Enterprise Auditing with SQL Server Audit Colleen Morrow.

Presentation transcript:

Enterprise Auditing with SQL Server Audit Colleen Morrow

About me
- Colleen Morrow
- SQL Server consultant at UpSearch
- 10+ years of SQL Server experience
- Contributor to Tribal SQL

Agenda
- Why audit?
- Introduction to SQL Server Audit
- Defining audit requirements
- Implementing SQL Server Audit
- Handling audit data

Why audit?
- Your company employs an outside firm to perform security audits
- Required by law to perform auditing
- Supplement a change management system
- Answer the question, "what changed?"
- Determine who's accessing that sensitive data
- Determine what a particular login is being used for

SQL Audit: Introduction
- Built on Extended Events framework
- Events recorded at permission-check time
- Executes asynchronously or synchronously
- Enjoys long walks on the beach

SQL Audit: Terminology
- Server Audit
- Database audit specification
- Server audit specification

What actions can you audit?
- Objects
  - object is created, altered or dropped
  - object is accessed (e.g. DML, EXECUTE)
  - ownership changes
  - permission changes
  - server objects, database objects, schema objects

What actions can you audit? (cont.)
- Security
  - principals are created, altered, or dropped
  - database/server role is added or removed
  - principal is added to or removed from a role
  - successful/failed logins
  - password changes
  - a password is changed for an application role

What actions can you audit? (cont.)
- Databases
  - a database is created, altered, or dropped
  - ownership changes
  - permission changes
- Backups
  - backup/restore operations

What actions can you audit? (cont.)
- Audits/Traces
  - any audit is created, modified or deleted
  - any audit specification is created, modified, or deleted
  - any change to an audit is audited in that audit
  - statements that check for the ALTER TRACE permission

What actions can you audit? (cont.)
- Server state
  - the SQL Server service state is modified
- DBCC
  - a principal issues any DBCC command
- User Defined Events

What can't you audit?
- Temp tables
  - #temp and ##temp tables not audited
- Internal events
  - E.g. locking, transaction log growth from large transactions

Defining audit requirements
- Where?
  - How many servers?
  - What version/editions?
- What?
  - What events?
  - What data for the event?
- How critical is it?
  - Can you afford to miss any events?
- How will the data be viewed?
  - Ad hoc?
  - Formal report?
- How long should it be retained?

Example #1: Security in Azure

To: Dan Wilson
From: Stephanie Conroy

Dan,

Now that we've deployed the ordering system infrastructure to Azure virtual machines, I'm concerned about security. I want to make sure we've locked things down as much as possible. Is there any way to know who is or is trying to log into the database?

Thanks much,
Stephanie Conroy
Network Manager
AdventureWorks, Inc.

Audit requirements: Security
- Where? Single instance on Azure VM
- What? Logins, Logouts, Failed Logins; Login name, Event time, session duration, client hostname/IP
- How critical? Some event loss
- Viewed? Ad hoc report
- Retention? 1 week

Demonstration
- Create Server Audit
- Read audit file
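
One way to meet the Example #1 requirements in T-SQL, as an added example (not the presenter's demo script). The audit and specification names and the MAXSIZE / MAX_ROLLOVER_FILES values are assumptions; the directory is taken from the file pattern used later in the slides.

```sql
-- Added example: login auditing for the Example #1 requirements.
-- Names and size limits are assumptions; adjust before use.
USE master;
GO
CREATE SERVER AUDIT [Security]
TO FILE (
    FILEPATH = N'c:\MyAudits\',   -- files are created as Security_<guid>_...sqlaudit
    MAXSIZE = 100 MB,
    MAX_ROLLOVER_FILES = 20       -- oldest file is deleted once the limit is hit
)
WITH (
    QUEUE_DELAY = 1000,           -- asynchronous: buffer up to 1000 ms before writing
    ON_FAILURE = CONTINUE         -- "some event loss" is acceptable for this audit
);
GO
CREATE SERVER AUDIT SPECIFICATION [Security_Logins]
FOR SERVER AUDIT [Security]
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (LOGOUT_GROUP)
WITH (STATE = ON);
GO
-- An audit is created disabled; nothing is recorded until it is switched on.
ALTER SERVER AUDIT [Security] WITH (STATE = ON);
GO

-- Check 1: the audit is running and where it is writing.
SELECT name, status_desc, audit_file_path
FROM sys.dm_server_audit_status
WHERE name = N'Security';

-- Check 2: the specification is enabled and covers the three login groups.
SELECT s.name, s.is_state_enabled, d.audit_action_name
FROM sys.server_audit_specifications AS s
JOIN sys.server_audit_specification_details AS d
  ON d.server_specification_id = s.server_specification_id
WHERE s.name = N'Security_Logins';
```

Rollover is bounded by file size and count, not by age, so the one-week retention target has to be met by sizing these limits against the instance's login volume.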

Reading audit data

    fn_get_audit_file ( file_pattern,
        { default | initial_file_name | NULL },
        { default | audit_record_offset | NULL } )

- file_pattern – the path and file name of the audit file(s) to be read; file name can be or include a wildcard.
- initial_file_name – first file to process; all subsequent files will also be processed.
- audit_record_offset – used in conjunction with the initial file name to tell SQL Server where in that initial file to start.

Using fn_get_audit_file()

    -- 'File 1' and 'File 2' stand for the initial audit file name, as labelled in the slide's diagram
    SELECT * FROM sys.fn_get_audit_file('c:\MyAudits\Security*', 'File 2', 7200);
    SELECT * FROM sys.fn_get_audit_file('c:\MyAudits\Security*', 'File 1', 9650);
    SELECT * FROM sys.fn_get_audit_file('c:\MyAudits\Security*', NULL, NULL);

[Diagram: audit files File 1, File 2, ...]
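
The initial_file_name and audit_record_offset arguments make incremental loading possible: save the file name and offset of the last record loaded, then pass them back on the next run. The following is an added example, not from the presentation; dbo.AuditLoadWatermark and dbo.LoginAuditHistory are hypothetical table names, and the file pattern is the one used on the slide.

```sql
-- Added example: incremental load of audit records into a history table.
-- Table names are hypothetical; run the setup batch once.
CREATE TABLE dbo.AuditLoadWatermark (
    audit_name  sysname       NOT NULL PRIMARY KEY,
    last_file   nvarchar(260) NULL,    -- NULL = nothing loaded yet
    last_offset bigint        NULL
);
CREATE TABLE dbo.LoginAuditHistory (
    event_time             datetime2      NOT NULL,  -- recorded in UTC
    action_id              varchar(4)     NOT NULL,
    succeeded              bit            NOT NULL,
    server_principal_name  sysname        NULL,
    additional_information nvarchar(4000) NULL,
    file_name              nvarchar(260)  NOT NULL,
    audit_file_offset      bigint         NOT NULL
);
INSERT dbo.AuditLoadWatermark (audit_name) VALUES (N'Security');
GO

-- Scheduled batch: resume after the last record already loaded.
DECLARE @file nvarchar(260), @offset bigint;
SELECT @file = last_file, @offset = last_offset
FROM dbo.AuditLoadWatermark
WHERE audit_name = N'Security';

BEGIN TRANSACTION;

-- With NULL, NULL (first run) every matching file is read from the start.
INSERT dbo.LoginAuditHistory
      (event_time, action_id, succeeded, server_principal_name,
       additional_information, file_name, audit_file_offset)
SELECT event_time, action_id, succeeded, server_principal_name,
       additional_information, file_name, audit_file_offset
FROM sys.fn_get_audit_file(N'c:\MyAudits\Security*', @file, @offset);

-- Move the watermark to the newest record now in the history table.
UPDATE w
SET last_file = h.file_name, last_offset = h.audit_file_offset
FROM dbo.AuditLoadWatermark AS w
CROSS APPLY (SELECT TOP (1) file_name, audit_file_offset
             FROM dbo.LoginAuditHistory
             ORDER BY event_time DESC, file_name DESC,
                      audit_file_offset DESC) AS h
WHERE w.audit_name = N'Security';

COMMIT;
```

The file saved in the watermark must still exist at the next run, so the load has to run more often than the audit files roll over and are deleted.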

Example #2: Troubleshooting

To: Dan Wilson
From: Karen Berg

Hey Dan,

You know that audit you configured to help us troubleshoot erroneous updates to ProductInventory? It's a lot of data to sift through and really we're only interested in updates to the Bin column. Any way you can refine the audit?

Thanks,
Karen Berg
Application Specialist
AdventureWorks, Inc.

Audit requirements: Troubleshooting
- Where? Single database
- What? Updates to specific column; Login/username, event time, statement or procedure
- How critical? No event loss
- Viewed? Ad hoc viewing
- Retention? No requirement

Demonstration
- User-defined events
- Synchronous auditing

Synchronous-icity
[Diagram: Permissions check / Audit check; Expand Event details; Send to Audit Xevent session; Record event. Columns: Async, Synchronous. QUEUE_DELAY = ]
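
A sketch of how the Example #2 requirements can be met with a user-defined event and a synchronous audit, as an added example (not the presenter's demo script). The audit, specification and trigger names, the event id 1001 and the database name are assumptions; the table is assumed to be the AdventureWorks sample's Production.ProductInventory, keyed on ProductID and LocationID.

```sql
-- Added example: record only real changes to ProductInventory.Bin,
-- delivered synchronously so that no event can be lost.
USE master;
GO
CREATE SERVER AUDIT [Troubleshooting]
TO FILE (FILEPATH = N'c:\MyAudits\')
WITH (
    QUEUE_DELAY = 0,              -- 0 = synchronous delivery
    ON_FAILURE = FAIL_OPERATION   -- audited action fails if it cannot be logged
);
GO
ALTER SERVER AUDIT [Troubleshooting] WITH (STATE = ON);
GO
USE AdventureWorks;               -- assumed database name
GO
CREATE DATABASE AUDIT SPECIFICATION [BinUpdates]
FOR SERVER AUDIT [Troubleshooting]
    ADD (USER_DEFINED_AUDIT_GROUP)
WITH (STATE = ON);
GO
CREATE TRIGGER Production.trg_ProductInventory_AuditBin
ON Production.ProductInventory
AFTER UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    IF NOT UPDATE(Bin) RETURN;    -- Bin was not in the SET list

    DECLARE @changed int, @info nvarchar(4000);
    SELECT @changed = COUNT(*)
    FROM inserted AS i
    JOIN deleted AS d
      ON d.ProductID = i.ProductID AND d.LocationID = i.LocationID
    WHERE d.Bin <> i.Bin;         -- ignore updates that set the same value
    IF @changed = 0 RETURN;

    SET @info = CONCAT(N'Production.ProductInventory.Bin changed on ',
                       @changed, N' row(s)');
    EXEC sys.sp_audit_write
         @user_defined_event_id = 1001,
         @succeeded = 1,
         @user_defined_information = @info;
END;
GO
```

The resulting records carry user_defined_event_id and user_defined_information in the sys.fn_get_audit_file output, next to the principal and event time the audit records for every event.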

Performance Impact

Example #3: Change Management

To: All IT Employees
From: Jean Trenary

As a result of AdventureWorks, Inc. becoming a publicly traded company, IT systems will be undergoing a yearly audit, to be conducted by an external firm. Part of this auditing process is a reconciliation between Production-level changes and change management tickets. To help facilitate the yearly audit, we are now requesting monthly reports from each Production environment listing all object changes during the previous month and the corresponding ticket number.

Thank you,
Jean Trenary
Information Services Manager
AdventureWorks, Inc.

Audit requirements: Change Management
- Where? All production databases
- What? Database object changes (DDL); Server, database, schema, object, login, event time, statement
- How critical? No event loss
- Viewed? Monthly/Annual report
- Retention? 18 months

Demonstration
- Using PowerShell
- Managing audit data

Recap
- Why audit?
- Introduction to SQL Server Audit
- Defining audit requirements
- Implementing SQL Server Audit
- Handling audit data

QUESTIONS

Thank You This FREE SQL Saturday is brought to you courtesy of these sponsors, speakers and volunteers who staff this event
