

User tracking requires adding a column to the table to hold SUSER_SNAME

Use Temporal tables for auditing

Limitations
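
A temporal table with the user-tracking column described above, as an added T-SQL example that is not part of the original presentation. The table, column and constraint names are hypothetical.

```sql
-- Added example: all object names are hypothetical.
CREATE TABLE dbo.Salary
(
    EmployeeID  int           NOT NULL PRIMARY KEY CLUSTERED,
    Amount      decimal(10,2) NOT NULL,
    -- Extra column for user tracking: system versioning records WHEN a row
    -- version was valid, not WHO changed it.
    ModifiedBy  sysname       NOT NULL
        CONSTRAINT DF_Salary_ModifiedBy DEFAULT (SUSER_SNAME()),
    ValidFrom   datetime2 GENERATED ALWAYS AS ROW START NOT NULL,
    ValidTo     datetime2 GENERATED ALWAYS AS ROW END   NOT NULL,
    PERIOD FOR SYSTEM_TIME (ValidFrom, ValidTo)
)
WITH (SYSTEM_VERSIONING = ON (HISTORY_TABLE = dbo.SalaryHistory));
GO

INSERT INTO dbo.Salary (EmployeeID, Amount) VALUES (1, 1000.00);

-- The DEFAULT only fires on INSERT. Every UPDATE has to set the column
-- itself (or a trigger has to), otherwise the previous login name is
-- carried forward into the new row version.
UPDATE dbo.Salary
SET    Amount = 1200.00,
       ModifiedBy = SUSER_SNAME()
WHERE  EmployeeID = 1;

-- A DELETE only closes ValidTo on the last row version. ModifiedBy still
-- names whoever made the previous change, so the deleting login is not
-- captured by this design.
DELETE FROM dbo.Salary WHERE EmployeeID = 1;
GO

-- All row versions (current and history), oldest first.
SELECT EmployeeID, Amount, ModifiedBy, ValidFrom, ValidTo
FROM   dbo.Salary FOR SYSTEM_TIME ALL
WHERE  EmployeeID = 1
ORDER  BY ValidFrom;
```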

Page 25: Auditing Data Access in SQL Server

Implementing SQL Server Audit

Page 26: Auditing Data Access in SQL Server

SQL Server Audit is the primary auditing tool in SQL Server

Tracks server and database level events on a SQL Server instance

All editions of SQL Server support server level auditing

Database level auditing is available on Enterprise, Developer and Evaluation editions

Based on an event-driven monitoring engine called Extended Events

Implementing SQL Server Audit

Overview

Page 27: Auditing Data Access in SQL Server

Server Audit

Server Audit Specification

Database Audit Specification

Actions

Action Groups

Target

Implementing SQL Server Audit

Terminology

Page 28: Auditing Data Access in SQL Server

Defines where and how audited events are logged

Each server audit specifies:

Target

Queue delay

Action on failure

Server Audit

Definition

Page 29: Auditing Data Access in SQL Server

Server level

Database Level

Audit level

http://aka.ms/bak8rw

Audit Actions and Action Groups

Actions and action groups are linked to an audit with an audit specification

Page 30: Auditing Data Access in SQL Server

Audit

Action groups to be included

State

Server Audit Specifications

Specify

Page 31: Auditing Data Access in SQL Server

Audit

Action Group

Actions on specific securable object

Can be filtered by specific database principals

State

Database Audit Specifications

Specify
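
The server audit, server audit specification and database audit specification from the preceding slides, created end to end. This is an added T-SQL example, not part of the original presentation; the audit and specification names, the SalesDB database and the dbo.Customers table are hypothetical.

```sql
-- Added example: all object names are hypothetical.
USE master;
GO
-- Server audit: defines the target, the queue delay and the action on failure.
CREATE SERVER AUDIT Audit_DataAccess
TO FILE (FILEPATH = N'X:\AuditFiles\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000,      -- ms that events may be buffered before writing
      ON_FAILURE  = CONTINUE); -- alternatives: SHUTDOWN, FAIL_OPERATION
GO
ALTER SERVER AUDIT Audit_DataAccess WITH (STATE = ON);
GO

-- Server audit specification: server-level action groups only.
CREATE SERVER AUDIT SPECIFICATION AuditSpec_Server
FOR SERVER AUDIT Audit_DataAccess
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)   -- records changes to audits and specifications
WITH (STATE = ON);
GO

USE SalesDB;
GO
-- Database audit specification: action groups plus individual actions on a
-- securable, filtered by database principal (public = every user).
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_SalesDB
FOR SERVER AUDIT Audit_DataAccess
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- Confirm the audit is running and where it writes.
SELECT name, status_desc, audit_file_path
FROM   sys.dm_server_audit_status;

-- Confirm which actions each database specification captures.
SELECT s.name AS specification, d.audit_action_name,
       d.class_desc, d.major_id, d.audited_principal_id
FROM   sys.database_audit_specifications AS s
JOIN   sys.database_audit_specification_details AS d
       ON d.database_specification_id = s.database_specification_id;
```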

Page 32: Auditing Data Access in SQL Server

sys.dm_audit_actions

sys.dm_audit_class_type_map

sys.dm_server_audit_status

Audit-Related DMVs and System Views

Audit DMVs

Page 33: Auditing Data Access in SQL Server

sys.server_audits

sys.server_file_audits

sys.server_audit_specifications

sys.server_audit_specification_details

sys.database_audit_specifications

sys.database_audit_specification_details

Audit-Related DMVs and System Views

Audit System Views

Page 34: Auditing Data Access in SQL Server

Only database events may be audited

Plain SQL

Parameterized SQL

Stored Procedures

Login

Transaction Management

Audit logs are written to Store Tables

Auditing in Azure SQL Database

Configured through Azure Portal or Azure PowerShell

Page 35: Auditing Data Access in SQL Server

They cannot be used to audit business logic

Add USER_DEFINED_AUDIT_GROUP to audit specification

Call sp_audit_write stored procedure from T-SQL code

EXEC sp_audit_write
    @user_defined_event_id = 12,
    @succeeded = 1,
    @user_defined_information = N'User defined message';

Custom Audit Events

Allows you to create custom audit entries

Page 36: Auditing Data Access in SQL Server

Managing SQL Server Audit

Page 37: Auditing Data Access in SQL Server

Windows Event Log Target

Event Viewer

Binary File Target

sys.fn_get_audit_file

Retrieving Audit Data

The method to retrieve audit data depends on the target that is specified in the audit definition

Page 38: Auditing Data Access in SQL Server

This function takes three parameters:

the file pattern,

<path>\*

<path>\<audit name>_{GUID}

<path>\<file name>

the initial file name,

and the audit record offset

SELECT * FROM sys.fn_get_audit_file('X:\AuditFiles\*',default,default);

Binary File Targets

Audit files created by SQL Server Audit can be opened with the sys.fn_get_audit_file system table-valued function

Page 39: Auditing Data Access in SQL Server

Because of this requirement, the record format is limited in size by the rules related to Windows event logging systems.

Character fields will be split into 4,000-character chunks that may be spread across a number of entries.

This means that a single event can generate multiple audit entries and a sequence_number column is provided to indicate the order of multiple row entries.

Large Audit Records

The audit records produced by SQL Server Audit must be formatted to fit in system event logs, and in files

Page 40: Auditing Data Access in SQL Server

You must disable audits and audit specifications before you drop them, or make any other changes to configuration.

Enabling and Disabling Auditing

Change the STATE property to ON or OFF
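
The management steps from the last few slides in one script: changing an audit by toggling STATE, then reading the binary file target in sequence_number order. This is an added T-SQL example, not part of the original presentation; it assumes a file-target server audit with the hypothetical name Audit_DataAccess already writes to X:\AuditFiles\ and that a specification including USER_DEFINED_AUDIT_GROUP is enabled.

```sql
-- Added example: the audit name Audit_DataAccess is hypothetical.
USE master;
GO
-- An audit has to be OFF before its configuration can change. Nothing is
-- captured while it is off, so keep the window short.
ALTER SERVER AUDIT Audit_DataAccess WITH (STATE = OFF);
ALTER SERVER AUDIT Audit_DataAccess WITH (QUEUE_DELAY = 5000);
ALTER SERVER AUDIT Audit_DataAccess WITH (STATE = ON);
GO

-- Write a custom entry with the same values as the call on the
-- Custom Audit Events slide.
EXEC sp_audit_write
    @user_defined_event_id    = 12,
    @succeeded                = 1,
    @user_defined_information = N'User defined message';
GO

-- Read every file of the audit. Long character fields are split into
-- chunks across several rows, so order by sequence_number within an
-- event to read the pieces in the order they were written.
SELECT event_time,
       sequence_number,
       action_id,
       succeeded,
       session_id,
       server_principal_name,
       database_name,
       object_name,
       statement
FROM   sys.fn_get_audit_file(N'X:\AuditFiles\*', DEFAULT, DEFAULT)
ORDER  BY event_time, sequence_number;

-- Only the custom entries written through sp_audit_write.
SELECT event_time, server_principal_name,
       user_defined_event_id, user_defined_information
FROM   sys.fn_get_audit_file(N'X:\AuditFiles\*', DEFAULT, DEFAULT)
WHERE  user_defined_event_id = 12
ORDER  BY event_time;
```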

Page 41: Auditing Data Access in SQL Server

Audit GUID in restore scenarios

Audit GUID in mirroring scenarios

Performance impact of audit writes

If audit configuration prevents the instance from starting, use the -f switch

If a database is restored to an instance that does not support database audits, the audit is ignored

Considerations for SQL Server Audit

There are several potential issues to consider with SQL Server audit

Page 42: Auditing Data Access in SQL Server

Implementing SQL Server Audit

Page 43: Auditing Data Access in SQL Server
Page 44: Auditing Data Access in SQL Server
Page 45: Auditing Data Access in SQL Server

SELECT KNOWLEDGE FROM SQL SERVER

Copyright © 2016 SQLschool.gr. All rights reserved. PRESENTER MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION