Upload
siavashtaghizadeh2683
View
179
Download
5
Embed Size (px)
Citation preview
7/9/2009
1
A Comparative Analysis of
Auditing Solutions in SQL Server or
How The Hell Can I Tell Who's Messing With My Data
Audit
• A methodical examination or review of a
condition or situation
7/9/2009
2
Compliance
• Acting according to certain accepted
standards
• Monitoring the extent of compliance with the
standards and ethical codes at either an
agency or sector level
Compliance
Assessment
Prioritization
Action plan
Monitoring
Validation
Remediation
Policies
Training
Practices
7/9/2009
3
Auditing in SQL
• User actions
– data changes
– Data read
– Schema changes
• Security events
– Logins
– Server security activities
Audit Solutions Timeline
6.x• Trace, DML Triggers
7• Profiler
2000• C2
2005• DDL triggers
2005 SP2• Common criteria + logon triggers
2008• SQL Audit, CDC, Change Tracking
7/9/2009
4
Agenda
• Schema changes and Security Audit– Trace
– SQL Audit
– DDL Triggers (& Login Triggers)
• Data changes Audit– DML Triggers
– Change Tracking
– Change Data Capture (CDC)
• Third party tools– Idera SQL Compliance Manager
SQL Trace
• Versions Available:
6.x + (Profiler since 7)
• Editions available:
All (Profiler not available in Express Edition)
• What does it audit?
User Actions
(who read, who wrote, who altered)
Most of the events we can dream of: object access and management in any scope, security changes and events, logins (in addition to everything required for debugging, monitoring and performance tuning)
7/9/2009
5
SQL Trace
Pros
• A one-stop mechanism to get tons of security related information.
• No objects have to be altered or created.
• Captures things that can’t be captured otherwise (DBCC, create/alter trace, backup/restore) - until SQL Server 2008
• Actions are ALWAYS audited (even if transaction was rolled back)
Cons
• Data changes are not collected (can be collected with user defined events, but this requires triggers and is complex to work out)
• May be harder to filter and analyze for relevant events.
• The syntax is complicated and harder to understand what we are auditing (when not using profiler).
• There is no guarantee the trace will run when the server starts, we should take care of it (using a startup proc. Or agent job)
SQL Trace
• How to create
– See Yaniv Etrogi’s UG 87 session in sqlserver.co.il
• How does it work?
– Based on internal trace events
7/9/2009
6
SQL Trace
• Performance overhead
– Minimal (when not used with Profiler)
– 5 events, only profiler filtered out:
http://sqlblog.com/blogs/linchi_shea/archive/2007/08/01/trace-profiler-test.aspx
SQL Trace
• Interesting events to look for (Security):
– Audit Schema Object Access
– Audit Schema Object Management
– Audit Schema Object GDR
– Audit Schema Object Take Ownership
– Audit Login Failed
7/9/2009
7
SQL Trace
• Default trace
– File growth, shrink
– Mirroring state change
– Errors and warnings
– Fulltext crawl start/stop/abort
– Object create/alter/drop
– 17 audit events
– Server memory change
– 5 20mb file-rollover files
SQL Trace
• Blackbox trace
– 5mb files (size and file-rollover file count can be overridden after setup)
– Saved to default data folder
– Traces:
• RPC Starting
• Batch Starting
• Exception
• Attention (timeouts)
– No filters, no event/column configuration
7/9/2009
8
C2 Audit
• Versions Available:
2000+
• Editions available:
All
• What does it audit?
Failed and successful attempts to access
statements and objects.
C2 Audit
Pros
• Simple trace to set up (one checkbox)
• Audits every action on every object within the SQL Server instance.
• No audit – no SQL Server. SQL Shuts down if it can’t write audit information.
Cons
• Requires instance restart to enable/disable.
• Not configurable in terms of events, columns, filters or file size. It saves audit trail in 200mb files in the default data folder (any worse choice?) – can cause disk space problems
7/9/2009
9
C2 Audit
• How to create
– or check the option in Server properties
EXEC EXEC EXEC EXEC sp_configuresp_configuresp_configuresp_configure 'c'c'c'c2 2 2 2 audit mode', audit mode', audit mode', audit mode', 1 1 1 1 GOGOGOGORECONFIGURERECONFIGURERECONFIGURERECONFIGURE
C2 Audit
• Performance overhead
– Like SQL trace (with audit 40 events, 45 columns
and no filters)
7/9/2009
10
Common Criteria Compliance
• Versions Available:
2005 SP2 +
• Editions available:
Enterprise only
• What does it do?
