Auditing in Microsoft SQL Server 2012 Il-Sung Lee Program Manager Microsoft Corporation DBI407


Agenda

• What’s changed since SQL Server 2008?
• What is the performance impact?
• Can I protect the Audit log from the DBA?
• What happens if Audit fails to write?
• What do I do if the server fails to start because of SQL Server Audit?
• Anything else I should know?

What’s changed since SQL Server 2008?

Lots. We’ve made SQL Server Audit more flexible and reliable.

SQL Server Audit Enhancements

Audit supported on all SKUs

Improved Resilience

User-Defined Audit Event

Record Filtering

T-SQL Stack Information

Audit Supported on All SKUs

Basic Audit on all SKUs
• Server Audit Specs only
• DB Audit Specs for Enterprise

No longer need SQL Trace

Enjoy advantages of Audit
• Performance
• Multiple Audits and multiple targets
• Persist state
• Audit Resilience

[Image label: SQL Server Express]

Improved Resilience

Before:
• Write failures may silently lose Audit records
• Use ON_FAILURE = SHUTDOWN

Now:
• Automatically recover from most file or network errors
• Added “ON_FAILURE = FAIL_OPERATION”
• Added “MAX_FILES” option

[Diagram labels: Select…, Rollback]

T-SQL Stack Information

[Diagram: exec hr.viewsalary → select salary from hr.payroll; Audit Log: hr.viewsalary, hr.payroll]

demo

T-SQL Stack Information
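An added example, not taken from the session demo or the original deck, showing where the T-SQL stack frame appears in an audit record. It reuses the deck's hr.viewsalary and hr.payroll names; the HRDemo database, the audit names and the D:\SqlAudit\ path are assumptions, and a database audit specification is used, which the deck lists as an Enterprise feature.

```sql
-- Added example; HRDemo, Audit_Stack, DbSpec_PayrollReads and D:\SqlAudit\ are assumed names.
USE master;
GO
CREATE SERVER AUDIT Audit_Stack
TO FILE (FILEPATH = 'D:\SqlAudit\');           -- directory must already exist
GO
ALTER SERVER AUDIT Audit_Stack WITH (STATE = ON);
GO

USE HRDemo;                                     -- assumed to contain hr.payroll and hr.viewsalary
GO
-- Audit every SELECT on the table, whoever issues it and however it is reached.
CREATE DATABASE AUDIT SPECIFICATION DbSpec_PayrollReads
FOR SERVER AUDIT Audit_Stack
    ADD (SELECT ON OBJECT::hr.payroll BY public)
WITH (STATE = ON);
GO

EXEC hr.viewsalary;                             -- the SELECT runs inside the procedure
GO
WAITFOR DELAY '00:00:02';                       -- records are flushed asynchronously (QUEUE_DELAY)
GO

-- additional_information carries <tsql_stack><frame .../></tsql_stack>, naming the
-- module the audited statement ran in. For an ad hoc SELECT the caller columns are NULL.
SELECT  f.event_time,
        f.server_principal_name,
        f.schema_name + '.' + f.object_name AS audited_object,
        s.stack.value('(/tsql_stack/frame/@schema_name)[1]', 'nvarchar(128)') AS caller_schema,
        s.stack.value('(/tsql_stack/frame/@object_name)[1]', 'nvarchar(128)') AS caller_object,
        f.statement
FROM    sys.fn_get_audit_file('D:\SqlAudit\Audit_Stack*.sqlaudit', DEFAULT, DEFAULT) AS f
CROSS APPLY (SELECT CAST(f.additional_information AS xml) AS stack) AS s
WHERE   f.action_id = 'SL'                      -- SELECT
  AND   f.object_name = 'payroll'
ORDER BY f.event_time;
```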


User-Defined Audit Event

sp_audit_write()

exec sp_audit_write 1234, 1, N'Hello World'

[Diagram: the three arguments are labelled @user_defined_event_id, @succeeded and @user_defined_info; the event is written to the Audit Log]

demo

User-Defined Audit Event
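An added example, not taken from the session demo or the original deck, that raises the slide's event id 1234 from application code and reads it back. The HRDemo database, hr.usp_ChangeSalary, the employee_id column, the audit names and the D:\SqlAudit\ path are assumptions; arguments are passed positionally, as on the slide.

```sql
-- Added example; HRDemo, Audit_AppEvents, SrvSpec_AppEvents, hr.usp_ChangeSalary,
-- employee_id and D:\SqlAudit\ are assumed names. Event id 1234 is the slide's.
USE master;
GO
CREATE SERVER AUDIT Audit_AppEvents
TO FILE (FILEPATH = 'D:\SqlAudit\');            -- directory must already exist
GO
-- sp_audit_write is ignored unless USER_DEFINED_AUDIT_GROUP is being audited.
CREATE SERVER AUDIT SPECIFICATION SrvSpec_AppEvents
FOR SERVER AUDIT Audit_AppEvents
    ADD (USER_DEFINED_AUDIT_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_AppEvents WITH (STATE = ON);
GO
USE HRDemo;
GO
CREATE PROCEDURE hr.usp_ChangeSalary @employee_id int, @new_salary money
AS
BEGIN
    SET NOCOUNT ON;
    -- Record who asked and for which row, but not the salary value itself.
    DECLARE @info nvarchar(4000) =
        N'salary change: employee ' + CAST(@employee_id AS nvarchar(12))
        + N' requested by ' + ORIGINAL_LOGIN();
    BEGIN TRY
        UPDATE hr.payroll SET salary = @new_salary WHERE employee_id = @employee_id;
        EXEC sp_audit_write 1234, 1, @info;     -- @succeeded = 1
    END TRY
    BEGIN CATCH
        EXEC sp_audit_write 1234, 0, @info;     -- @succeeded = 0: the attempt failed
        THROW;
    END CATCH
END;
GO
EXEC hr.usp_ChangeSalary @employee_id = 1, @new_salary = 50000;
WAITFOR DELAY '00:00:02';                       -- records are flushed asynchronously
GO
SELECT event_time, server_principal_name, succeeded,
       user_defined_event_id, user_defined_information
FROM   sys.fn_get_audit_file('D:\SqlAudit\Audit_AppEvents*.sqlaudit', DEFAULT, DEFAULT)
WHERE  user_defined_event_id = 1234
ORDER BY event_time;
```

When reviewing these records, take the caller's identity from server_principal_name, which the engine fills in, rather than from the free-text field, which the caller supplies.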

Record Filtering

• Tightly constrain info written to Audit log
• Audit record generated but not written
• Leverages Xevent filtering

CREATE SERVER AUDIT audit_name
{
    TO { [ FILE (<file_options> [ , ...n ]) ] | APPLICATION_LOG | SECURITY_LOG }
    [ WITH ( <audit_options> [ , ...n ] ) ]
    [ FILTER = <predicate_expression> ]
}
…
<predicate_expression> ::=
{
    [ NOT ] <predicate_factor> | {( <predicate_expression> ) }
    [ { AND | OR } [ NOT ] { <predicate_factor> | ( <predicate_expression> ) } ]
    [ ,...n ]
}

demo

Record Filtering
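An added example, not taken from the session demo or the original deck, combining the options from the Improved Resilience slide with a record filter. In the released SQL Server 2012 syntax the filter is written as a WHERE clause on CREATE SERVER AUDIT rather than the FILTER = form in the slide's grammar; the audit names, the HRDemo database and the D:\SqlAudit\ path are assumptions.

```sql
-- Added example; Audit_Payroll, SrvSpec_Payroll, HRDemo and D:\SqlAudit\ are assumed names.
USE master;
GO
CREATE SERVER AUDIT Audit_Payroll
TO FILE (
    FILEPATH = 'D:\SqlAudit\',       -- directory must already exist
    MAXSIZE = 256 MB,
    MAX_FILES = 40,                  -- never rolls over: once 40 files are full,
                                     -- actions that generate audit events fail
    RESERVE_DISK_SPACE = OFF
)
WITH (
    QUEUE_DELAY = 1000,
    ON_FAILURE = FAIL_OPERATION      -- fail the audited action, keep the server running
)
-- Only matching records are written; all others are generated and then discarded.
WHERE database_name = 'HRDemo' AND schema_name = 'hr' AND object_name = 'payroll';
GO
-- A server-level action group plus the filter gives object-level scope
-- without a database audit specification.
CREATE SERVER AUDIT SPECIFICATION SrvSpec_Payroll
FOR SERVER AUDIT Audit_Payroll
    ADD (SCHEMA_OBJECT_ACCESS_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_Payroll WITH (STATE = ON);
GO

-- Confirm what the server stored: failure mode, filter text and file limits.
SELECT a.name, a.is_state_enabled, a.on_failure_desc, a.predicate,
       f.max_file_size, f.max_files, f.max_rollover_files, f.log_file_path
FROM   sys.server_audits      AS a
JOIN   sys.server_file_audits AS f ON f.audit_id = a.audit_id
WHERE  a.name = 'Audit_Payroll';
```

With MAX_FILES the oldest file is never overwritten, so full files have to be moved off the server (for example to the secure location discussed later in the deck) before the limit is reached.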


What is the performance impact?


Depends…


Audit Performance

Depends upon:
• The workload
• What’s being audited

Comparison of SQL Server Audit against SQL Trace for 5 different typical customer workloads…

Workload 1
• 11 dbs, ranging from 1.94 MB to 1812.5 MB
• 755 tables with average of 2761 rows
• 1,219,234 stmts executed

Workload 2
• 2 dbs ranging from 64 MB to 423.88 MB
• 35 tables with average of 49,141 rows
• 1,633,557 stmts executed

Workload 3
• 3 dbs ranging from 1.94 MB to 1059.63 MB
• 154 tables with average of 586 rows
• 585,400 stmts executed

Workload 4
• 1 db at 3235.75 MB
• 84 tables with average of 144,245 rows
• 3,435,303 stmts executed

Workload 5
• 1 db at 174.94 MB
• 152 tables with average of 4,108 rows
• 296,642 stmts executed

SQL Server Audit vs SQL Trace

Customer Workload Performance

                              Workload 1  Workload 2  Workload 3  Workload 4  Workload 5
Base Time (minutes)                 13.3        41.3         5.1        63.4         3.6
SQL Trace (minutes)                 15.9       101.9         6.3        76.6        4.78
SQL Server Audit (minutes)          14.1        55.9         5.6        68.1           4

Can I protect the Audit log from the DBA?


Yes.


Protecting Audit Data

Windows Security Log
• “Tamper-proof” log
• DBA cannot clear log (assuming not an Administrator)
• System Center Operations Manager Audit Collection Service

Copy Audit logs to secure location
• Directory or share inaccessible by service account or DBA
• Audit log files are shared-read and cannot be tampered with while active
• Possible momentary exposure if using multiple logs

Combination of the two
• Audit “tamper” activity to Security Log, e.g., DBA modifying Audit
• All other Audit events are sent to file
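An added example, not from the original deck, of the tamper half of the combined approach: audit configuration changes go to the Windows Security log, followed by a review of who is able to change audit settings. Audit_Tamper and SrvSpec_Tamper are assumed names, and the file-target audit that takes all other events is assumed to be defined separately.

```sql
-- Added example; Audit_Tamper and SrvSpec_Tamper are assumed names.
USE master;
GO
-- Target the Windows Security log. The SQL Server service account needs the Windows
-- "Generate security audits" right, and object-access auditing must be enabled.
CREATE SERVER AUDIT Audit_Tamper
TO SECURITY_LOG
WITH (QUEUE_DELAY = 0, ON_FAILURE = CONTINUE);   -- QUEUE_DELAY = 0: synchronous delivery
GO
-- AUDIT_CHANGE_GROUP is raised when any audit or audit specification
-- is created, modified or deleted.
CREATE SERVER AUDIT SPECIFICATION SrvSpec_Tamper
FOR SERVER AUDIT Audit_Tamper
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_Tamper WITH (STATE = ON);
GO

-- Where does each audit write, and is it running?
SELECT name, type_desc, is_state_enabled, on_failure_desc
FROM   sys.server_audits;

-- Who can change audit configuration: explicit server-level grants ...
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM   sys.server_permissions AS pe
JOIN   sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.permission_name IN ('ALTER ANY SERVER AUDIT', 'CONTROL SERVER');

-- ... and sysadmin members, who hold those permissions implicitly.
SELECT m.name AS sysadmin_member
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = 'sysadmin';
```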


What happens if Audit fails to write?


Depends again…


Audit Write Failure (Shutdown)

• Server shuts down
• Buffered audit events lost

Audit Write Failure (Continue)

Audit Events Buffered
• Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text)

Server Blocks New Activity Generating Audit Event
• Does not affect other Audits
• Blocks until buffer space freed or audit disabled

Audit Session Turned Off
• Buffered data is discarded and error written to errorlog
• Continue trying to write future events to Audit log
• Automatically try to restart Audit session when next event is generated

[Diagram labels: Buffer filled, System error]

Audit Write Failure (Fail Operation)

Audit Events Buffered
• Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text)

Server Fails New Activity Generating Audit Event
• Does not affect other Audits
• Fails new operations until buffer space freed or audit disabled
• Buffered audit events persist and continuously re-attempted to write until audit disabled or server shut down

[Diagram label: Buffer filled]

What do I do if the server fails to start because of SQL Server Audit?

Start the server in single-user mode

Starting the Server

Option 1

• Correct source of error
• E.g., file system full

Option 2

• Single-user mode, “-m”
• Audit is active but shutdown-on-failure behavior deactivated
• Audit Admin can fix Audit configuration

Option 3

• Minimal configuration mode, “-f”
• Audit disabled but Audit DDL can still be issued

Bonus

• If “Fail Operation” and “AUDIT_CHANGE_GROUP”, use DAC connection
• Audit event still generated but will not fail operation

demo

Using SQL Server Audit with Policy-Based Management


Anything else I should know?


Just a few things.


Other Things You Should Know

• Parameterized queries
• Audit Xevent Sessions may not be manipulated by Xevent DDL
• Audit logs are not encrypted or compressed
• Audit events are fired with permission checks
• Writing to files is much faster than to event log
• No auditing of result sets

Other Things You Should Know

Both Audit and Audit Specifications have STATE parameters.

Can only change state outside user transaction. All other audit changes can be done in a transaction, but with Audit or Audit Specification OFF.


Securely and Easily Track DB Activity

Consider SQL Server Audit for all security auditing requirements and leverage the 2012 enhancements

Carefully devise a strategy for what needs to be audited and where to send the audit information based on security and performance needs

Monitor administrator activity and prevent tampering of the logs.


Session Resources

Books Online:
• Security Enhancements (Database Engine), http://msdn.microsoft.com/en-us/library/cc645578(v=sql.110).aspx
• SQL Server Audit (Database Engine), http://msdn.microsoft.com/en-us/library/cc280386(v=SQL.110).aspx

Whitepaper:
• Auditing in SQL Server 2008, http://msdn.microsoft.com/en-us/library/dd392015(v=SQL.100).aspx

SQL Server Security Forum: http://social.msdn.microsoft.com/forums/en-US/sqlsecurity/threads/

SQL Security Blog: http://blogs.msdn.com/b/sqlsecurity/

Related Content

Bare Metal Microsoft SQL Server 2012 Deployment and Management (S. Hall B WRK Rm 1)

Microsoft SQL Server: Mission Critical Confidence - Organizational Security and Compliance Demo Station (S. Hall A)

Find Me Later At The Mission Critical Booth In The Expo

Il-Sung Lee

http://blogs.msdn.com/b/sqlsecurity/

I’m not a tweeter
