Presentation is loading. Please wait.

Presentation is loading. Please wait.

Auditing In SQL Server SQL Saturday #521 – Atlanta Presented By Brad McKuhen.

Published byMelinda Randall Modified over 8 years ago

Similar presentations

Presentation on theme: "Auditing In SQL Server SQL Saturday #521 – Atlanta Presented By Brad McKuhen."— Presentation transcript:

1 Auditing In SQL Server SQL Saturday #521 – Atlanta Presented By Brad McKuhen

2

3 About Me  SQL Server DBA/Developer – 13+ years  Lead DBA at Clutch Group  Contact Me:  Info at lakesidedba.com  @bradmckuhen  http://www.lakesidedba.com

4 "All it takes is one bad day to reduce the sanest man alive to lunacy...Just one bad day."

5 From the top... Built In Logs C2 Common Criteria Compliance Default Trace Server Settings ExEv Server Audit Database Audit CDC TempDB Ransack WinMerge

6 Lock It Down

7 Rotate Your Logs Image Credit: http://d2rormqr1qwzpz.cloudfront.net/photos/2013/02/01/44394-owl_head.jpg USE msdb ; GO -- agent log cycling must be run from MSDB EXEC dbo.sp_cycle_agent_errorlog ; GO -- both log cycling SP's are SYSADMIN role only EXEC sp_cycle_errorlog ; GO

8 Audit Using Your Logs

9 C2 - Setup From MSDN: Selecting this option will configure the server to record both failed and successful attempts to access statements and objects. All of them. Be very careful about using this. -- turn it on sp_configure 'show advanced options', 1 ; GO RECONFIGURE WITH OVERRIDE ; GO sp_configure 'c2 audit mode', 1 ; GO RECONFIGURE WITH OVERRIDE ; GO -- turn it off sp_configure 'c2 audit mode', 0 ; GO RECONFIGURE WITH OVERRIDE ; GO sp_configure 'show advanced options', 0 ; GO RECONFIGURE WITH OVERRIDE; GO A restart is required to implement this.

10 C2 - Results

11 C3 – Common Criteria Compliance https://s-media-cache-ak0.pinimg.com/736x/b5/62/9a/b5629a9fc8a2de88160841a53384354f.jpg

12 C3 - Setup CriteriaDescription Residual Information Protection (RIP) RIP requires a memory allocation to be overwritten with a known pattern of bits before memory is reallocated... The ability to view login statistics Each time a user successfully logs in to SQL Server, information about the last successful login time, the last unsuccessful login time, and the number of attempts... is made available... query the sys.dm_exec_sessions DMV That column GRANT should not override table DENY After the common criteria compliance enabled option is enabled, a table-level DENY takes precedence over a column-level GRANT. When the option is not enabled, a column-level GRANT takes precedence over a table-level DENY. Important In addition to enabling the common criteria compliance enabled option, you also must download and run a script that finishes configuring SQL Server to comply with Common Criteria Evaluation Assurance Level 4+ (EAL4+). You can download this script from the Microsoft SQL Server Common Criteria Web site.Microsoft SQL Server Common Criteria https://msdn.microsoft.com/en-us/library/bb326650.aspx

13 C3 – Common Criteria Compliance, Query

14 C3 – Common Criteria Compliance, Results Tons More Information In This DMV Than We Can Cover

15 Default Trace - Setup SELECT * FROM sys.configurations WHERE configuration_id = 1568

16 Default Trace – Get Results

17 Built In Logs C2 Common Criteria Compliance Default Trace Server Settings ExEv Server Audit Database Audit CDC TempDB Ransack WinMerge

18 Enterprise Vs. Standard FeatureIs Enterprise?Is Standard? C2 C3  CDC/CDT Server Audit DDL Trigger Database Audit Log Rotation Extended Events

19 Server Options - Setup

20 Extended Events - Setup CREATE EVENT SESSION [Get All Statements] ON SERVER ADD EVENT sqlserver.rpc_completed (ACTION(sqlos.task_time, sqlserver.database_id, sqlserver.database_name, sqlserver.is_system, sqlserver.nt_username, sqlserver.session_id, sqlserver.sql_text, sqlserver.username) WHERE ([sqlserver].[is_system] = (0))), ADD EVENT sqlserver.sql_batch_completed (ACTION(sqlos.task_time, sqlserver.database_id, sqlserver.database_name, sqlserver.is_system, sqlserver.nt_username, sqlserver.session_id, sqlserver.sql_text, sqlserver.username) WHERE ([sqlserver].[is_system] = (0))), ADD EVENT sqlserver.sql_statement_completed (ACTION(sqlos.task_time, sqlserver.database_id, sqlserver.database_name, sqlserver.is_system, sqlserver.nt_username, sqlserver.session_id, sqlserver.sql_text, sqlserver.username) WHERE ([sqlserver].[is_system] = (0))) ADD TARGET package0.event_file (SET filename = N'C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log\Get All Statements.xel') WITH (STARTUP_STATE = ON) GO ALTER EVENT SESSION [Get All Statements] ON SERVER STATE = START; GO

