Auditing In SQL Server. SQL Saturday #486 - RVA Presented By Brad McKuhen

Auditing In SQL Server SQL Saturday #486 - RVA Presented By Brad McKuhen

Thank You Sponsors

About Me SQL Server DBA/Developer 13 years Lead DBA at Clutch Group Contact Me: Info at lakesidedba.com @bradmckuhen http://www.lakesidedba.com

"All it takes is one bad day to reduce the sanest man alive to lunacy...just one bad day."

From the top... Built In Logs C2 Common Criteria Compliance Default Trace Server Settings ExEv Server Audit Database Audit CDC TempDB Ransack WinMerge

Rotate Your Logs USE msdb ; -- agent log cycling must be run from MSDB EXEC dbo.sp_cycle_agent_errorlog ; -- both log cycling SP's are SYSADMIN role only EXEC sp_cycle_errorlog ; Image Credit: http://d2rormqr1qwzpz.cloudfront.net/photos/2013/02/01/44394-owl_head.jpg

Audit Using Your Logs

C2 - Setup From MSDN: Selecting this option will configure the server to record both failed and successful attempts to access statements and objects. -- turn it on sp_configure 'show advanced options', 1 ; RECONFIGURE WITH OVERRIDE ; sp_configure 'c2 audit mode', 1 ; RECONFIGURE WITH OVERRIDE ; All of them. Be very careful about using this. -- turn it off sp_configure 'c2 audit mode', 0 ; RECONFIGURE WITH OVERRIDE ; sp_configure 'show advanced options', 0 ; RECONFIGURE WITH OVERRIDE; A restart is required to implement this.

C2 - Results

C3 Common Criteria Compliance https://s-media-cache-ak0.pinimg.com/736x/b5/62/9a/b5629a9fc8a2de88160841a53384354f.jpg

C3 - Setup Criteria Residual Information Protection (RIP) The ability to view login statistics Description RIP requires a memory allocation to be overwritten with a known pattern of bits before memory is reallocated... Each time a user successfully logs in to SQL Server, information about the last successful login time, the last unsuccessful login time, and the number of attempts... is made available... query the sys.dm_exec_sessions DMV That column GRANT should not override table DENY After the common criteria compliance enabled option is enabled, a table-level DENY takes precedence over a column-level GRANT. When the option is not enabled, a column-level GRANT takes precedence over a table-level DENY. Important In addition to enabling the common criteria compliance enabled option, you also must download and run a script that finishes configuring SQL Server to comply with Common Criteria Evaluation Assurance Level 4+ (EAL4+). You can download this script from the Microsoft SQL Server Common Criteria Web site. https://msdn.microsoft.com/en-us/library/bb326650.aspx

C3 Common Criteria Compliance, Query

C3 Common Criteria Compliance, Results Tons More Information In This DMV Than We Can Cover

Default Trace - Setup SELECT * FROM sys.configurations WHERE configuration_id = 1568

Default Trace Get Results

Built In Logs C2 Common Criteria Compliance Default Trace Server Settings ExEv Server Audit Database Audit CDC TempDB Ransack WinMerge

Server Options - Setup

Extended Events - Setup CREATE EVENT SESSION [Get All Statements] ON SERVER ADD EVENT sqlserver.rpc_completed (ACTION(sqlos.task_time, sqlserver.database_id, sqlserver.database_name, sqlserver.is_system, sqlserver.nt_username, sqlserver.session_id, sqlserver.sql_text, sqlserver.username) WHERE ([sqlserver].[is_system] = (0))), ADD EVENT sqlserver.sql_batch_completed (ACTION(sqlos.task_time, sqlserver.database_id, sqlserver.database_name, sqlserver.is_system, sqlserver.nt_username, sqlserver.session_id, sqlserver.sql_text, sqlserver.username) WHERE ([sqlserver].[is_system] = (0))), ADD EVENT sqlserver.sql_statement_completed (ACTION(sqlos.task_time, sqlserver.database_id, sqlserver.database_name, sqlserver.is_system, sqlserver.nt_username, sqlserver.session_id, sqlserver.sql_text, sqlserver.username) WHERE ([sqlserver].[is_system] = (0))) ADD TARGET package0.event_file (SET filename = N'C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log\Get All Statements.xel') WITH (STARTUP_STATE = ON) ALTER EVENT SESSION [Get All Statements] ON SERVER STATE = START;

