Auditing In SQL Server SQL Saturday #486 - RVA Presented By Brad McKuhen
Thank You Sponsors
About Me SQL Server DBA/Developer 13 years Lead DBA at Clutch Group Contact Me: Info at lakesidedba.com @bradmckuhen http://www.lakesidedba.com
"All it takes is one bad day to reduce the sanest man alive to lunacy...just one bad day."
From the top... Built In Logs C2 Common Criteria Compliance Default Trace Server Settings ExEv Server Audit Database Audit CDC TempDB Ransack WinMerge
Rotate Your Logs USE msdb ; -- agent log cycling must be run from MSDB EXEC dbo.sp_cycle_agent_errorlog ; -- both log cycling SP's are SYSADMIN role only EXEC sp_cycle_errorlog ; Image Credit: http://d2rormqr1qwzpz.cloudfront.net/photos/2013/02/01/44394-owl_head.jpg
Audit Using Your Logs
C2 - Setup From MSDN: Selecting this option will configure the server to record both failed and successful attempts to access statements and objects. -- turn it on sp_configure 'show advanced options', 1 ; RECONFIGURE WITH OVERRIDE ; sp_configure 'c2 audit mode', 1 ; RECONFIGURE WITH OVERRIDE ; All of them. Be very careful about using this. -- turn it off sp_configure 'c2 audit mode', 0 ; RECONFIGURE WITH OVERRIDE ; sp_configure 'show advanced options', 0 ; RECONFIGURE WITH OVERRIDE; A restart is required to implement this.
C2 - Results
C3 Common Criteria Compliance https://s-media-cache-ak0.pinimg.com/736x/b5/62/9a/b5629a9fc8a2de88160841a53384354f.jpg
C3 - Setup Criteria Residual Information Protection (RIP) The ability to view login statistics Description RIP requires a memory allocation to be overwritten with a known pattern of bits before memory is reallocated... Each time a user successfully logs in to SQL Server, information about the last successful login time, the last unsuccessful login time, and the number of attempts... is made available... query the sys.dm_exec_sessions DMV That column GRANT should not override table DENY After the common criteria compliance enabled option is enabled, a table-level DENY takes precedence over a column-level GRANT. When the option is not enabled, a column-level GRANT takes precedence over a table-level DENY. Important In addition to enabling the common criteria compliance enabled option, you also must download and run a script that finishes configuring SQL Server to comply with Common Criteria Evaluation Assurance Level 4+ (EAL4+). You can download this script from the Microsoft SQL Server Common Criteria Web site. https://msdn.microsoft.com/en-us/library/bb326650.aspx
C3 Common Criteria Compliance, Query
C3 Common Criteria Compliance, Results Tons More Information In This DMV Than We Can Cover
Default Trace - Setup SELECT * FROM sys.configurations WHERE configuration_id = 1568
Default Trace Get Results
Built In Logs C2 Common Criteria Compliance Default Trace Server Settings ExEv Server Audit Database Audit CDC TempDB Ransack WinMerge
Server Options - Setup
Extended Events - Setup CREATE EVENT SESSION [Get All Statements] ON SERVER ADD EVENT sqlserver.rpc_completed (ACTION(sqlos.task_time, sqlserver.database_id, sqlserver.database_name, sqlserver.is_system, sqlserver.nt_username, sqlserver.session_id, sqlserver.sql_text, sqlserver.username) WHERE ([sqlserver].[is_system] = (0))), ADD EVENT sqlserver.sql_batch_completed (ACTION(sqlos.task_time, sqlserver.database_id, sqlserver.database_name, sqlserver.is_system, sqlserver.nt_username, sqlserver.session_id, sqlserver.sql_text, sqlserver.username) WHERE ([sqlserver].[is_system] = (0))), ADD EVENT sqlserver.sql_statement_completed (ACTION(sqlos.task_time, sqlserver.database_id, sqlserver.database_name, sqlserver.is_system, sqlserver.nt_username, sqlserver.session_id, sqlserver.sql_text, sqlserver.username) WHERE ([sqlserver].[is_system] = (0))) ADD TARGET package0.event_file (SET filename = N'C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log\Get All Statements.xel') WITH (STARTUP_STATE = ON) ALTER EVENT SESSION [Get All Statements] ON SERVER STATE = START;