21 Extended Events - Results SELECT CAST(event_data AS XML) event_data, * FROM sys.fn_xe_file_target_read_file ('C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log\Get All Statements*.xel', NULL, NULL, NULL) Courtesy of https://www.brentozar.c om/archive/2014/03/ex tended-events-doesnt- hard/ One way, quite manual:

22 Extended Events - Results

23

24 Server Audit - Setup CREATE SERVER AUDIT [AuditForDemo] TO FILE (FILEPATH = 'C:\TEMP', MAXSIZE = 1 GB, MAX_ROLLOVER_FILES = 2, RESERVE_DISK_SPACE = OFF) WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE); CREATE SERVER AUDIT SPECIFICATION [ServerAuditSpecificationForDemo] FOR SERVER AUDIT [AuditForDemo] ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP), ADD (AUDIT_CHANGE_GROUP), ADD (BACKUP_RESTORE_GROUP), ADD (BROKER_LOGIN_GROUP); -- START THEM ALTER SERVER AUDIT [AuditForDemo] WITH (STATE = ON); GO ALTER SERVER AUDIT SPECIFICATION [ServerAuditSpecificationForDemo] WITH (STATE = ON); GO https://msdn.microsoft.com/en-us/library/cc280663.aspx

25 Server Audit - Events  APPLICATION_ROLE_CHANGE_PASS WORD_GROUP  AUDIT_CHANGE_GROUP  BACKUP_RESTORE_GROUP  BROKER_LOGIN_GROUP  DATABASE_CHANGE_GROUP  DATABASE_LOGOUT_GROUP  DATABASE_MIRRORING_LOGIN_GRO UP  DATABASE_OBJECT_ACCESS_GROU P  DATABASE_OBJECT_CHANGE_GROU P  DATABASE_OBJECT_OWNERSHIP_C HANGE_GROUP  DATABASE_OBJECT_PERMISSION_C HANGE_GROUP  DATABASE_OPERATION_GROUP  DATABASE_OWNERSHIP_CHANGE_G ROUP  DATABASE_PERMISSION_CHANGE_G ROUP  DATABASE_PRINCIPAL_CHANGE_GR OUP  DATABASE_PRINCIPAL_IMPERSONAT ION_GROUP  DATABASE_ROLE_MEMBER_CHANGE _GROUP  DBCC_GROUP  FAILED_DATABASE_AUTHENTICATIO N_GROUP  FAILED_LOGIN_GROUP  FULLTEXT_GROUP  LOGIN_CHANGE_PASSWORD_GROU P  LOGOUT_GROUP  SCHEMA_OBJECT_ACCESS_GROUP  SCHEMA_OBJECT_CHANGE_GROUP  SCHEMA_OBJECT_OWNERSHIP_CHA NGE_GROUP  SCHEMA_OBJECT_PERMISSION_CHA NGE_GROUP  SERVER_OBJECT_CHANGE_GROUP  SERVER_OBJECT_OWNERSHIP_CHA NGE_GROUP  SERVER_OBJECT_PERMISSION_CHA NGE_GROUP  SERVER_OPERATION_GROUP  SERVER_PERMISSION_CHANGE_GR OUP  SERVER_PRINCIPAL_CHANGE_GROU P  SERVER_PRINCIPAL_IMPERSONATIO N_GROUP  SERVER_ROLE_MEMBER_CHANGE_ GROUP  SERVER_STATE_CHANGE_GROUP  SUCCESSFUL_DATABASE_AUTHENTI CATION_GROUP  SUCCESSFUL_LOGIN_GROUP  TRACE_CHANGE_GROUP  TRANSACTION_GROUP  USER_CHANGE_PASSWORD_GROUP  USER_DEFINED_AUDIT_GROUP https://msdn.microsoft.com/en-us/library/cc280663.aspx

