a comparative analysis of auditing solutions in sql server
TRANSCRIPT
A Comparative Analysis of Auditing Solutions in SQL Server
or How The Hell Can I Tell Who's Messing With My Data
Audit
• A methodical examination or review of a condition or situation
Compliance
• Acting according to certain accepted standards
• Monitoring the extent of compliance with the standards and ethical codes at either an agency or sector level
Compliance
AssessmentPrioritizationAction plan
MonitoringValidationRemediation
PoliciesTraining Practices
Auditing in SQL
• User actions– data changes– Data read– Schema changes
• Security events– Logins– Server security activities
Audit Solutions Timeline
6.x
•Trace, DML Triggers
7
•Profiler
2000 •C
2
2005
•DDL triggers
2005
SP2
•Common criteria + logon triggers
2008
•SQL Audit, CDC, Change Tracking
Agenda
• Schema changes and Security Audit– Trace– SQL Audit– DDL Triggers (& Login Triggers)
• Data changes Audit– DML Triggers– Change Tracking– Change Data Capture (CDC)
• Third party tools– Idera SQL Compliance Manager
SQL Trace
• Versions Available: 6.x + (Profiler since 7)• Editions available:
All (Profiler not available in Express Edition)• What does it audit?
User Actions(who read, who wrote, who altered)Most of the events we can dream of: object access and management in any scope, security changes and events, logins (in addition to everything required for debugging, monitoring and performance tuning)
SQL TracePros• A one-stop mechanism to get tons of security related information.• No objects have to be altered or created.• Captures things that can’t be captured otherwise (DBCC, create/alter
trace, backup/restore) - until SQL Server 2008• Actions are ALWAYS audited (even if transaction was rolled back)
Cons• Data changes are not collected (can be collected with user defined
events, but this requires triggers and is complex to work out)• May be harder to filter and analyze for relevant events.• The syntax is complicated and harder to understand what we are
auditing (when not using profiler).• There is no guarantee the trace will run when the server starts, we
should take care of it (using a startup proc. Or agent job)
SQL Trace
• How to create– See Yaniv Etrogi’s UG 87 session in sqlserver.co.il
• How does it work?– Based on internal trace events
SQL Trace• Performance overhead– Minimal (when not used with Profiler)– 5 events, only profiler filtered out:
http://sqlblog.com/blogs/linchi_shea/archive/2007/08/01/trace-profiler-test.aspx
SQL Trace
• Interesting events to look for (Security):– Audit Schema Object Access– Audit Schema Object Management– Audit Schema Object GDR– Audit Schema Object Take Ownership– Audit Login Failed
SQL Trace
• Default trace– File growth, shrink– Mirroring state change– Errors and warnings– Fulltext crawl start/stop/abort– Object create/alter/drop– 17 audit events– Server memory change– 5 20mb file-rollover files
SQL Trace
• Blackbox trace– 5mb files (size and file-rollover file count can be
overridden after setup)– Saved to default data folder– Traces:• RPC Starting• Batch Starting• Exception• Attention (timeouts)
– No filters, no event/column configuration
C2 Audit
• Versions Available:2000+
• Editions available: All
• What does it audit?Failed and successful attempts to access statements and objects.
C2 Audit
Pros• Simple trace to set up (one checkbox)• Audits every action on every object within the SQL Server
instance.• No audit – no SQL Server. SQL Shuts down if it can’t write
audit information.Cons• Requires instance restart to enable/disable.• Not configurable in terms of events, columns, filters or file
size. It saves audit trail in 200mb files in the default data folder (any worse choice?) – can cause disk space problems
C2 Audit
• How to create
– or check the option in Server properties
EXEC sp_configure 'c2 audit mode', 1 GORECONFIGURE
C2 Audit
• Performance overhead– Like SQL trace (with audit 40 events, 45 columns
and no filters)
Common Criteria Compliance
• Versions Available:2005 SP2 +
• Editions available: Enterprise only
• What does it do?Enables elements that are required for the Common Criteria.
Common Criteria ComplianceCriteria Description
Residual Information Protection (RIP) Requires a memory allocation to be overwritten with a known pattern of bits before memory is reallocated to a new resource. (better security, worse performance)
The ability to view login statistics login auditing is enabled, information about the last successful login time, the last unsuccessful login time, and the number of attempts between the last successful and current login times is made available via sys.dm_exec_sessions
That column GRANT should not override table DENY
a table-level DENY takes precedence over a column-level GRANT (not default behavior)
Common Criteria Compliance
• How to create
– or check the option Server properties– Also requires to run a script that finishes
configuring SQL Server to comply with Common Criteria Evaluation Assurance Level 4+ (EAL4+)
EXEC sp_configure 'common criteria compliance enabled', 1 GORECONFIGURE
Common Criteria Compliance
• Performance overhead– Not tested.
