1 A Walk Around the SQL Server 2012 Audit Feature Timothy P. McAliley Microsoft Premier Field Engineer SQL Server
2 Speaker Introduction: Timothy P. McAliley 14+ years in IT Currently work for Microsoft Premier Field Engineer SQL Server, Washington, DC. Previously Worked for: Symantec Football Fanatics (Jacksonville, FL) (High Volume e-commerce) ASM Research, Inc. (Fairfax, VA) (Defense Contractor) MCSA: SQL Server 2012, Windows Server 2012 MCSE: Data Platform, Server Infrastructure
3 Objective and Scope of this Presentation Overview of SQL Server 2012 Server and Database Auditing Demonstration of SQL Server Audit Configuration
4 Whom Would Hopefully Find This Most Useful Working in a an environment where auditing is a requirement Researching options for audit solutions Looking a for an overview to help get you started on trying the SQL Server Audit feature
5 Agenda Introduction to SQL Server Audit Configuring SQL Server Audit Audit Actions and Action Groups Defining Audit Targets Creating Audits Creating Server Audit Specifications Creating Database Audit Specifications Audit-related DMVs and System Views Demonstration Using SQL Server Audit Other Issues and Considerations Resources for More Information
6 Introduction to SQL Server Audit
7 Introduction to SQL Server Audit SQL Server Audit compared/in relation to Change Data Capture DML/DDL Audit Triggers C2 Auditing SQL Trace
8 Introduction to SQL Server Audit SQL Server Audit - A note on Performance Impact % increase in memory utilization % increase disk i/o % increase in cpu What is the Impact of Auditing? It Depends Synchronous /Asynchronous Scope of Audit Specifications Best Practice Test in Non-Production Environment Initiate/Sample with a Narrow Scope
9 Introduction to SQL Server Audit SQL Server Audit First introduced in SQL Server 2008 Event tracking and logging system based on Extended Events Full operation in Enterprise edition of SQL Server 2014 Fine-grained auditing (Database level) Basic auditing in other editions of SQL Server 2014 (Server level) Comprised of: Audits Server and Database Audit Specifications Actions and Action Groups Targets
10 Introduction to SQL Server Audit Improved Resilience On Audit Shut Down Server On Audit Log Failure: Continue On Audit Log Failure: Fail Operation Custom User Events sp_audit_write Ability to Determine T-SQL Method Used
11 Introduction to SQL Server Audit Leveraged by Extended Events - Is a lightweight operating system level eventing engine for servers outside of the SQL Engine Is designed to be able to process any type of event (auditable events) Can be integrated with Event Tracing for Windows (ETW) Extended Event Engine SQL Engine
12 Configuring SQL Server Audit
13 Configuring SQL Server Audit Configuring SQL Server Audit is a process: Create an audit and define the target Create an audit specification (server or database) Enable the audit and the audit specification Read the output events
14 Configuring SQL Server Audit Create Server Audit Configure Server or Database Audit Specification Enable Audit Specification Monitor and Review
15 Audit Actions and Action Groups
16 Audit Actions and Action Groups Audit actions are additional tasks that can be performed when events occur. Action groups are predefined sets of events that can be used instead of defining individual events. Categories of actions Server Database Audit Server audit state changes are always audited Action Groups Large number of predefined action groups for each audit category are provided Simplify setup and management of audits
17 Defining Audit Targets
18 Defining Audit Targets Results of an audit are sent to a target File 1 MB Minimum 2,147,483,647 TB Max Size or Disk Capacity if Unlimited is Configured Windows Application Event Log Windows Security Event Log Results must be reviewed and archived periodically Security of audit targets Be cautious with application log as any authenticated user can read it Writing to security event log requires the SQL Server service account to be added to "Generate Security Audits" policy
19 Creating Audits
20 Creating Audits Create Server Audit Configure Server or Database Audit Specification Enable Audit Specification Monitor and Review
21 Creating Audits Configuration Audit name Queue delay (in milliseconds) 0 = Synchronous On Audit Log Failure Audit destination Maximum rollover files Maximum file size (MB/GB/TB) Reserve disk space Maximum files Comment Name for the audit Amount in time before audit actions must be processed Continue Shut Down Server Fail Operation Audit Target; File or Event Log Maximum number of files to retain (only for files) Maximum size of each audit file Indicates whether disk space for the audit files should be reserved in advance Caps the number of audit files
22 Creating Audits Queue Delay - A bit more on configurations specifics: Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be processed. A value of 0 indicates synchronous delivery. The default minimum value is 1000 (1 second). The maximum is 2,147,483,647 (2,147, seconds or 24 days, 20 hours, 31 minutes, seconds).