26 DDL Tracked – The Table CREATE DATABASE AuditSampleDB; GO --EXEC AuditSampleDB.dbo.sp_changedbowner 'contoso\ironman'; EXEC AuditSampleDB.dbo.sp_changedbowner 'sa'; GO USE AuditSampleDB; GO CREATE TABLE dbo.DDLEvents (EventDate DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, EventType NVARCHAR(64), EventDDL NVARCHAR(MAX), EventXML XML, DatabaseName NVARCHAR(255), SchemaName NVARCHAR(255), ObjectName NVARCHAR(255), [ObjectID] INT, HostName VARCHAR(64), IPAddress VARCHAR(32), ProgramName NVARCHAR(255), LoginName NVARCHAR(255));

27 DDL Tracked – The Trigger CREATE TRIGGER ddl_trig_alter_db ON ALL SERVER FOR ALTER_DATABASE, CREATE_DATABASE, DROP_DATABASE AS BEGIN DECLARE @WhatHappened XML; SELECT @WhatHappened = EVENTDATA(); DECLARE @ip VARCHAR(32) = (SELECT client_net_address FROM sys.dm_exec_connections WHERE session_id = @@SPID); INSERT AuditSampleDB.dbo.DDLEvents (EventType, EventDDL, EventXML, DatabaseName, SchemaName, ObjectName, HostName, IPAddress, ProgramName, LoginName) SELECT @WhatHappened.value('(/EVENT_INSTANCE/EventType)[1]', 'NVARCHAR(100)'), @WhatHappened.value('(/EVENT_INSTANCE/TSQLCommand)[1]', 'NVARCHAR(MAX)'), @WhatHappened, DB_NAME(), @WhatHappened.value('(/EVENT_INSTANCE/SchemaName)[1]', 'NVARCHAR(255)'), @WhatHappened.value('(/EVENT_INSTANCE/ObjectName)[1]', 'NVARCHAR(255)'), HOST_NAME(), @ip, PROGRAM_NAME(), SUSER_SNAME(); END GO

28 DDL Tracked

29 Tracking A User Via Audit - Setup

30 Tracking A User Via Audit - Results

31 Database Audit - Setup CREATE DATABASE SampleDB; GO USE [SampleDB] GO CREATE DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecificationForDemo] FOR SERVER AUDIT [AuditForDemo] ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP), ADD (AUDIT_CHANGE_GROUP), ADD (BACKUP_RESTORE_GROUP), ADD (DATABASE_CHANGE_GROUP), ADD (DATABASE_LOGOUT_GROUP), ADD (DATABASE_OBJECT_ACCESS_GROUP), ADD (DATABASE_OBJECT_CHANGE_GROUP); GO ALTER DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecificationForDemo] WITH (STATE = ON); GO https://msdn.microsoft.com/en-us/library/cc280663.aspx

32 Database Audit - Events  APPLICATION_ROLE_CHANGE_P ASSWORD_GROUP  AUDIT_CHANGE_GROUP  BACKUP_RESTORE_GROUP  DATABASE_CHANGE_GROUP  DATABASE_LOGOUT_GROUP  DATABASE_OBJECT_ACCESS_G ROUP  DATABASE_OBJECT_CHANGE_G ROUP  DATABASE_OBJECT_OWNERSHI P_CHANGE_GROUP  DATABASE_OBJECT_PERMISSIO N_CHANGE_GROUP  DATABASE_OPERATION_GROUP  DATABASE_OWNERSHIP_CHAN GE_GROUP  DATABASE_PERMISSION_CHAN GE_GROUP  DATABASE_PRINCIPAL_CHANGE _GROUP  DATABASE_PRINCIPAL_IMPERS ONATION_GROUP  DATABASE_ROLE_MEMBER_CH ANGE_GROUP  DBCC_GROUP  FAILED_DATABASE_AUTHENTICA TION_GROUP  SCHEMA_OBJECT_ACCESS_GR OUP  SCHEMA_OBJECT_CHANGE_GR OUP  SCHEMA_OBJECT_OWNERSHIP _CHANGE_GROUP  SCHEMA_OBJECT_PERMISSION _CHANGE_GROUP  SUCCESSFUL_DATABASE_AUTH ENTICATION_GROUP  USER_CHANGE_PASSWORD_GR OUP  USER_DEFINED_AUDIT_GROUP https://msdn.microsoft.com/en-us/library/cc280663.aspx