Extended Events - Results One way, quite manual: SELECT CAST(event_data AS XML) event_data, * FROM sys.fn_xe_file_target_read_file ('C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log\Get All Statements*.xel', NULL, NULL, NULL) Courtesy of https://www.brentozar.c om/archive/2014/03/ex tended-events-doesnthard/
Extended Events - Results
Extended Events - Results
Server Audit - Setup CREATE SERVER AUDIT [AuditForDemo] TO FILE (FILEPATH = 'C:\TEMP', MAXSIZE = 1 GB, MAX_ROLLOVER_FILES = 2, RESERVE_DISK_SPACE = OFF) WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE); CREATE SERVER AUDIT SPECIFICATION [ServerAuditSpecificationForDemo] FOR SERVER AUDIT [AuditForDemo] ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP), ADD (AUDIT_CHANGE_GROUP), ADD (BACKUP_RESTORE_GROUP), ADD (BROKER_LOGIN_GROUP); -- START THEM ALTER SERVER AUDIT [AuditForDemo] WITH (STATE = ON); ALTER SERVER AUDIT SPECIFICATION [ServerAuditSpecificationForDemo] WITH (STATE = ON);
DDL Tracked The Table CREATE DATABASE AuditSampleDB; --EXEC AuditSampleDB.dbo.sp_changedbowner 'contoso\ironman'; EXEC AuditSampleDB.dbo.sp_changedbowner 'sa'; USE AuditSampleDB; CREATE TABLE dbo.ddlevents (EventDate DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, EventType NVARCHAR(64), EventDDL NVARCHAR(MAX), EventXML XML, DatabaseName NVARCHAR(255), SchemaName NVARCHAR(255), ObjectName NVARCHAR(255), [ObjectID] INT, HostName VARCHAR(64), IPAddress VARCHAR(32), ProgramName NVARCHAR(255), LoginName NVARCHAR(255));
DDL Tracked The Trigger CREATE TRIGGER ddl_trig_alter_db ON ALL SERVER FOR ALTER_DATABASE, CREATE_DATABASE, DROP_DATABASE AS BEGIN DECLARE @WhatHappened XML; SELECT @WhatHappened = EVENTDATA(); DECLARE @ip VARCHAR(32) = (SELECT client_net_address FROM sys.dm_exec_connections WHERE session_id = @@SPID); INSERT AuditSampleDB.dbo.DDLEvents (EventType, EventDDL, EventXML, DatabaseName, SchemaName, ObjectName, HostName, IPAddress, ProgramName, LoginName) SELECT @WhatHappened.value('(/EVENT_INSTANCE/EventType)[1]', 'NVARCHAR(100)'), @WhatHappened.value('(/EVENT_INSTANCE/TSQLCommand)[1]', 'NVARCHAR(MAX)'), @WhatHappened, DB_NAME(), @WhatHappened.value('(/EVENT_INSTANCE/SchemaName)[1]', 'NVARCHAR(255)'), @WhatHappened.value('(/EVENT_INSTANCE/ObjectName)[1]', 'NVARCHAR(255)'), HOST_NAME(), @ip, PROGRAM_NAME(), SUSER_SNAME(); END
DDL Tracked
Tracking A User Via Audit - Setup
Tracking A User Via Audit - Results
Database Audit - Setup CREATE DATABASE SampleDB; USE [SampleDB] CREATE DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecificationForDemo] FOR SERVER AUDIT [AuditForDemo] ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP), ADD (AUDIT_CHANGE_GROUP), ADD (BACKUP_RESTORE_GROUP), ADD (DATABASE_CHANGE_GROUP), ADD (DATABASE_LOUT_GROUP), ADD (DATABASE_OBJECT_ACCESS_GROUP), ADD (DATABASE_OBJECT_CHANGE_GROUP); ALTER DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecificationForDemo] WITH (STATE = ON);
Database Audit Get Results SELECT CAST(additional_information AS XML) AS ADDLINFOXML, * FROM sys.fn_get_audit_file('c:\temp\auditfordemo_44582e17-a397-4882- B30F-946F27B0B262_0_131024426446730000.sqlaudit', DEFAULT, DEFAULT) WHERE database_name = 'AdventureWorks2014' ORDER BY EVENT_TIME DESC;
CDC - Setup
CDC Get Results
What about BBanner?
CDC Results, Post-BBanner
What s In TempDB? Example Setup
What s In TempDB? Get Results
Agent Ransack File Search
Agent Ransack File Search
WinMerge Folder Compare
WinMerge File Compare
Questions? Contact Me: Info at lakesidedba.com @bradmckuhen http://www.lakesidedba.com