A Comparative Analysis of Auditing Solutions in SQL Server
or How The Hell Can I Tell Who's Messing With My Data

7/9/2009

Audit

• A methodical examination or review of a condition or situation

Compliance

• Acting according to certain accepted standards

• Monitoring the extent of compliance with the standards and ethical codes at either an agency or sector level

(Figure: compliance cycle: Assessment, Prioritization, Action plan, Monitoring, Validation, Remediation; supported by Policies, Training and Practices)


Auditing in SQL

• User actions

– data changes

– Data read

– Schema changes

• Security events

– Logins

– Server security activities

Audit Solutions Timeline

• 6.x: Trace, DML Triggers

• 7: Profiler

• 2000: C2

• 2005: DDL triggers

• 2005 SP2: Common criteria + logon triggers

• 2008: SQL Audit, CDC, Change Tracking

Agenda

• Schema changes and Security Audit

– Trace

– SQL Audit

– DDL Triggers (& Login Triggers)

• Data changes Audit

– DML Triggers

– Change Tracking

– Change Data Capture (CDC)

• Third party tools

– Idera SQL Compliance Manager

SQL Trace

• Versions Available:

6.x + (Profiler since 7)

• Editions available:

All (Profiler not available in Express Edition)

• What does it audit?

User Actions

(who read, who wrote, who altered)

Most of the events we can dream of: object access and management in any scope, security changes and events, logins (in addition to everything required for debugging, monitoring and performance tuning)


SQL Trace

Pros

• A one-stop mechanism to get tons of security related information.

• No objects have to be altered or created.

• Captures things that can’t be captured otherwise (DBCC, create/alter trace, backup/restore) - until SQL Server 2008

• Actions are ALWAYS audited (even if transaction was rolled back)

Cons

• Data changes are not collected (can be collected with user defined events, but this requires triggers and is complex to work out)

• May be harder to filter and analyze for relevant events.

• The syntax is complicated, and it is harder to understand what we are auditing (when not using Profiler).

• There is no guarantee the trace will run when the server starts; we should take care of it (using a startup procedure or an Agent job)

SQL Trace

• How to create

– See Yaniv Etrogi’s UG 87 session in sqlserver.co.il

• How does it work?

– Based on internal trace events


SQL Trace

• Performance overhead

– Minimal (when not used with Profiler)

– Tested with 5 events and only Profiler filtered out:

http://sqlblog.com/blogs/linchi_shea/archive/2007/08/01/trace-profiler-test.aspx

SQL Trace

• Interesting events to look for (Security):

– Audit Schema Object Access

– Audit Schema Object Management

– Audit Schema Object GDR

– Audit Schema Object Take Ownership

– Audit Login Failed
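The following is an added example, not from the presentation or the referenced UG session: a server-side trace for the five audit events listed above, wrapped in a startup procedure so that the trace is re-created whenever the instance starts (the "no guarantee the trace will run" con). The file path, rollover settings and column selection are assumptions; the event and column IDs are the documented SQL Trace IDs.

```sql
USE master;
GO
CREATE PROCEDURE dbo.usp_start_security_trace
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @traceid int, @rc int, @e int, @c int;
    DECLARE @maxsize bigint;   -- sp_trace_create insists on a bigint here
    DECLARE @on bit;
    SET @maxsize = 50;         -- MB per file before rollover (assumption)
    SET @on = 1;

    -- Option 2 = TRACE_FILE_ROLLOVER; adding 4 (SHUTDOWN_ON_ERROR) gives C2-style
    -- "no audit, no SQL Server" behaviour. The .trc extension is appended by the server.
    EXEC @rc = sp_trace_create @traceid OUTPUT, 2, N'E:\SqlTraces\security', @maxsize, NULL, 10;
    IF @rc <> 0
    BEGIN
        RAISERROR('sp_trace_create failed with return code %d', 16, 1, @rc);
        RETURN;
    END

    -- Events from the slide: 20 Audit Login Failed, 103 Audit Schema Object GDR,
    -- 114 Audit Schema Object Access, 131 Audit Schema Object Management,
    -- 153 Audit Schema Object Take Ownership.
    -- Columns: 1 TextData, 6 NTUserName, 8 HostName, 10 ApplicationName,
    -- 11 LoginName, 12 SPID, 14 StartTime, 23 Success, 34 ObjectName, 35 DatabaseName.
    DECLARE @ev TABLE (eventid int);
    INSERT @ev SELECT 20 UNION ALL SELECT 103 UNION ALL SELECT 114
               UNION ALL SELECT 131 UNION ALL SELECT 153;
    DECLARE @col TABLE (columnid int);
    INSERT @col SELECT 1 UNION ALL SELECT 6 UNION ALL SELECT 8 UNION ALL SELECT 10
                UNION ALL SELECT 11 UNION ALL SELECT 12 UNION ALL SELECT 14
                UNION ALL SELECT 23 UNION ALL SELECT 34 UNION ALL SELECT 35;

    -- sp_trace_setevent takes one event/column pair per call
    DECLARE ec CURSOR LOCAL FAST_FORWARD FOR
        SELECT e.eventid, c.columnid FROM @ev AS e CROSS JOIN @col AS c;
    OPEN ec;
    FETCH NEXT FROM ec INTO @e, @c;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        EXEC sp_trace_setevent @traceid, @e, @c, @on;
        FETCH NEXT FROM ec INTO @e, @c;
    END
    CLOSE ec;
    DEALLOCATE ec;

    -- Drop Profiler's own activity: column 10 (ApplicationName), AND (0), NOT LIKE (7)
    EXEC sp_trace_setfilter @traceid, 10, 0, 7, N'SQL Server Profiler%';

    EXEC sp_trace_setstatus @traceid, 1;   -- 1 = start (0 = stop, 2 = close and delete)
END
GO
-- Start it now and register it as a startup procedure
EXEC dbo.usp_start_security_trace;
EXEC sp_procoption @ProcName = N'usp_start_security_trace', @OptionName = 'startup', @OptionValue = 'on';
GO
-- Check what is running; the default trace shows up with is_default = 1
SELECT id, path, is_rollover, is_shutdown, status, start_time, event_count
FROM sys.traces;
```

The procedure lives in master and takes no parameters, which is what sp_procoption requires; the trace file directory must exist and be writable by the service account before the instance starts.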


SQL Trace

• Default trace

– File growth, shrink

– Mirroring state change

– Errors and warnings

– Fulltext crawl start/stop/abort

– Object create/alter/drop

– 17 audit events

– Server memory change

– 5 rollover files of 20 MB each

SQL Trace

• Blackbox trace

– 5 MB files (size and rollover file count can be overridden after setup)

– Saved to default data folder

– Traces:

• RPC Starting

• Batch Starting

• Exception

• Attention (timeouts)

– No filters, no event/column configuration


C2 Audit

• Versions Available:

2000+

• Editions available:

All

• What does it audit?

Failed and successful attempts to access statements and objects.

C2 Audit

Pros

• Simple trace to set up (one checkbox)

• Audits every action on every object within the SQL Server instance.

• No audit – no SQL Server: SQL Server shuts down if it can’t write audit information.

Cons

• Requires instance restart to enable/disable.

• Not configurable in terms of events, columns, filters or file size. It saves the audit trail in 200 MB files in the default data folder (any worse choice?) – can cause disk space problems


C2 Audit

• How to create

-- c2 audit mode is an advanced option, so expose it first
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO
EXEC sp_configure 'c2 audit mode', 1
GO
RECONFIGURE

– or check the option in Server properties

C2 Audit

• Performance overhead

– Like SQL trace (with 40 audit events, 45 columns and no filters)


Common Criteria Compliance

• Versions Available:

2005 SP2 +

• Editions available:

Enterprise only

• What does it do?

Enables elements that are required for the Common Criteria.

Common Criteria Compliance

Criteria | Description
Residual Information Protection (RIP) | Requires a memory allocation to be overwritten with a known pattern of bits before memory is reallocated to a new resource. (better security, worse performance)
The ability to view login statistics | When login auditing is enabled, information about the last successful login time, the last unsuccessful login time, and the number of attempts between the last successful and current login times is made available via sys.dm_exec_sessions
That column GRANT should not override table DENY | A table-level DENY takes precedence over a column-level GRANT (not default behavior)


Common Criteria Compliance

• How to create

– Run the script below, or check the option in Server properties

– Also requires running a script that finishes configuring SQL Server to comply with Common Criteria Evaluation Assurance Level 4+ (EAL4+)

-- 'common criteria compliance enabled' is an advanced option; the setting takes effect after an instance restart
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO
EXEC sp_configure 'common criteria compliance enabled', 1
GO
RECONFIGURE

Common Criteria Compliance

• Performance overhead

– Not tested.


SQL Audit

• Versions Available:

2008

• Editions available:

Enterprise only

• What does it audit?

Audit user actions

(who read, who wrote, who altered)

Unlike SQL Trace, SQL Audit is meant to provide full auditing capabilities and only auditing capabilities

SQL Audit

• How does it work?

– SQL Server Audit is a brand new audit mechanism.

– Different set of events for server scope and database scope.

– Based on Extended Events

– Tightly bound to the DBMS engine - implemented by hooking the internal permission checks

– Can output to

• File

• Windows Application Log

• Windows Security Log

– Can be synchronous or asynchronous (default)


SQL Audit

• Sample Event groups:

– Server scope:

• SUCCESSFUL_LOGIN_GROUP

• FAILED_LOGIN_GROUP

• LOGIN_CHANGE_PASSWORD_GROUP

• DBCC_GROUP

– Database scope:

• SCHEMA_OBJECT_CHANGE_GROUP

• DATABASE_OWNERSHIP_CHANGE_GROUP

• DATABASE_PERMISSION_CHANGE_GROUP

SQL Audit

Pros

• A one-stop mechanism to get tons of security related information.

• Captures things that can’t be captured otherwise (DBCC, create/alter trace, backup/restore)

• Easy to set up, filter in any granularity of objects, actions and users.

• Performs even better than a trace

• Actions are ALWAYS audited (even if transaction was rolled back)

• Many options of output – can be combined with System Center Operations Manager (formerly known as MOM)

• Can be configured to shut down the server if it fails to audit.

Cons

• Data changes are not collected

• Audit data is saved to a .sqlaudit file or the event log, not to a table.


SQL Audit

• How to create

USE master
CREATE SERVER AUDIT audit1 TO FILE (FILEPATH = '\\srv\adt')
GO
USE hr_db
CREATE DATABASE AUDIT SPECIFICATION hr_dbspec FOR SERVER AUDIT audit1
ADD (SELECT, UPDATE, INSERT, DELETE ON hr.salary BY dbo)
GO
-- and enable the audit & audit specification (both are created disabled)
ALTER SERVER AUDIT audit1 WITH (STATE = ON)
ALTER DATABASE AUDIT SPECIFICATION hr_dbspec WITH (STATE = ON)

SQL Audit

• How to read

SELECT * FROM fn_get_audit_file('E:\SqlAudits\*', default, default)


SQL Audit

• Performance overhead

– Lower than Profiler!

http://msdn.microsoft.com/en-us/library/dd392015.aspx

(Chart: elapsed time over 5 test runs for Base Time, SQL Trace and SQL Audit; y-axis 0 to 120)

SQL Audit

• Tips:

– It’s disabled by default – don’t forget to enable it after you set it up.

– Just like with DCL statements we can use database or schema scopes. For example:

SELECT ON DATABASE::MyDB
UPDATE ON SCHEMA::HR

– Can output to the application/security log (look for event ID 33205)
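An added example, not from the presentation, that puts the "How to create", "How to read" and "Tips" slides together: a server audit with explicit queue and failure settings, a server audit specification for the server-scope groups named earlier, a database audit specification using the SCHEMA:: scope, and two read queries over the audit file. The names (sec_audit, hr_db, the hr schema, E:\SqlAudits) are assumptions.

```sql
USE master;
GO
-- Asynchronous delivery (QUEUE_DELAY in ms, minimum 1000) and "no audit, no
-- SQL Server" on failure; ON_FAILURE = CONTINUE is the default.
CREATE SERVER AUDIT sec_audit
TO FILE (FILEPATH = 'E:\SqlAudits\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
-- Server-scope action groups (see the Sample Event groups slide)
CREATE SERVER AUDIT SPECIFICATION sec_audit_server_spec
FOR SERVER AUDIT sec_audit
ADD (FAILED_LOGIN_GROUP),
ADD (LOGIN_CHANGE_PASSWORD_GROUP),
ADD (DBCC_GROUP),
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- The audit object itself is created disabled and has to be switched on
ALTER SERVER AUDIT sec_audit WITH (STATE = ON);
GO
USE hr_db;
GO
-- Database scope: DML on the whole hr schema (SCHEMA:: scope, BY public = every
-- principal), plus schema and permission changes in this database
CREATE DATABASE AUDIT SPECIFICATION hr_db_spec
FOR SERVER AUDIT sec_audit
ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::hr BY public),
ADD (SCHEMA_OBJECT_CHANGE_GROUP),
ADD (DATABASE_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- Reading back: decode the 4-character action_id into a name (sys.dm_audit_actions
-- lists the same id once per securable class, hence DISTINCT) and keep the
-- columns a reviewer needs. event_time in the audit file is UTC.
SELECT f.event_time, f.server_principal_name, f.database_principal_name,
       a.name AS action_name, f.succeeded, f.database_name, f.schema_name,
       f.object_name, f.statement
FROM sys.fn_get_audit_file('E:\SqlAudits\*', DEFAULT, DEFAULT) AS f
LEFT JOIN (SELECT DISTINCT action_id, name FROM sys.dm_audit_actions) AS a
       ON a.action_id = f.action_id
WHERE f.event_time >= DATEADD(DAY, -1, GETUTCDATE())
ORDER BY f.event_time, f.sequence_number;

-- Threshold-style check over the same data: logins with 10 or more failures in
-- the last 5 minutes (action_id 'LGIF' is LOGIN FAILED).
SELECT f.server_principal_name, COUNT(*) AS failures,
       MIN(f.event_time) AS first_failure, MAX(f.event_time) AS last_failure
FROM sys.fn_get_audit_file('E:\SqlAudits\*', DEFAULT, DEFAULT) AS f
WHERE f.action_id = 'LGIF'
  AND f.event_time >= DATEADD(MINUTE, -5, GETUTCDATE())
GROUP BY f.server_principal_name
HAVING COUNT(*) >= 10;
```

ON_FAILURE = SHUTDOWN requires the login creating the audit to hold SHUTDOWN permission, and the audit directory must be writable by the service account; the second query is the kind of aggregation a job or alert would run, since the audit itself only records events.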


DDL Triggers

• Versions Available:

2005+ (logon triggers in 2005 SP2+)

• Editions available:

All

• What does it audit?

Tracks object changes at server, database and schema levels + login events

DDL Triggers

Pros

• Useful for auditing but can also be used to act on DDL statements (e.g. ROLLBACK)

• Can have lots of logic within it (we write all the code)

Cons

• Transaction bound (if change is done within transaction, the audit can be rolled back as well)

• Requires code and object generation.

• The tracking table (if exists) needs to be managed.


DDL Triggers

• How to create, prerequisites

– Logon triggers require 2005 SP2+

– Use the EVENTDATA() function to get information

CREATE TRIGGER [name]
ON [DATABASE] / [ALL SERVER]
FOR [DDL_DATABASE_LEVEL_EVENTS]
AS ...
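An added example, not from the presentation, filling in the skeleton above: a database-scoped DDL trigger that records every DDL event from EVENTDATA() into an audit table and refuses DROP TABLE for non-sysadmin sessions. It also shows the "transaction bound" con from the previous slide: a ROLLBACK inside the trigger would discard the audit row too, so the row is written after the rollback. The database, schema, table and trigger names and the blocking policy are assumptions.

```sql
USE hr_db;
GO
IF SCHEMA_ID('adt') IS NULL EXEC ('CREATE SCHEMA adt AUTHORIZATION dbo');
GO
CREATE TABLE adt.ddl_log (
    id             int IDENTITY(1,1) NOT NULL PRIMARY KEY,
    event_time     datetime       NOT NULL DEFAULT GETDATE(),
    event_type     nvarchar(100)  NOT NULL,
    login_name     nvarchar(128)  NOT NULL,   -- LoginName from EVENTDATA()
    original_login nvarchar(128)  NOT NULL,   -- ORIGINAL_LOGIN(): survives EXECUTE AS
    host_name      nvarchar(128)  NULL,
    app_name       nvarchar(128)  NULL,
    object_schema  nvarchar(128)  NULL,
    object_name    nvarchar(128)  NULL,
    blocked        bit            NOT NULL DEFAULT 0,
    tsql_command   nvarchar(max)  NULL,
    event_xml      xml            NOT NULL    -- full EVENTDATA() for later questions
);
GO
CREATE TRIGGER trg_adt_ddl
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml, @event_type nvarchar(100), @blocked bit;
    SET @e = EVENTDATA();
    SET @event_type = @e.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(100)');
    SET @blocked = 0;

    -- Trigger as control, not only record (assumed policy): DROP TABLE is
    -- refused unless the session is a member of sysadmin.
    IF @event_type = 'DROP_TABLE' AND IS_SRVROLEMEMBER('sysadmin') <> 1
    BEGIN
        SET @blocked = 1;
        -- ROLLBACK undoes the DROP and anything this trigger had inserted so far.
        -- Statements after it run in their own auto-commit transaction, which is
        -- why the audit INSERT comes afterwards.
        ROLLBACK TRANSACTION;
    END

    INSERT adt.ddl_log (event_type, login_name, original_login, host_name, app_name,
                        object_schema, object_name, blocked, tsql_command, event_xml)
    VALUES (@event_type,
            @e.value('(/EVENT_INSTANCE/LoginName)[1]', 'nvarchar(128)'),
            ORIGINAL_LOGIN(), HOST_NAME(), APP_NAME(),
            @e.value('(/EVENT_INSTANCE/SchemaName)[1]', 'nvarchar(128)'),
            @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'),
            @blocked,
            @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
            @e);

    IF @blocked = 1
        RAISERROR('DROP TABLE is blocked for non-sysadmin sessions; the attempt has been logged.', 16, 1);
END
GO
-- Review recent schema changes and blocked attempts
SELECT event_time, event_type, login_name, original_login, host_name, app_name,
       object_schema, object_name, blocked
FROM adt.ddl_log
ORDER BY event_time DESC;
```

HOST_NAME() and APP_NAME() are client-supplied and can be set to anything by the connection string, so they help with triage but are not evidence on their own; ORIGINAL_LOGIN() is the server's own record of who connected.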

DDL Triggers

• Performance overhead

– Slightly higher than trace

– Depends on the statements inside the trigger.


DML Triggers

• Versions Available:

Any

• Editions available:

All

• What does it audit?

Audit data changes in a table + security information.

DML Triggers

Pros

• Useful for auditing but can also be used to act on DML statements (e.g. ROLLBACK)

• Can have lots of logic within it (we write all the code)

• Can combine security information and data changes

Cons

• Transaction bound (the change is done within the transaction, so the audit can be rolled back as well; if the trigger fails, the transaction is doomed)

• Requires code and object generation.

• The tracking table (if exists) needs to be managed.


DML Triggers

• How to create

– Use the deleted and inserted tables to retrieve the changed data.

– Use built-in functions like SUSER_SNAME() to get security information.

– Use the UPDATE(column) function to check if a column changed, or COLUMNS_UPDATED() to check which columns have changed.

CREATE TRIGGER [name] ON { table | view }
[ WITH <dml_trigger_option> ]
{ FOR | AFTER | INSTEAD OF }
{ [ INSERT ] [,] [ UPDATE ] [,] [ DELETE ] }
AS ...
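An added example, not from the presentation, that applies the three bullets above to the slide's hr.salary table: an AFTER trigger that joins inserted and deleted, skips updates that never touched the audited column via UPDATE(), stores COLUMNS_UPDATED() for forensics, and records both SUSER_SNAME() and ORIGINAL_LOGIN() so impersonation is visible. The table layout, the adt schema and the sample rows are constructed for the demonstration.

```sql
USE hr_db;
GO
IF SCHEMA_ID('hr')  IS NULL EXEC ('CREATE SCHEMA hr AUTHORIZATION dbo');
IF SCHEMA_ID('adt') IS NULL EXEC ('CREATE SCHEMA adt AUTHORIZATION dbo');
GO
-- Constructed sample table
CREATE TABLE hr.salary (
    emp_id int     NOT NULL PRIMARY KEY,
    amount money   NOT NULL,
    grade  char(2) NOT NULL
);
CREATE TABLE adt.salary_audit (
    audit_id       int IDENTITY(1,1) NOT NULL PRIMARY KEY,
    event_time     datetime       NOT NULL DEFAULT GETDATE(),
    action         char(1)        NOT NULL,   -- I, U or D
    emp_id         int            NOT NULL,
    old_amount     money          NULL,
    new_amount     money          NULL,
    updated_mask   varbinary(128) NULL,       -- COLUMNS_UPDATED(): bit n-1 set for column ordinal n
    login_name     nvarchar(128)  NOT NULL,   -- SUSER_SNAME(): may be an impersonated login
    original_login nvarchar(128)  NOT NULL,   -- ORIGINAL_LOGIN(): the login that connected
    db_user        nvarchar(128)  NOT NULL,
    host_name      nvarchar(128)  NULL,
    app_name       nvarchar(128)  NULL
);
GO
CREATE TRIGGER hr.trg_salary_audit
ON hr.salary
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    -- UPDATE(col) is true when the column appears in the SET list even if the value
    -- is unchanged: skip updates that never touched amount, compare values for the rest.
    IF EXISTS (SELECT 1 FROM inserted) AND EXISTS (SELECT 1 FROM deleted) AND NOT UPDATE(amount)
        RETURN;

    -- Set-based, so a multi-row statement yields one audit row per affected row.
    -- Joining on the key assumes emp_id itself is never updated.
    INSERT adt.salary_audit (action, emp_id, old_amount, new_amount, updated_mask,
                             login_name, original_login, db_user, host_name, app_name)
    SELECT CASE WHEN d.emp_id IS NULL THEN 'I'
                WHEN i.emp_id IS NULL THEN 'D'
                ELSE 'U' END,
           COALESCE(i.emp_id, d.emp_id),
           d.amount, i.amount,
           COLUMNS_UPDATED(),
           SUSER_SNAME(), ORIGINAL_LOGIN(), USER_NAME(), HOST_NAME(), APP_NAME()
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d ON i.emp_id = d.emp_id
    WHERE i.emp_id IS NULL OR d.emp_id IS NULL OR i.amount <> d.amount;
END
GO
-- Constructed activity: the audit rows are written in the same transaction as the change
INSERT hr.salary (emp_id, amount, grade) VALUES (1, 5000, 'B2');
UPDATE hr.salary SET grade = 'B3' WHERE emp_id = 1;           -- not logged: amount untouched
UPDATE hr.salary SET amount = amount * 1.10 WHERE emp_id = 1;
DELETE hr.salary WHERE emp_id = 1;
SELECT action, emp_id, old_amount, new_amount, login_name, original_login, app_name
FROM adt.salary_audit
ORDER BY audit_id;
```

Because the trigger runs inside the caller's transaction, any error it raises dooms that transaction; keep the body to the INSERT above and leave reporting and alerting to a separate job that reads adt.salary_audit.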

DML Triggers

• Performance overhead

– Depends on the statements inside the trigger.


Change Tracking

• Versions Available:

2008

• Editions available:

All

• What does it audit?

Audits the fact that a certain row has changed and with what action (Insert, Update or Delete):

– Which rows have changed in a user table?

– Has a row changed?

Change Tracking

• How to create, prerequisites

– Should be enabled in the database and then on the table

– Table must have a primary key or a unique index.

• How does it work?

– Synchronous – if a problem occurs in the change tracking, the transaction is rolled back.

– Creates internal tables that have columns to store the primary key value, the action performed (insert, update, delete), an optional updated-columns bitmap and the version of the change.

– A version at the DB level.

– Has a retention period that cleans the internal tables.

– Built-in functions to retrieve changes and versions.
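An added example, not from the presentation, that walks the steps above: enable change tracking on the database and then on the table, read the changes since the last synchronised version under snapshot isolation, and handle the case where retention cleanup has already discarded the versions a consumer still needed (the reason change tracking is not an audit trail). The hr_db / hr.salary names and the dbo.ct_sync_state table are assumptions; the tagged UPDATE is constructed activity.

```sql
-- Database first, then the table; retention drives the automatic cleanup
ALTER DATABASE hr_db
SET CHANGE_TRACKING = ON (CHANGE_RETENTION = 2 DAYS, AUTO_CLEANUP = ON);
ALTER DATABASE hr_db SET ALLOW_SNAPSHOT_ISOLATION ON;   -- recommended for consistent reads
GO
USE hr_db;
GO
ALTER TABLE hr.salary ENABLE CHANGE_TRACKING WITH (TRACK_COLUMNS_UPDATED = ON);
GO
-- The consumer remembers the last version it processed, one row per tracked table
CREATE TABLE dbo.ct_sync_state (table_name sysname NOT NULL PRIMARY KEY, last_sync_version bigint NOT NULL);
INSERT dbo.ct_sync_state (table_name, last_sync_version) VALUES ('hr.salary', 0);
GO
-- Change tracking stores no "who". An application can tag its own changes with a
-- context value, but nothing forces callers to do so (purely cooperative).
DECLARE @ctx varbinary(128);
SET @ctx = CAST(SUSER_SNAME() AS varbinary(128));
WITH CHANGE_TRACKING_CONTEXT (@ctx)
UPDATE hr.salary SET amount = amount * 1.05 WHERE emp_id = 1;
GO
SET TRANSACTION ISOLATION LEVEL SNAPSHOT;
BEGIN TRANSACTION;
    DECLARE @last bigint, @current bigint, @min_valid bigint;
    SELECT @last = last_sync_version FROM dbo.ct_sync_state WHERE table_name = 'hr.salary';
    SET @current   = CHANGE_TRACKING_CURRENT_VERSION();
    SET @min_valid = CHANGE_TRACKING_MIN_VALID_VERSION(OBJECT_ID('hr.salary'));

    IF @last < @min_valid
    BEGIN
        -- Cleanup has already discarded versions this consumer never read. There is
        -- no history to fall back on, so the whole table must be re-read.
        ROLLBACK TRANSACTION;
        RAISERROR('Last sync version %I64d is below the minimum valid version %I64d: full reload required.',
                  16, 1, @last, @min_valid);
        RETURN;
    END

    SELECT ct.emp_id,
           ct.SYS_CHANGE_OPERATION AS op,             -- I, U or D
           ct.SYS_CHANGE_VERSION,
           CASE WHEN ct.SYS_CHANGE_OPERATION = 'U'
                THEN CHANGE_TRACKING_IS_COLUMN_IN_MASK(
                         COLUMNPROPERTY(OBJECT_ID('hr.salary'), 'amount', 'ColumnId'),
                         ct.SYS_CHANGE_COLUMNS)
                ELSE NULL END AS amount_changed,
           CAST(ct.SYS_CHANGE_CONTEXT AS nvarchar(128)) AS change_context,
           s.amount AS current_amount                  -- current value only: no before-image
    FROM CHANGETABLE(CHANGES hr.salary, @last) AS ct
    LEFT JOIN hr.salary AS s ON s.emp_id = ct.emp_id  -- NULL for deleted rows
    WHERE ct.SYS_CHANGE_VERSION <= @current;

    UPDATE dbo.ct_sync_state SET last_sync_version = @current WHERE table_name = 'hr.salary';
COMMIT TRANSACTION;
```

Reading the current version and the change set inside one snapshot transaction is what keeps the two consistent; without it a change committed between the two statements can be missed or double-counted on the next pass.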


Change Tracking

• Performance overhead

– More IO: the incremental performance overhead that is associated with using change tracking on a table is similar to the overhead incurred when an index is created for a table and needs to be maintained.

Change Tracking

• Pros

– No need to develop complex procedures for tracking changes

– Doesn’t take a lot of disk space

– Synchronous

– Auto cleanup tasks

• Cons

– Doesn’t keep historical data

– Doesn’t keep security information

– Usually used with snapshot isolation level, which causes performance to drop

– Affects the system IO


Change Tracking

• Remarks

– When change tracking is enabled, there are restrictions on the DDL that can be performed on a table being tracked. The most notable restriction is that the primary key cannot be altered in any way.

– Switching a partition fails if one or both of the tables has change tracking enabled.

Change Data Capture (CDC)

• Versions Available:

2008

• Editions available:

Enterprise Only

• What does it Audit?

Audits all the changes on all rows in a table on specific columns.


CDC

• How does it work?

– Asynchronous

– Uses log reader (like transactional replication)

– Creates schema and tables

• Performance overhead

– A lot of disk space

– More IO

CDC

• Pros

– Asynchronous

– Has the option to choose what to monitor.

– Keeps data history

– Has a cleaning mechanism

• Cons

– A lot of disk space

– More IO

– Can cause log truncation problem
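An added example, not from the presentation, covering the CDC slides above: enable CDC on the database and on hr.salary for chosen columns, read the captured history through the generated function, and check for the log truncation problem named in the cons. The hr_db / hr.salary names and the role name are assumptions.

```sql
USE hr_db;
GO
-- Enable CDC for the database (creates the cdc schema, cdc user and metadata tables)
EXEC sys.sp_cdc_enable_db;
GO
-- Enable CDC for the table: capture only the columns of interest and gate the
-- change data behind a database role
EXEC sys.sp_cdc_enable_table
     @source_schema        = N'hr',
     @source_name          = N'salary',
     @role_name            = N'cdc_hr_reader',
     @captured_column_list = N'emp_id, amount',
     @supports_net_changes = 1;           -- needs a primary key (or @index_name)
GO
-- The call above also creates the capture and cleanup jobs: SQL Agent must be running
EXEC sys.sp_cdc_help_jobs;
GO
-- Read every change in the harvested LSN range. The capture instance name defaults
-- to schema_table ('hr_salary'); fn_cdc_get_min_lsn returns 0x0 for an unknown name.
DECLARE @from binary(10), @to binary(10);
SET @from = sys.fn_cdc_get_min_lsn('hr_salary');
SET @to   = sys.fn_cdc_get_max_lsn();
SELECT sys.fn_cdc_map_lsn_to_time(c.__$start_lsn) AS change_time,
       CASE c.__$operation
            WHEN 1 THEN 'delete' WHEN 2 THEN 'insert'
            WHEN 3 THEN 'update (before)' WHEN 4 THEN 'update (after)'
       END AS operation,
       c.emp_id, c.amount,
       sys.fn_cdc_is_bit_set(sys.fn_cdc_get_column_ordinal('hr_salary', 'amount'),
                             c.__$update_mask) AS amount_changed
FROM cdc.fn_cdc_get_all_changes_hr_salary(@from, @to, N'all update old') AS c
ORDER BY c.__$start_lsn, c.__$seqval, c.__$operation;
GO
-- CDC records no login, host or statement. If "who" matters, pair it with
-- SQL Audit or a DML trigger on the same table.

-- Log truncation check (the con on the slide): CDC pins the log until the capture
-- job has read it, so a stalled job shows up as log_reuse_wait_desc = REPLICATION.
SELECT name, log_reuse_wait_desc FROM sys.databases WHERE name = 'hr_db';
SELECT TOP (1) session_id, start_time, end_time, latency, error_count
FROM sys.dm_cdc_log_scan_sessions
ORDER BY session_id DESC;
```

'all update old' returns both images of an update (operations 3 and 4); 'all' returns only the after image, which is what a warehouse load usually wants.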


CDC vs. Change Tracking

Feature | Change Tracking | Change Data Capture
Synchronous | Yes | No
Requires SQL Agent | No | Yes
Forces full logging of some bulk operations | No | Yes
Prevents log truncation | No | Yes, until log records harvested
Requires snapshot isolation | Recommended | No
Requires separate tables to store tracking data | Yes | Yes
Allows placement of tracking tables | No | Yes
Potential for space consumption issues | Some | Lots
Automatic cleanup process | Yes | Yes
Restrictions on DDL | Yes | No

http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog

Audit Tools in SQL - Summary

Name | What audits? | How? | Uses | Performance | Versions / Editions
SQL Trace | All actions but data | Server trace technology, not sync | Security, actions, debug, performance | Low overhead | 6.X +
DML triggers | Data changes | Triggers, sync | Data changes (audit trail) | Can cause performance problems. | All
Change Tracking | Data changes | Built-in mechanism, sync | Sync DB | Like maintaining another NCIX | 2008
CDC | Data changes and history | Log reader, async | Load DWH, audit trail | A lot of disk space, more IO | 2008 Ent
DDL triggers | Schema changes | Internal events mechanism, sync | Track schema changes, change management and more | Depends on the code within the trigger | 2005
SQL Audit | All user actions | Based on EXEvents, sync and async | Audit security actions | Very low | 2008 Ent


Audit Tools in SQL - Summary

• What about…

– Archive and retention of audit data

– Reporting

– Alerting

– Threshold definition (alert only after 10 failed logins in 5 minutes)

– Aggregations

– Audit the auditor

Idera Compliance Manager

• Examples


References

• Auditing in SQL Server 2008 - http://msdn.microsoft.com/en-us/library/dd392015.aspx

• SQL Server 2008 Improves Auditing, Change Tracking - http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/11nov/1108ss2iac.htm

• Tracking Changes in Your Enterprise Database by Paul S. Randal - http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog

• SQL Server 2005 Security Overview for Database Administrators - http://www.microsoft.com/sqlserver/2008/en/us/wp-sql-2008-security.aspx

• SQL Server 2005 security best practices white paper - http://www.microsoft.com/sqlserver/2005/en/us/white-papers.aspx

• SQL Server 2008 Compliance Guide - http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1021DD-65B9-41C2-8385-438028F5ACC2&displaylang=en