SQL Audit
• Versions Available:2008
• Editions available: Enterprise only
• What does it audit?Audit user actions (who read, who wrote, who altered)Unlike SQL Trace, SQL Audit is meant to provide full auditing capabilities and only auditing capabilities
SQL Audit
• How does it work?– SQL Server Audit is a brand new audit mechanism.– Different set of events for server scope and database
scope.– Based on Extended Events– Tightly bound to DBMS engine - implemented by
hooking the internal permissions checks– Can output to
• File• Windows Application Log• Windows Security Log
– Can be synchronous or asynchronous (default)
SQL Audit
• Sample Event groups:– Server scope:• SUCCESSFUL_LOGIN_GROUP• FAILED_LOGIN_GROUP• LOGIN_CHANGE_PASSWORD_GROUP• DBCC_GROUP
– Database scope:• SCHEMA_OBJECT_CHANGE_GROUP• DATABASE_OWNERSHIP_CHANGE_GROUP• DATABASE_PERMISSION_CHANGE_GROUP
SQL AuditPros• A one-stop mechanism to get tons of security related information.• Captures things that can’t be captured otherwise (DBCC, create/alter trace,
backup/restore)• Easy to set up, filter in any granularity of objects, actions and users.• Performs even better than a trace• Actions are ALWAYS audited (even if transaction was rolled back)• Many options of output – can be combined with System Center Operations
Manager (formerly known as MOM)• Can be configured to shutdown the server if fails to audit.
Cons• Data changes are not collected• Audit data saved to sqlaudit file or event log and not to a table.
SQL Audit
• How to create
USE master CREATE SERVER AUDIT audit1 TO FILE
(FILEPATH = '\\srv\adt')
USE hr_db CREATE DATABASE AUDIT SPECIFICATION hr_dbspec FOR SERVER AUDIT audit1 ADD(SELECT,UPDATE,INSERT,DELETE ON hr.salary by dbo)
--and enable the audit & audit specification
SQL Audit
• How to read
SELECT * FROM fn_get_audit_file('E:\SqlAudits\*', default, default)
SQL Audit• Performance overhead– Lower than Profiler!
http://msdn.microsoft.com/en-us/library/dd392015.aspx
1 2 3 4 50
20
40
60
80
100
120
Base TimeSQL TraceSQL Audit
SQL Audit
• Tips:– It’s disabled by default – don’t forget to enable it
after you set it up.– Just like with DCL statements we can use database
or schema scopes. For example:SELECT ON DATABASE::MyDBUPDATE ON SCHEMA::HR– Can output to application/security log
(look for event ID 33205)
DDL Triggers
• Versions Available:2005+ (logon triggers in 2005 SP2+)
• Editions available: All
• What does it audit?Tracks object changes in server, database and schema levels + login events
DDL Triggers
Pros• Useful for auditing but can also be used to act on
DDL statements (i.e. ROLLBACK)• Can have lots of logic within it (we write all the
code)Cons• Transaction bound (if change is done within
transaction, the audit can be rolled back as well)• Requires code and object generation.• The tracking table (if exists) needs to be managed.
DDL Triggers
• How to create, prerequisites– Logon triggers require 2005 SP2+
– Use EVENTDATA() function to get information
CREATE TRIGGER [name]ON [DATABASE] / [ALL SERVER]FOR [DDL_DATABASE_LEVEL_EVENTS]AS ...
DDL Triggers• Performance overhead– Slightly higher than trace– Depends on the statements inside the trigger.
DML Triggers
• Versions Available:Any
• Editions available: All
• What does it audit?Audit data changes in a table + security information.
DML Triggers
Pros• Useful for auditing but can also be used to act on DML
statements (i.e. ROLLBACK)• Can have lots of logic within it (we write all the code)• Can combine security information and data changesCons• Transaction bound (change is done within transaction, the
audit can be rolled back as well, if trigger fails, transaction is doomed)
• Requires code and object generation.• The tracking table (if exists) needs to be managed.
DML Triggers
• How to create
– Use deleted and inserted table to retrieve changed data.– Use built in functions like Suser_sname() to get security
information.– Use the UPDATE (column) function to check if a column
changed or COLUMNS_UPDATED ( ) to check which columns have changed.