Enables elements that are required for the
Common Criteria.
Common Criteria Compliance
Criteria Description
Residual Information Protection (RIP) Requires a memory allocation to be
overwritten with a known pattern of bits
before memory is reallocated to a new
resource. (better security, worse
performance)
The ability to view login statistics login auditing is enabled, information
about the last successful login time, the
last unsuccessful login time, and the
number of attempts between the last
successful and current login times is made
available via sys.dm_exec_sessions
That column GRANT should not override
table DENY
a table-level DENY takes precedence over
a column-level GRANT
(not default behavior)
7/9/2009
11
Common Criteria Compliance
• How to create
– or check the option Server properties
– Also requires to run a script that finishes
configuring SQL Server to comply with Common
Criteria Evaluation Assurance Level 4+ (EAL4+)
EXEC EXEC EXEC EXEC sp_configuresp_configuresp_configuresp_configure ''''common criteria compliance enabled', ', ', ', 1 1 1 1 GOGOGOGORECONFIGURERECONFIGURERECONFIGURERECONFIGURE
Common Criteria Compliance
• Performance overhead
– Not tested.
7/9/2009
12
SQL Audit
• Versions Available:
2008
• Editions available:
Enterprise only
• What does it audit?
Audit user actions
(who read, who wrote, who altered)
Unlike SQL Trace, SQL Audit is meant to provide full auditing capabilities and only auditing capabilities
SQL Audit
• How does it work?– SQL Server Audit is a brand new audit mechanism.
– Different set of events for server scope and database scope.
– Based on Extended Events
– Tightly bound to DBMS engine - implemented by hooking the internal permissions checks
– Can output to• File
• Windows Application Log
• Windows Security Log
– Can be synchronous or asynchronous (default)
7/9/2009
13
SQL Audit
• Sample Event groups:
– Server scope:
• SUCCESSFUL_LOGIN_GROUP
• FAILED_LOGIN_GROUP
• LOGIN_CHANGE_PASSWORD_GROUP
• DBCC_GROUP
– Database scope:
• SCHEMA_OBJECT_CHANGE_GROUP
• DATABASE_OWNERSHIP_CHANGE_GROUP
• DATABASE_PERMISSION_CHANGE_GROUP
SQL Audit
Pros
• A one-stop mechanism to get tons of security related information.
• Captures things that can’t be captured otherwise (DBCC, create/alter trace, backup/restore)
• Easy to set up, filter in any granularity of objects, actions and users.
• Performs even better than a trace
• Actions are ALWAYS audited (even if transaction was rolled back)
• Many options of output – can be combined with System Center Operations Manager (formerly known as MOM)
• Can be configured to shutdown the server if fails to audit.
Cons
• Data changes are not collected
• Audit data saved to sqlaudit file or event log and not to a table.
7/9/2009
14
SQL Audit
• How to create
USE master USE master USE master USE master CREATE SERVER AUDIT auditCREATE SERVER AUDIT auditCREATE SERVER AUDIT auditCREATE SERVER AUDIT audit1 1 1 1 TO FILE TO FILE TO FILE TO FILE
(FILEPATH = '(FILEPATH = '(FILEPATH = '(FILEPATH = '\\\\\\\\srvsrvsrvsrv\\\\adt')adt')adt')adt')
USE USE USE USE hr_dbhr_dbhr_dbhr_dbCREATE DATABASE AUDIT SPECIFICATION CREATE DATABASE AUDIT SPECIFICATION CREATE DATABASE AUDIT SPECIFICATION CREATE DATABASE AUDIT SPECIFICATION hr_dbspechr_dbspechr_dbspechr_dbspec FOR FOR FOR FOR SERVER AUDIT auditSERVER AUDIT auditSERVER AUDIT auditSERVER AUDIT audit1 1 1 1 ADD(SELECT,UPDATE,INSERT,DELETE ON ADD(SELECT,UPDATE,INSERT,DELETE ON ADD(SELECT,UPDATE,INSERT,DELETE ON ADD(SELECT,UPDATE,INSERT,DELETE ON hr.salaryhr.salaryhr.salaryhr.salary by by by by dbodbodbodbo) ) ) )
--------and enable the audit & audit specificationand enable the audit & audit specificationand enable the audit & audit specificationand enable the audit & audit specification
SQL Audit
• How to read
SELECT * FROM SELECT * FROM SELECT * FROM SELECT * FROM fn_get_audit_filefn_get_audit_filefn_get_audit_filefn_get_audit_file('E:('E:('E:('E:\\\\SqlAuditsSqlAuditsSqlAuditsSqlAudits\\\\*', *', *', *', default, default)default, default)default, default)default, default)
7/9/2009
15
SQL Audit
• Performance overhead
– Lower than Profiler!