23 Creating Audits On Audit Log Failure - Continue - A bit more on configurations specifics: SQL Server operations continue. Audit records are not retained. The audit continues to attempt to log events and will resume if the failure condition is resolved. Selecting the Continue option can allow unaudited activity which could violate your security policies. Select this option when continuing operation of the Database Engine is more important than maintaining a complete audit. This is the default selection.
24 Creating Audits On Audit Log Failure Shut Down Server - A bit more on configurations specifics: Forces a server shut down when the server instance writing to the target cannot write data to the audit target. The login issuing this must have the SHUTDOWN permission. If the logon does not have this permission, this function will fail and an error message will be raised. No audited events occur. Select this option when an audit failure could compromise the security or integrity of the system
25 Creating Audits On Audit Log Failure Fail Operation- A bit more on configurations specifics: In cases where the SQL Server Audit cannot write to the audit log this option causes database actions to fail if they would otherwise cause audited events. No audited events occur. Actions which do not cause audited events can continue. The audit continues to attempt to log events and will resume if the failure condition is resolved. Select this option when maintaining a complete audit is more important than full access to the Database Engine.
26 Creating Audits Audit File Maximum Limit -A bit more on configurations specifics: Maximum rollover files Specifies that, when the maximum number of audit files is reached, the oldest audit files are overwritten by new file content. Maximum files Specifies that, when the maximum number of audit files is reached, any action that causes additional audit events to be generated will fail with an error. Unlimited check box When the Unlimited check box under Maximum rollover files is selected, there is no limit imposed on the number of audit files that will be created. The Unlimited check box is selected by default and applies to both the Maximum rollover files and Maximum files selections. Number of files box Specifies the number of audit files to be created, up to 2,147,483,647. This option is only available if Unlimited is unchecked.
27 Creating Audits Maximum File Size -A bit more on configurations specifics: Specifies the maximum size for an audit file in either megabytes (MB), gigabytes (GB), or terabytes (TB). You can specify between 1024 MB and 2,147,483,647 TB. Selecting the Unlimited check box does not place a limit on the size of the file. Specifying a value lower than 1024 MB will fail, returning an error. The Unlimited check box is selected by default.
28 Creating Audits Reserve Disk Space - A bit more on configurations specifics: Specifies that space is pre-allocated on the disk equal to the specified maximum file size. This setting can only be used if the Unlimited check box under Maximum file size is not selected. This check box is not selected by default.
29 Creating Server Audit Specifications
30 Creating Server Audit Specifications Create Server Audit Configure Server Audit Specification Enable Audit Specification Monitor and Review
31 Creating Server Audit Specifications Define the actions that should be audited and the Audit that the results should be sent to Can be configured in GUI or T-SQL CREATE SERVER AUDIT SPECIFICATION FailedLoginSpec FOR SERVER AUDIT Audit ADD (FAILED_LOGIN_GROUP);
32 Creating Server Audit Specifications Choose a server audit if you want to monitor the following: Actions that impact the entire server Actions that monitor changes across all databases Actions that monitor changes to schemas to all databases Server Audit Specifications reside in Master DB
33 Creating Database Audit Specifications
34 Creating Server Audit Specifications Create Server Audit Configure Database Audit Specification Enable Audit Specification Monitor and Review
35 Creating Database Audit Specifications Define the actions that should be audited and the Audit that the results should be sent to Can be configured in GUI or T-SQL CREATE DATABASE AUDIT SPECIFICATION BackupRestoreSpec FOR SERVER AUDIT Audit ADD (BACKUP_RESTORE_GROUP);
36 Creating Database Audit Specifications Choose database audit specifications if you want to monitor: Actions specific to a database, object, or schema Specific actions of a principal within a database Specific actions (SELECT, DELETE, UPDATE, and other Data Manipulation Language [DML] statements) within a database Database Audit Specifications Reside in Audited Database
37 Audit-related DMVs and System Views