Extended Events - Results One way, quite manual: SELECT CAST(event_data AS XML) event_data, * FROM sys.fn_xe_file_target_read_file ('C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log\Get All Statements*.xel', NULL, NULL, NULL) Courtesy of https://www.brentozar.c om/archive/2014/03/ex tended-events-doesnthard/

Extended Events - Results

Extended Events - Results

Server Audit - Setup CREATE SERVER AUDIT [AuditForDemo] TO FILE (FILEPATH = 'C:\TEMP', MAXSIZE = 1 GB, MAX_ROLLOVER_FILES = 2, RESERVE_DISK_SPACE = OFF) WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE); CREATE SERVER AUDIT SPECIFICATION [ServerAuditSpecificationForDemo] FOR SERVER AUDIT [AuditForDemo] ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP), ADD (AUDIT_CHANGE_GROUP), ADD (BACKUP_RESTORE_GROUP), ADD (BROKER_LOGIN_GROUP); -- START THEM ALTER SERVER AUDIT [AuditForDemo] WITH (STATE = ON); ALTER SERVER AUDIT SPECIFICATION [ServerAuditSpecificationForDemo] WITH (STATE = ON);

DDL Tracked The Table CREATE DATABASE AuditSampleDB; --EXEC AuditSampleDB.dbo.sp_changedbowner 'contoso\ironman'; EXEC AuditSampleDB.dbo.sp_changedbowner 'sa'; USE AuditSampleDB; CREATE TABLE dbo.ddlevents (EventDate DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, EventType NVARCHAR(64), EventDDL NVARCHAR(MAX), EventXML XML, DatabaseName NVARCHAR(255), SchemaName NVARCHAR(255), ObjectName NVARCHAR(255), [ObjectID] INT, HostName VARCHAR(64), IPAddress VARCHAR(32), ProgramName NVARCHAR(255), LoginName NVARCHAR(255));

DDL Tracked The Trigger CREATE TRIGGER ddl_trig_alter_db ON ALL SERVER FOR ALTER_DATABASE, CREATE_DATABASE, DROP_DATABASE AS BEGIN DECLARE @WhatHappened XML; SELECT @WhatHappened = EVENTDATA(); DECLARE @ip VARCHAR(32) = (SELECT client_net_address FROM sys.dm_exec_connections WHERE session_id = @@SPID); INSERT AuditSampleDB.dbo.DDLEvents (EventType, EventDDL, EventXML, DatabaseName, SchemaName, ObjectName, HostName, IPAddress, ProgramName, LoginName) SELECT @WhatHappened.value('(/EVENT_INSTANCE/EventType)[1]', 'NVARCHAR(100)'), @WhatHappened.value('(/EVENT_INSTANCE/TSQLCommand)[1]', 'NVARCHAR(MAX)'), @WhatHappened, DB_NAME(), @WhatHappened.value('(/EVENT_INSTANCE/SchemaName)[1]', 'NVARCHAR(255)'), @WhatHappened.value('(/EVENT_INSTANCE/ObjectName)[1]', 'NVARCHAR(255)'), HOST_NAME(), @ip, PROGRAM_NAME(), SUSER_SNAME(); END

DDL Tracked

Tracking A User Via Audit - Setup

Tracking A User Via Audit - Results

Database Audit - Setup CREATE DATABASE SampleDB; USE [SampleDB] CREATE DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecificationForDemo] FOR SERVER AUDIT [AuditForDemo] ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP), ADD (AUDIT_CHANGE_GROUP), ADD (BACKUP_RESTORE_GROUP), ADD (DATABASE_CHANGE_GROUP), ADD (DATABASE_LOUT_GROUP), ADD (DATABASE_OBJECT_ACCESS_GROUP), ADD (DATABASE_OBJECT_CHANGE_GROUP); ALTER DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecificationForDemo] WITH (STATE = ON);

Database Audit Get Results SELECT CAST(additional_information AS XML) AS ADDLINFOXML, * FROM sys.fn_get_audit_file('c:\temp\auditfordemo_44582e17-a397-4882- B30F-946F27B0B262_0_131024426446730000.sqlaudit', DEFAULT, DEFAULT) WHERE database_name = 'AdventureWorks2014' ORDER BY EVENT_TIME DESC;

CDC - Setup

CDC Get Results

What about BBanner?

CDC Results, Post-BBanner

What s In TempDB? Example Setup

What s In TempDB? Get Results

Agent Ransack File Search

Agent Ransack File Search

WinMerge Folder Compare

WinMerge File Compare

Questions? Contact Me: Info at lakesidedba.com @bradmckuhen http://www.lakesidedba.com