33 Database Audit – Get Results SELECT CAST(additional_information AS XML) AS ADDLINFOXML, * FROM sys.fn_get_audit_file('C:\TEMP\AuditForDemo_44582E17-A397-4882- B30F-946F27B0B262_0_131024426446730000.sqlaudit', DEFAULT, DEFAULT) WHERE database_name = 'AdventureWorks2014' ORDER BY EVENT_TIME DESC; GO

34 CDC - Setup

35 CDC – Get Results

36 What about BBanner?

37 CDC Results, Post-BBanner

38

39 What’s In TempDB? – Example Setup

40 What’s In TempDB? – Get Results

41 Agent Ransack – File Search

42

43 WinMerge – Folder Compare

44 WinMerge – File Compare

45 Questions? Contact Me:  Info at lakesidedba.com  @bradmckuhen  http://www.lakesidedba.com

Download ppt "Auditing In SQL Server SQL Saturday #521 – Atlanta Presented By Brad McKuhen."

Similar presentations

By: Jose Chinchilla July 31, 2010. Jose Chinchilla MCITP: SQL Server 2008, Database Administrator MCTS: SQL Server 2005/2008, Business Intelligence DBA.

By: Jose Chinchilla July 31, Jose Chinchilla MCITP: SQL Server 2008, Database Administrator MCTS: SQL Server 2005/2008, Business Intelligence DBA.
Module 12: Auditing SQL Server Environments

Module 12: Auditing SQL Server Environments
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.
Module 17 Tracing Access to SQL Server 2008 R2. Module Overview Capturing Activity using SQL Server Profiler Improving Performance with the Database Engine.

Module 17 Tracing Access to SQL Server 2008 R2. Module Overview Capturing Activity using SQL Server Profiler Improving Performance with the Database Engine.
Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.
GOLD SILVER BRONZE. © CGI Group Inc. 2014 Oracle Auditing COUG Presentation – June 19, 2014 Ray Smith June 2014.

GOLD SILVER BRONZE. © CGI Group Inc Oracle Auditing COUG Presentation – June 19, 2014 Ray Smith June 2014.
SQL Server 2005 Implementation and Maintenance Chapter 10: Maintaining and Automating SQL Server.

SQL Server 2005 Implementation and Maintenance Chapter 10: Maintaining and Automating SQL Server.
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
Creating and Altering Tables cis 407 Object Names Create Statement Alter statement Drop Statement.

Creating and Altering Tables cis 407 Object Names Create Statement Alter statement Drop Statement.
Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.

Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.
Auditing Database DDL Changes with SQLVer. About PASS The PASS community encompasses everyone who uses the Microsoft SQL Server or Business Intelligence.

Auditing Database DDL Changes with SQLVer. About PASS The PASS community encompasses everyone who uses the Microsoft SQL Server or Business Intelligence.
Working with SQL and PL/SQL/ Session 1 / 1 of 27 SQL Server Architecture.

Working with SQL and PL/SQL/ Session 1 / 1 of 27 SQL Server Architecture.
AGENDA Tools used in SQL Server 2000 Graphical BOL Enterprise Manager Service Manager CLI Query Analyzer OSQL BCP.

AGENDA Tools used in SQL Server 2000 Graphical BOL Enterprise Manager Service Manager CLI Query Analyzer OSQL BCP.
Week 2 - Installation SQL SERVER2000 ENTERPRISE EDITION INSTALLATION.

Week 2 - Installation SQL SERVER2000 ENTERPRISE EDITION INSTALLATION.
Managing and Monitoring SQL Server 2005 Shankar Pal Program Manager SQL Server, Redmond.

Managing and Monitoring SQL Server 2005 Shankar Pal Program Manager SQL Server, Redmond.
Grab Bag & Short Shouts PASS Victoria BC Chapter Fall 2014 Martin S. Stoller

Grab Bag & Short Shouts PASS Victoria BC Chapter Fall 2014 Martin S. Stoller
Session 7 Creating and Managing Databases. RDBMS and Data Management/ Session 7/2 of 27 Session Objectives Describe the system and user-defined databases.

Session 7 Creating and Managing Databases. RDBMS and Data Management/ Session 7/2 of 27 Session Objectives Describe the system and user-defined databases.
Adapted from Afyouni, Database Security and Auditing DB Auditing Examples (Ch. 9) Dr. Mario Guimaraes.

Adapted from Afyouni, Database Security and Auditing DB Auditing Examples (Ch. 9) Dr. Mario Guimaraes.
Adapted from Afyouni, Database Security and Auditing Database Application Auditing – Ch. 8.

Adapted from Afyouni, Database Security and Auditing Database Application Auditing – Ch. 8.

Similar presentations

Ads by Google