Auditing in Microsoft SQL Server 2012 Il-Sung Lee Program Manager Microsoft Corporation DBI407

Audit supported on all SKUsImproved ResilienceUser-Defined Audit EventRecord FilteringT-SQL Stack Information

SQL Server Express 6

Select… Rollback 7

Audit Log hr.viewsalaryhr.viewsalary hr.payrollhr.payroll exec hr.viewsalary select salary from hr.payroll

demo T-SQL Stack Information

exec sp_audit_write 1234, 1, @user_defined_info Audit Log

demo User-Defined Audit Event

CREATE SERVER AUDIT audit_name TO { [ FILE ( [,...n ]) ] | APPLICATION_LOG | SECURITY_LOG } [ WITH ( [,...n ] ) ] [ FILTER = ] } … ::= { [ NOT ] | {( ) } [ { AND | OR } [ NOT ] { | ( ) } ] [,...n ] }

demo Record Filtering

Workload 1Workload 2Workload 3Workload 4Workload 5 11 dbs, ranging from 1.94 MB to MB. 755 tables with average of 2761 rows 1,219,234 stmts executed. 2 dbs ranging from 64 MB to MB 35 tables with average of 49,141 rows 1,633,557 stmts executed 3 dbs ranging from 1.94 MB to MB 154 tables with average of 586 rows, Here is the activity 585,400 stmts executed 1 db at MB 84 tables with average of 144,245 rows 3,435,303 stmts executed. 1 db at MB 152 tables with average of 4,108 rows 296,642 stmts executed.

Windows Security Log “Tamper-proof” log DBA cannot clear log (assuming not an Administrator) System Center Operations Manager Audit Collection Service Copy Audit logs to secure location Directory or share inaccessible by service account or DBA Audit logs files are shared-read and cannot be tampered with while active Possible momentary exposure if using multiple logs Combination of the two Audit “tamper” activity to Security Log, e.g., DBA modifying Audit All other Audit events are sent to file

Audit Events Buffered Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text) Server Blocks New Activity Generating Audit Event Does not effect other Audits Blocks until buffer space freed or audit disabled Audit Session Turned Off Buffered data is discarded and error written to errorlog Continue trying to write future events to Audit log Automatically try to restart Audit session when next event is generated Buffer filled System error

Audit Events Buffered Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text) Server Fails New Activity Generating Audit Event Does not effect other Audits Fails new operations until buffer space freed or audit disabled Buffered audit events persist and continuously re-attempted tp write until audit disabled or server shut down Buffer filled

Option 1 Correct source of error E.g., file system full Option 2 Single-user mode, “-m” Audit is active but shutdown-on-failure behavior deactivated Audit Admin can fix Audit configuration Option 3 Minimal configuration mode, “-f” Audit disabled but Audit DDL can still be issued. Bonus If “Fail Operation” and “AUDIT_ CHANGE_GROUP”, use DAC connection Audit event still generated but will not fail operation

demo Using SQL Server Audit with Policy-Based Management

Bare Metal Microsoft SQL Server 2012 Deployment and Management (S. Hall B WRK Rm 1) Microsoft SQL Server: Mission Critical Confidence - Organizational Security and Compliance Demo Station (S. Hall A) Find Me Later At The Mission Critical Booth In The Expo

Il-Sung Lee /b/sqlsecurity/ I’m not a tweeter

Connect. Share. Discuss. Learning Microsoft Certification & Training Resources TechNet Resources for IT Professionals Resources for Developers

Required Slide Complete an evaluation on CommNet and enter to win!