38 Audit-related DMVs and System Views SQL Server provides a set of DMVs and system views for managing SQL Server Audit Audit-related DMVs sys.dm_server_audit_status sys.dm_audit_actions sys.dm_audit_class_type_map Audit-related System Views sys.server_audits sys.server_file_audits sys.server_audit_specifications sys.server_audit_specification_details sys.database_audit_specifications sys.database_audit_specification_details
39 Demonstration Using SQL Server Audit
40 Demonstration Using SQL Server Audit In this demonstration you will see how to: Create a SQL Server Audit and define its target Create and enable a database audit specification Create an auditable event and view the event in the Windows Event Viewer View the results of a file-based audit
41 Demonstration Using SQL Server Audit Create Server Audit Configure Server or Database Audit Specification Enable Audit Specification Monitor and Review
42 Other Issues and Considerations Audit Volume Auditing and Encryption Features, including auditing, behave the same with or without Transparent Data Encryption (TDE) Multi-Server Auditing with System Center Operations Manager, Audit Collection Services (ACS) Integration with 3 rd Party Auditing Tools Enforce with SQL Server Policy Management
43 Other Issues and Considerations Attaching Attaching a database that has an audit specification and specifies a GUID that does not exist on the server will cause an orphaned audit specification. Because an audit with a matching GUID does not exist on the server instance, no audit events will be recorded. To correct this situation, use the ALTER DATABASE AUDIT SPECIFICATION command to connect the orphaned audit specification to an existing server audit. Or, use the CREATE SERVER AUDIT command to create a new server audit with the specified GUID. You can attach a database that has an audit specification defined on it to another edition of SQL Server that does not support SQL Server audit, such as SQL Server Express but it will not record audit events.
44 Other Issues and Considerations Mirroring/AG A database that has a database audit specification defined and that uses database mirroring will include the database audit specification. To work correctly on the mirrored SQL instance, the following items must be configured: The mirror server must have an audit with the same GUID to enable the database audit specification to write audit records. This can be configured by using the command CREATE AUDIT WITH GUID= <GUID from source Server Audit>. For binary file targets, the mirror server service account must have appropriate permissions to the location where the audit trail is being written. For Windows event log targets, the security policy on the computer where the mirror server is located must allow for service account access to the security or application event log.
45 Other Issues and Considerations Permissions - Any authenticated user can read records sent to the Windows Application Log Writing to the Windows Security log requires the SQL Server service account to be added to the Generate security audits policy Access to Files For Auditors
46 Other Issues and Considerations Permissions - To Create/Alter/Drop Server Audit: the ALTER ANY SERVER AUDIT or the CONTROL SERVER To Creat/Alter/Drop Database Audit: ALTER ANY DATABASE AUDIT permission or the ALTER or CONTROL permission on the database To View Catalogs (one of the following): Membership in the sysadmin fixed server role. The CONTROL SERVER permission. The VIEW SERVER STATE permission. The ALTER ANY AUDIT permission. The VIEW AUDIT STATE permission (gives only the principal access to the sys.server_audits catalog view). To Use DMVs: VIEW SERVER STATE or ALTER ANY AUDIT
47 Resources for More Information
48 Resources for More Information SQL Server Common Criteria Site: Introducing SQL Server Extended Events Understanding SQL Server Audit SQL Server Audit Action Groups and Actions SQL Server Audit (Database Engine)
49 SQL Server 2012 Certifications Microsoft Certified Solutions Associate (MCSA) for SQL Server 2012 Microsoft Certified Solutions Expert: Data Platform Microsoft Certified Solutions Expert: Business Intelligence
50 Summary Introduction to SQL Server Audit Configuring SQL Server Audit Audit Actions and Action Groups Defining Audit Targets Creating Audits Creating Server Audit Specifications Creating Database Audit Specifications Audit-related DMVs and System Views Demonstration Using SQL Server Audit Other Issues and Considerations Resources for More Information
51 MCSA SQL Server 2012 MCSA: SQL Server : Querying Microsoft SQL Server : Administering Microsoft SQL Server 2012 Databases 10777: Implementing a Data Warehouse with Microsoft SQL Server 2012 MCSA: SQL Server 2012 Exam (10774) Exam (10775) Exam (10777) Querying Microsoft SQL Server 2012 Administering Microsoft SQL Server 2012 Databases Implementing a Data Warehouse with Microsoft SQL Server 2012 Course Outline for MCSA: SQL Server
52 MCSE Data Platform Course Outline for MCSE: Data Platform
53 MCSE Business Intelligence Course Outline for MCSE: Business Intelligence
54 Q & A NETCOM ( )