CREATE TRIGGER [name] ON { table | view } [ WITH <dml_trigger_option> ] { FOR | AFTER | INSTEAD OF } {[ INSERT ][,][ UPDATE ][,][ DELETE ] } AS ...
DML Triggers• Performance overhead– Depends on the statements inside the trigger.
Change Tracking
• Versions Available: 2008• Editions available:
All• What does it audit?• Audits the fact that a certain row has changed and
using what action (Insert, Update or Delete):– Which rows have changed in a user table?– Has a row changed?
Change Tracking
• How to create, prerequisites– Should be enabled in the database and then on the table– Table must have a primary key or a unique index.
• How does it work?– Synchronous – if a problem occurs in the change tracking, the
transaction is rolled back.– Creates internal tables that have columns to store the primary
key value, action performed (insert, update, delete) ,optional columns updated bitmap, version of the change.
– A version in a DB level.– Has a retention period that cleans the internal tables.– Built-in functions to retrieve changes and versions.
Change Tracking
• Performance overhead– More IO: The incremental performance overhead
that is associated with using change tracking on a table is similar to the overhead incurred when an index is created for a table and needs to be maintained.
Change Tracking
• Pros – No need to develop complex procedures for tracking changes– Doesn’t take a lot of disk space– Synchronous– Auto cleanup tasks
• Cons– Doesn’t keep historical data– Doesn’t keep security information– Usually used with snapshot isolation level which cause
performance to drop– Affects the system IO
Change Tracking
• Remarks– When change tracking is enabled, there are
restrictions on the DDL that can be performed on a table being tracked. The most notable restriction is that the primary key cannot be altered in any way.
– Switching a partition fails if one or both of the tables has change tracking enabled.
Change Data Capture (CDC)
• Versions Available: 2008• Editions available:
Enterprise Only• What does it Audit?
Audits all the changes on all rows in a table on specific columns.
CDC
• How does it work?– Asynchronous– Uses log reader (like transactional replication)– Creates schema and tables
• Performance overhead– A lot of disk space– More IO
CDC
• Pros– Asynchronous– Has the option to choose what to monitor.– Keeps data history– Has a cleaning mechanism
• Cons– A lot of disk space– More IO– Can cause log truncation problem
CDC vs. Change TrackingFeature Change Tracking Change Data Capture
Synchronous Yes No
Requires SQL Agent No Yes
Forces full logging of some bulk operations
No Yes
Prevents log truncation No Yes, until log records harvested
Requires snapshot isolation Recommended No
Requires separate tables to store tracking data
Yes Yes
Allows placement of tracking tables
No Yes
Potential for space consumption issues
Some Lots
Automatic cleanup process Yes Yes
Restrictions on DDL Yes No
http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog
Audit Tools in SQL - SummaryName What audits? How? Uses performance Versions
EditionsSQL Trace All actions but
dataServer trace technology, not sync
Security, actions, debug, performance
Low overhead 6.X +
DML triggers
Data changes Triggers, sync Data changes (audit trail)
Can cause performance problems.
All
Change Tracking
Data changes Built-in mechanism, sync
Sync DB Like maintaining another NCIX
2008
CDC Data changes and history
Log reader, async
Load DWH, audit trail
A lot of disk space, more IO
2008 Ent
DDL triggers
Schema changes
Internal events mechanism, sync
Track schema changes, change management and more
Depends on the code within the trigger
2005
SQL Audit All user actions based on EXEvents, sync and async
Audit security actions
Very low 2008 Ent
Audit Tools in SQL - Summary
• What about…– Archive and retention of audit data– Reporting– Alerting– Threshold definition (alert only after 10 failed
logins in 5 minutes)– Aggregations– Audit the auditor
Idera Compliance Manager
• Examples
References• Auditing in SQL server 2008 -
http://msdn.microsoft.com/en-us/library/dd392015.aspx• SQL Server 2008 Improves Auditing, Change Tracking -
http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/11nov/1108ss2iac.htm
• Tracking Changes in Your Enterprise Database by Paul S. Randal - http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog
• SQL Server 2005 Security Overview for Database Administrators - http://www.microsoft.com/sqlserver/2008/en/us/wp-sql-2008-security.aspx
• SQL Server 2005 security best practices white paper - http://www.microsoft.com/sqlserver/2005/en/us/white-papers.aspx
• SQL Server 2008 Compliance Guide - http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1021DD-65B9-41C2-8385-438028F5ACC2&displaylang=en