http://msdn.microsoft.com/en-us/library/dd392015.aspx
0
20
40
60
80
100
120
1 2 3 4 5
Base Time
SQL Trace
SQL Audit
SQL Audit
• Tips:
– It’s disabled by default – don’t forget to enable it
after you set it up.
– Just like with DCL statements we can use database
or schema scopes. For example:
SELECT ON DATABASE::MyDB
UPDATE ON SCHEMA::HR
– Can output to application/security log
(look for event ID 33205)
7/9/2009
16
DDL Triggers
• Versions Available:
2005+ (logon triggers in 2005 SP2+)
• Editions available:
All
• What does it audit?
Tracks object changes in server, database and
schema levels + login events
DDL Triggers
Pros
• Useful for auditing but can also be used to act on DDL statements (i.e. ROLLBACK)
• Can have lots of logic within it (we write all the code)
Cons
• Transaction bound (if change is done within transaction, the audit can be rolled back as well)
• Requires code and object generation.
• The tracking table (if exists) needs to be managed.
7/9/2009
17
DDL Triggers
• How to create, prerequisites
– Logon triggers require 2005 SP2+
– Use EVENTDATA() function to get information
CREATE TRIGGER [name]CREATE TRIGGER [name]CREATE TRIGGER [name]CREATE TRIGGER [name]ON [DATABASE]ON [DATABASE]ON [DATABASE]ON [DATABASE] / [ALL SERVER]/ [ALL SERVER]/ [ALL SERVER]/ [ALL SERVER]FOR [DDL_DATABASE_LEVEL_EVENTS]FOR [DDL_DATABASE_LEVEL_EVENTS]FOR [DDL_DATABASE_LEVEL_EVENTS]FOR [DDL_DATABASE_LEVEL_EVENTS]AS ...AS ...AS ...AS ...
DDL Triggers
• Performance overhead
– Slightly higher than trace
– Depends on the statements inside the trigger.
7/9/2009
18
DML Triggers
• Versions Available:
Any
• Editions available:
All
• What does it audit?
Audit data changes in a table + security
information.
DML Triggers
Pros
• Useful for auditing but can also be used to act on DML statements (i.e. ROLLBACK)
• Can have lots of logic within it (we write all the code)
• Can combine security information and data changes
Cons
• Transaction bound (change is done within transaction, the audit can be rolled back as well, if trigger fails, transaction is doomed)
• Requires code and object generation.
• The tracking table (if exists) needs to be managed.
7/9/2009
19
DML Triggers
• How to create
– Use deleted and inserted table to retrieve changed data.
– Use built in functions like Suser_sname() to get security information.
– Use the UPDATE (column) function to check if a column changed or COLUMNS_UPDATED ( ) to check which columns have changed.
CREATE TRIGGER [name] ON { table | view }CREATE TRIGGER [name] ON { table | view }CREATE TRIGGER [name] ON { table | view }CREATE TRIGGER [name] ON { table | view }[ WITH <[ WITH <[ WITH <[ WITH <dml_trigger_optiondml_trigger_optiondml_trigger_optiondml_trigger_option> ]> ]> ]> ]{ FOR | AFTER | INSTEAD OF } { FOR | AFTER | INSTEAD OF } { FOR | AFTER | INSTEAD OF } { FOR | AFTER | INSTEAD OF } {[ INSERT ][,][ UPDATE ][,][ DELETE ] }{[ INSERT ][,][ UPDATE ][,][ DELETE ] }{[ INSERT ][,][ UPDATE ][,][ DELETE ] }{[ INSERT ][,][ UPDATE ][,][ DELETE ] }AS ...AS ...AS ...AS ...
DML Triggers
• Performance overhead
– Depends on the statements inside the trigger.
7/9/2009
20
Change Tracking
• Versions Available:
2008
• Editions available:
All
• What does it audit?
