1
Auditing in Microsoft SQL Server 2012
12/6/2018 7:37 AM
DBI407
Auditing in Microsoft SQL Server 2012
Il-Sung Lee
Program Manager
Microsoft Corporation
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
Agenda
What’s changed since SQL Server 2008?
What is the performance impact?
Can I protect the Audit log from the DBA?
What happens if Audit fails to write?
What do I do if the server fails to start because of SQL Server Audit?
Anything else I should know?
3
What’s changed since SQL Server 2008?
4
Lots. We’ve made SQL Server Audit more flexible and reliable.
5
SQL Server Audit Enhancements
Audit supported on all SKUs
Improved Resilience
User-Defined Audit Event
Record Filtering
T-SQL Stack Information
6
Audit Supported on All SKUs
Basic Audit on all SKUs
  Server Audit Specs only
  DB Audit Specs for Enterprise
No longer need SQLTrace
Enjoy advantages of Audit
  Performance
  Multiple Audits and multiple targets
  Persist state
  Audit Resilience
SQL Server Express
7
Improved Resilience
Before:
  Write failures may silently lose Audit records
  Use ON_FAILURE = SHUTDOWN
Now:
  Automatically recover from most file or network errors
  Added “ON_FAILURE = FAIL_OPERATION”
  Added “MAX_FILES” option
Select… Rollback
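The two options named on this slide, combined in one audit definition. This is an added example, not code from the presentation; the audit name, specification name and D:\SqlAudit\ directory are hypothetical.

```sql
-- Added example: Audit_FailOp, Audit_FailOp_Spec and D:\SqlAudit\ are
-- hypothetical names chosen for illustration.
USE master;
GO

CREATE SERVER AUDIT Audit_FailOp
TO FILE (
    FILEPATH  = N'D:\SqlAudit\',   -- directory must already exist
    MAXSIZE   = 100 MB,            -- size limit of each audit file
    MAX_FILES = 20                 -- hard cap: no rollover, old files are never overwritten
)
WITH (
    QUEUE_DELAY = 1000,            -- milliseconds before buffered records are forced out
    ON_FAILURE  = FAIL_OPERATION   -- audited actions fail rather than run unaudited
);
GO

-- Attach the events that must never go unrecorded.
CREATE SERVER AUDIT SPECIFICATION Audit_FailOp_Spec
FOR SERVER AUDIT Audit_FailOp
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- An audit is created disabled; nothing is written until it is switched on.
ALTER SERVER AUDIT Audit_FailOp WITH (STATE = ON);
GO

-- Confirm the failure mode and file cap that are actually in force.
SELECT name, is_state_enabled, on_failure_desc,
       max_files, max_rollover_files, log_file_path
FROM sys.server_file_audits
WHERE name = N'Audit_FailOp';
```

With MAX_FILES, reaching the cap makes further audited actions fail, so the number of files in the target directory needs monitoring and archiving before the limit is hit.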
8
T-SQL Stack Information
select salary from hr.payroll
exec hr.viewsalary
hr.viewsalary
hr.payroll
Audit Log
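The scenario on this slide as a runnable script: the same table is read directly and through hr.viewsalary, and the audit records are read back with the stack frames shredded out of additional_information. This is an added example, not the presenter's demo; the AuditDemo database, audit names, file path and sample row are hypothetical, and a database audit specification needs an edition that supports it (Enterprise, per the All-SKUs slide).

```sql
USE master;
GO
CREATE SERVER AUDIT Audit_Stack TO FILE (FILEPATH = N'D:\SqlAudit\');  -- hypothetical path
GO
ALTER SERVER AUDIT Audit_Stack WITH (STATE = ON);
GO
CREATE DATABASE AuditDemo;                 -- hypothetical scratch database
GO
USE AuditDemo;
GO
CREATE SCHEMA hr;
GO
CREATE TABLE hr.payroll (employee_id int PRIMARY KEY, salary money NOT NULL);
INSERT INTO hr.payroll (employee_id, salary) VALUES (1, 50000);  -- constructed row
GO
CREATE PROCEDURE hr.viewsalary AS SELECT salary FROM hr.payroll;
GO
-- Audit every SELECT on the table, whoever issues it.
CREATE DATABASE AUDIT SPECIFICATION Audit_Payroll_Select
FOR SERVER AUDIT Audit_Stack
    ADD (SELECT ON OBJECT::hr.payroll BY public)
WITH (STATE = ON);
GO
SELECT salary FROM hr.payroll;             -- direct access
EXEC hr.viewsalary;                        -- same table, reached through the procedure
GO
WAITFOR DELAY '00:00:02';                  -- let the audit queue flush to disk
-- One row per stack frame; the direct SELECT has no frame, so its columns are NULL.
SELECT a.event_time,
       a.server_principal_name,
       a.statement,
       t.f.value('@nest_level',  'int')           AS nest_level,
       t.f.value('@schema_name', 'nvarchar(128)') AS caller_schema,
       t.f.value('@object_name', 'nvarchar(128)') AS caller_object
FROM sys.fn_get_audit_file(N'D:\SqlAudit\Audit_Stack_*.sqlaudit', DEFAULT, DEFAULT) AS a
CROSS APPLY (SELECT TRY_CAST(a.additional_information AS xml) AS x) AS c
OUTER APPLY c.x.nodes('/tsql_stack/frame') AS t(f)
WHERE a.action_id = 'SL'                   -- SELECT
  AND a.object_name = N'payroll'
ORDER BY a.event_time;
```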
9
T-SQL Stack Information
demo T-SQL Stack Information
10
User-Defined Audit Event
sp_audit_write()
exec sp_audit_write 1234, 1, N'Hello World'
Parameters, in order: @user_defined_event_id, @succeeded, @user_defined_information
Audit Log
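A fuller use of sp_audit_write than the Hello World call: an application procedure records a decision the engine itself cannot see, and the record is read back from the audit file. This is an added example, not code from the presentation; the audit names, the file path, the procedure dbo.usp_export_customer_list and its row-limit rule are hypothetical, and event id 1234 is reused from the slide.

```sql
USE master;
GO
CREATE SERVER AUDIT Audit_UserDefined
TO FILE (FILEPATH = N'D:\SqlAudit\');      -- hypothetical path
GO
-- Events raised by sp_audit_write are captured through USER_DEFINED_AUDIT_GROUP.
CREATE SERVER AUDIT SPECIFICATION Audit_UserDefined_Spec
FOR SERVER AUDIT Audit_UserDefined
    ADD (USER_DEFINED_AUDIT_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_UserDefined WITH (STATE = ON);
GO
USE tempdb;                                -- scratch location for the demo procedure
GO
-- Hypothetical application procedure: logs who asked for an export and
-- whether the application's own rule allowed it.
CREATE PROCEDURE dbo.usp_export_customer_list
    @requested_by nvarchar(128),
    @row_limit    int
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @allowed bit = CASE WHEN @row_limit <= 1000 THEN 1 ELSE 0 END;
    DECLARE @info nvarchar(4000) =
        N'export requested_by=' + @requested_by +
        N' row_limit=' + CAST(@row_limit AS nvarchar(12));

    EXEC sp_audit_write
         @user_defined_event_id    = 1234,
         @succeeded                = @allowed,
         @user_defined_information = @info;

    IF @allowed = 0
        RAISERROR(N'Export exceeds the permitted row limit.', 16, 1);
END;
GO
EXEC dbo.usp_export_customer_list @requested_by = N'app_user_42', @row_limit = 5000;
GO
WAITFOR DELAY '00:00:02';                  -- let the audit queue flush to disk
SELECT event_time, succeeded, server_principal_name,
       user_defined_event_id, user_defined_information
FROM sys.fn_get_audit_file(N'D:\SqlAudit\Audit_UserDefined_*.sqlaudit', DEFAULT, DEFAULT)
WHERE user_defined_event_id = 1234;
```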
11
User-Defined Audit Event
demo User-Defined Audit Event
12
Record Filtering
CREATE SERVER AUDIT audit_name
{
    TO { [ FILE (<file_options> [ , ...n ]) ] | APPLICATION_LOG | SECURITY_LOG }
    [ WITH ( <audit_options> [ , ...n ] ) ]
    [ WHERE <predicate_expression> ]
}
…
<predicate_expression> ::=
{
    [ NOT ] <predicate_factor> | {( <predicate_expression> ) }
    [ { AND | OR } [ NOT ] { <predicate_factor> | ( <predicate_expression> ) } ]
    [ ,...n ]
}
Tightly constrain info written to Audit log
Audit record generated but not written
Leverages Xevent filtering
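A filter that narrows a server-wide action group down to one table, using only a server audit specification. This is an added example, not the presenter's demo; the audit names, the HR database and the file path are hypothetical, hr.payroll is the table named on the stack-information slide, and SQL Server 2012 as shipped spells the filter clause with the WHERE keyword.

```sql
USE master;
GO
CREATE SERVER AUDIT Audit_PayrollOnly
TO FILE (FILEPATH = N'D:\SqlAudit\')       -- hypothetical path
WITH (ON_FAILURE = CONTINUE)
WHERE database_name = 'HR'                 -- hypothetical database
  AND schema_name   = 'hr'
  AND object_name   = 'payroll';
GO
-- SCHEMA_OBJECT_ACCESS_GROUP raises an event for object access in every
-- database; the predicate above discards everything except hr.payroll
-- before the record is written.
CREATE SERVER AUDIT SPECIFICATION Audit_PayrollOnly_Spec
FOR SERVER AUDIT Audit_PayrollOnly
    ADD (SCHEMA_OBJECT_ACCESS_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_PayrollOnly WITH (STATE = ON);
GO
-- The stored predicate decides which records are dropped, so review it
-- together with the rest of the audit configuration.
SELECT name, is_state_enabled, predicate
FROM sys.server_audits
WHERE name = N'Audit_PayrollOnly';
GO
-- Widening the filter to the whole hr schema: the audit must be OFF first.
ALTER SERVER AUDIT Audit_PayrollOnly WITH (STATE = OFF);
GO
ALTER SERVER AUDIT Audit_PayrollOnly
WHERE database_name = 'HR'
  AND schema_name   = 'hr';
GO
ALTER SERVER AUDIT Audit_PayrollOnly WITH (STATE = ON);
GO
```

Because the event is still generated and only then filtered, the predicate reduces log volume rather than the cost of raising the event.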
13
demo Record Filtering
14
What is the performance impact?
15
Depends…
16
Audit Performance Depends upon:
The workload
What’s being audited
Comparison of SQL Server Audit against SQL Trace for 5 different typical customer workloads…
Workload 1: 11 dbs, ranging from 1.94 MB to MB. 755 tables with average of 2761 rows. 1,219,234 stmts executed.
Workload 2: 2 dbs ranging from 64 MB to MB. 35 tables with average of 49,141 rows. 1,633,557 stmts executed.
Workload 3: 3 dbs ranging from 1.94 MB to MB. 154 tables with average of 586 rows. Here is the activity: 585,400 stmts executed.
Workload 4: 1 db at MB. 84 tables with average of 144,245 rows. 3,435,303 stmts executed.
Workload 5: 1 db at MB. 152 tables with average of 4,108 rows. 296,642 stmts executed.
17
SQL Server Audit vs SQL Trace
18
Can I protect the Audit log from the DBA?
19
Yes.
20
Protecting Audit Data
Windows Security Log
  “Tamper-proof” log
  DBA cannot clear log (assuming not an Administrator)
  System Center Operations Manager Audit Collection Service
Copy Audit logs to secure location
  Directory or share inaccessible by service account or DBA
  Audit log files are shared-read and cannot be tampered with while active
  Possible momentary exposure if using multiple logs
Combination of the two
  Audit “tamper” activity to Security Log, e.g., DBA modifying Audit
  All other Audit events are sent to file
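The "combination of the two" layout as two audits: changes to audit objects go to the Windows Security log, everything else goes to file. This is an added example, not code from the presentation; all audit and specification names and the file path are hypothetical, and the groups chosen for the file audit are only one possible selection.

```sql
USE master;
GO
-- Audit 1: tamper activity. Writing to the Security log requires the SQL
-- Server service account to hold the Windows "Generate security audits"
-- right and the object-access audit policy to be enabled.
CREATE SERVER AUDIT Audit_Tamper
TO SECURITY_LOG
WITH (ON_FAILURE = CONTINUE);
GO
-- AUDIT_CHANGE_GROUP fires when any audit or audit specification is
-- created, altered or dropped, e.g. a DBA switching an audit off.
CREATE SERVER AUDIT SPECIFICATION Audit_Tamper_Spec
FOR SERVER AUDIT Audit_Tamper
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_Tamper WITH (STATE = ON);
GO
-- Audit 2: all other activity of interest goes to file, which is the
-- faster target; closed files are then copied to the secure location.
CREATE SERVER AUDIT Audit_Activity
TO FILE (FILEPATH = N'D:\SqlAudit\', MAXSIZE = 100 MB)   -- hypothetical path
WITH (ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION Audit_Activity_Spec
FOR SERVER AUDIT Audit_Activity
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_Activity WITH (STATE = ON);
GO
-- Show which action groups are routed to which target.
SELECT a.name AS audit_name, a.type_desc AS target,
       s.name AS specification, d.audit_action_name
FROM sys.server_audits AS a
JOIN sys.server_audit_specifications AS s
     ON s.audit_guid = a.audit_guid
JOIN sys.server_audit_specification_details AS d
     ON d.server_specification_id = s.server_specification_id
ORDER BY a.name, d.audit_action_name;
```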
21
What happens if Audit fails to write?
22
Depends again…
23
Audit Write Failure (Shutdown)
Server shuts down
Buffered audit events lost
24
Audit Write Failure (Continue)
Audit Events Buffered
  Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text)
Server Blocks New Activity Generating Audit Event
  Does not affect other Audits
  Blocks until buffer space freed or audit disabled
Audit Session Turned Off
  Buffered data is discarded and error written to errorlog
  Continue trying to write future events to Audit log
  Automatically try to restart Audit session when next event is generated
Buffer filled
System error
25
Audit Write Failure (Fail Operation)
Audit Events Buffered
  Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text)
Server Fails New Activity Generating Audit Event
  Does not affect other Audits
  Fails new operations until buffer space freed or audit disabled
  Buffered audit events persist and the write is continuously re-attempted until audit disabled or server shut down
Buffer filled
26
What do I do if the server fails to start because of SQL Server Audit?
27
Start the server in single-user mode
28
Starting the Server
Option 1
  Correct source of error
  E.g., file system full
Option 2
  Single-user mode, “-m”
  Audit is active but shutdown-on-failure behavior deactivated
  Audit Admin can fix Audit configuration
Option 3
  Minimal configuration mode, “-f”
  Audit disabled but Audit DDL can still be issued.
Bonus
  If “Fail Operation” and “AUDIT_CHANGE_GROUP”, use DAC connection
  Audit event still generated but will not fail operation
29
Using SQL Server Audit with Policy-Based Management
demo Using SQL Server Audit with Policy-Based Management
30
Anything else I should know?
31
Just a few things.
32
Other Things You Should Know
Parameterized queries
Audit Xevent Sessions may not be manipulated by Xevent DDL.
Audit logs are not encrypted or compressed
Audit events are fired with permission checks
Writing to files is much faster than to event log
No auditing of result sets
33
Other Things You Should Know
Both Audit and Audit Specifications have STATE parameters.
Can only change state outside user transaction.
All other audit changes can be done in a transaction, but with Audit or Audit Specification OFF.
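The ordering these rules impose on a configuration change: state off outside any transaction, the changes themselves inside one transaction, state back on. This is an added example, not code from the presentation; the audit name, specification name and file path are hypothetical.

```sql
USE master;
GO
-- Setup (hypothetical names): an enabled audit with one action group.
CREATE SERVER AUDIT Audit_Maint
TO FILE (FILEPATH = N'D:\SqlAudit\')
WITH (ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION Audit_Maint_Spec
FOR SERVER AUDIT Audit_Maint
    ADD (FAILED_LOGIN_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_Maint WITH (STATE = ON);
GO

-- Step 1: STATE changes run outside any user transaction.
ALTER SERVER AUDIT SPECIFICATION Audit_Maint_Spec WITH (STATE = OFF);
ALTER SERVER AUDIT Audit_Maint WITH (STATE = OFF);
GO

-- Step 2: with both objects OFF, the remaining changes can be applied
-- atomically, so the audit never runs half-reconfigured.
BEGIN TRANSACTION;
    ALTER SERVER AUDIT Audit_Maint WITH (ON_FAILURE = FAIL_OPERATION);
    ALTER SERVER AUDIT SPECIFICATION Audit_Maint_Spec
        ADD (AUDIT_CHANGE_GROUP);
COMMIT TRANSACTION;
GO

-- Step 3: switch back on, again outside a transaction. Nothing is
-- recorded by this audit between step 1 and this point.
ALTER SERVER AUDIT Audit_Maint WITH (STATE = ON);
ALTER SERVER AUDIT SPECIFICATION Audit_Maint_Spec WITH (STATE = ON);
GO

-- Verify configured state against the running session.
SELECT a.name, a.is_state_enabled, a.on_failure_desc,
       s.status_desc, s.status_time
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s
       ON s.audit_id = a.audit_id
WHERE a.name = N'Audit_Maint';
```

The resulting audit combines Fail Operation with AUDIT_CHANGE_GROUP, the case for which the Starting the Server slide recommends a DAC connection if the audit target becomes unwritable.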
34
Securely and Easily Track DB Activity
Consider SQL Server Audit for all security auditing requirements and leverage the 2012 enhancements
Carefully devise a strategy for what needs to be audited and where to send the audit information based on security and performance needs
Monitor administrator activity and prevent tampering of the logs.
35
Session Resources
Books Online: Security Enhancements (Database Engine), SQL Server Audit (Database Engine)
Whitepaper: Auditing in SQL Server 2008
SQL Server Security Forum:
SQL Security Blog:
36
Related Content
Bare Metal Microsoft SQL Server 2012 Deployment and Management (S. Hall B WRK Rm 1)
Microsoft SQL Server: Mission Critical Confidence - Organizational Security and Compliance Demo Station (S. Hall A)
Find Me Later At The Mission Critical Booth In The Expo
37
Il-Sung Lee http://blogs.msdn.com/b/sqlsecurity/ ilsung@microsoft.com
I’m not a tweeter
38
Track Resources
SQL Server 2012 Eval Copy
Hands-On Labs
@sqlserver
@teched_europe
Microsoft Virtual Academy
Get Certified!
39
Resources
Learning
TechNet
http://europe.msteched.com
Connect. Share. Discuss.
Microsoft Certification & Training Resources
TechNet Resources for IT Professionals
Resources for Developers
40
Submit your evals online
Evaluations