• Audits the fact that a certain row has changed and using what action (Insert, Update or Delete):
– Which rows have changed in a user table?
– Has a row changed?
Change Tracking
• How to create, prerequisites– Should be enabled in the database and then on the table
– Table must have a primary key or a unique index.
• How does it work?– Synchronous – if a problem occurs in the change tracking,
the transaction is rolled back.
– Creates internal tables that have columns to store the primary key value, action performed (insert, update, delete) ,optional columns updated bitmap, version of the change.
– A version in a DB level.
– Has a retention period that cleans the internal tables.
– Built-in functions to retrieve changes and versions.
7/9/2009
21
Change Tracking
• Performance overhead
– More IO: The incremental performance overhead
that is associated with using change tracking on a
table is similar to the overhead incurred when an
index is created for a table and needs to be
maintained.
Change Tracking
• Pros– No need to develop complex procedures for tracking
changes
– Doesn’t take a lot of disk space
– Synchronous
– Auto cleanup tasks
• Cons– Doesn’t keep historical data
– Doesn’t keep security information
– Usually used with snapshot isolation level which cause performance to drop
– Affects the system IO
7/9/2009
22
Change Tracking
• Remarks
– When change tracking is enabled, there are
restrictions on the DDL that can be performed on
a table being tracked. The most notable restriction
is that the primary key cannot be altered in any
way.
– Switching a partition fails if one or both of the
tables has change tracking enabled.
Change Data Capture (CDC)
• Versions Available:
2008
• Editions available:
Enterprise Only
• What does it Audit?
Audits all the changes on all rows in a table on
specific columns.
7/9/2009
23
CDC
• How does it work?
– Asynchronous
– Uses log reader (like transactional replication)
– Creates schema and tables
• Performance overhead
– A lot of disk space
– More IO
CDC
• Pros
– Asynchronous
– Has the option to choose what to monitor.
– Keeps data history
– Has a cleaning mechanism
• Cons
– A lot of disk space
– More IO
– Can cause log truncation problem
7/9/2009
24
CDC vs. Change TrackingFeature Change Tracking Change Data Capture
Synchronous Yes No
Requires SQL Agent No Yes
Forces full logging of some bulk operations
No Yes
Prevents log truncation No Yes, until log records harvested
Requires snapshot isolation Recommended No
Requires separate tables to store tracking data
Yes Yes
Allows placement of tracking tables
No Yes
Potential for space consumption issues
Some Lots
Automatic cleanup process Yes Yes
Restrictions on DDL Yes No
http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog
Audit Tools in SQL - SummaryName What audits? How? Uses performance Versions
Editions
SQL Trace All actions but
data
Server trace
technology, not
sync
Security, actions,
debug, performance
Low overhead 6.X +
DML
triggers
Data changes Triggers, sync Data changes (audit
trail)
Can cause
performance
problems.
All
Change
Tracking
Data changes Built-in
mechanism,
sync
Sync DB Like
maintaining
another NCIX
2008
CDC Data changes
and history
Log reader,
async
Load DWH, audit
trail
A lot of disk
space, more IO
2008 Ent
DDL
triggers
Schema
changes
Internal events
mechanism,
sync
Track schema
changes, change
management and
more
Depends on
the code
within the
trigger
2005
SQL Audit All user actions based on
EXEvents, sync
and async
Audit security
actions
Very low 2008 Ent
7/9/2009
25
Audit Tools in SQL - Summary
• What about…
– Archive and retention of audit data
– Reporting
– Alerting
– Threshold definition (alert only after 10 failed
logins in 5 minutes)
– Aggregations
– Audit the auditor
Idera Compliance Manager
• Examples
7/9/2009
26
References
• Auditing in SQL server 2008 - http://msdn.microsoft.com/en-us/library/dd392015.aspx
• SQL Server 2008 Improves Auditing, Change Tracking -http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/11nov/1108ss2iac.htm
• Tracking Changes in Your Enterprise Database by Paul S. Randal -http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog
• SQL Server 2005 Security Overview for Database Administrators -http://www.microsoft.com/sqlserver/2008/en/us/wp-sql-2008-security.aspx
• SQL Server 2005 security best practices white paper -http://www.microsoft.com/sqlserver/2005/en/us/white-papers.aspx
• SQL Server 2008 Compliance Guide -http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1021DD-65B9-41C2-8385-438028F5ACC2&displaylang=en