
12/7/2013

A Walk Around the SQL Server 2014 Audit Feature
Washington, DC SQL Saturday
December 7, 2013

DEMOS!
SQL SERVER 2014 CTP2
Windows Server 2012R2
Windows Azure VM on Azure Portal


Speaker Introduction: Timothy P. McAliley


13+ years in IT
Currently work for Microsoft
Premier Field Engineer SQL Server, Washington, DC.
Previously Worked for:
Symantec
Football Fanatics (Jacksonville, FL) (High Volume e-Commerce)
ASM Research, Inc. (Fairfax, VA) (Defense Contractor)
MCSA: SQL Server 2012, Windows Server 2012
MCSE: Data Platform, Server Infrastructure

Objective and Scope of this Presentation


Overview of SQL Server 2014 Server and Database Auditing
Demonstration of SQL Server Audit Configuration


Agenda
Introduction to SQL Server Audit
Configuring SQL Server Audit
Audit Actions and Action Groups
Defining Audit Targets
Creating Audits
Creating Server Audit Specifications
Creating Database Audit Specifications
Audit-related DMVs and System Views
Demonstration Using SQL Server Audit
Other Issues and Considerations
Resources for More Information

Introduction to SQL Server Audit


SQL Server Audit compared/in relation to
Change Data Capture
DML/DDL Audit Triggers
C2 Auditing
SQL Trace

Introduction to SQL Server Audit


SQL Server Audit - A note on Performance Impact
% increase in memory utilization
% increase disk i/o
% increase in cpu

What is the Impact of Auditing?


It Depends
Synchronous /Asynchronous
Scope of Audit Specifications

Best Practice
Test in Non-Production Environment
Initiate/Sample with a Narrow Scope


Introduction to SQL Server Audit


SQL Server Audit
First introduced in SQL Server 2008
Event tracking and logging system based on Extended Events
Full operation in Enterprise edition of SQL Server 2014
Fine-grained auditing (Database level)

Basic auditing in other editions of SQL Server 2014 (Server level)

Comprised of:
Audits
Server and Database Audit Specifications
Actions and Action Groups
Targets

Introduction to SQL Server Audit


Improved Resilience
On Audit Shut Down Server
On Audit Log Failure: Continue
On Audit Log Failure: Fail Operation

Custom User Events


sp_audit_write
Ability to Determine T-SQL Method Used


Introduction to SQL Server Audit


Leverages Extended Events, which:
Is a lightweight, operating-system-level eventing engine for servers, outside of the SQL Engine
Is designed to be able to process any type of event (auditable events)
Can be integrated with Event Tracing for Windows (ETW)

[Diagram: Extended Event Engine, SQL Engine]

Configuring SQL Server Audit


Configuring SQL Server Audit is a process:
Create an audit and define the target
Create an audit specification (server or database)
Enable the audit and the audit specification
Read the output events

Configuring SQL Server Audit

Create Server Audit -> Configure Server or Database Audit Specification -> Enable Audit Specification -> Monitor and Review

Audit Actions and Action Groups


Audit actions are additional tasks that can be performed when
events occur. Action groups are predefined sets of events that
can be used instead of defining individual events.
Categories of actions
Server
Database
Audit

Server audit state changes are always audited


Action Groups
Large number of predefined action groups for each audit category are
provided
Simplify setup and management of audits

Defining Audit Targets


Results of an audit are sent to a target
File
1 MB Minimum
2,147,483,647 TB Max Size or Disk Capacity if Unlimited is Configured

Windows Application Event Log


Windows Security Event Log

Results must be reviewed and archived periodically


Security of audit targets
Be cautious with application log as any authenticated user can read it
Writing to security event log requires the SQL Server service account to be
added to "Generate Security Audits" policy

Creating Audits

Create Server Audit -> Configure Server or Database Audit Specification -> Enable Audit Specification -> Monitor and Review


Creating Audits
Configuration: Comment
Audit name: Name for the audit
Queue delay (in milliseconds): Amount of time before audit actions must be processed (0 = Synchronous)
On Audit Log Failure: Continue, Shut Down Server, or Fail Operation
Audit destination: Audit Target; File or Event Log
Maximum rollover files: Maximum number of files to retain (only for files)
Maximum file size (MB/GB/TB): Maximum size of each audit file
Reserve disk space: Indicates whether disk space for the audit files should be reserved in advance
Maximum files: Caps the number of audit files

Creating Audits
Queue Delay - A bit more on configuration specifics:
Specifies the amount of time in milliseconds that can elapse
before audit actions are forced to be processed.
A value of 0 indicates synchronous delivery.
The default minimum value is 1000 (1 second).
The maximum is 2,147,483,647 (2,147,483.647 seconds or 24
days, 20 hours, 31 minutes, 23.647 seconds).


Creating Audits
On Audit Log Failure - Continue - A bit more on configuration specifics:
SQL Server operations continue. Audit records are not
retained. The audit continues to attempt to log events and
will resume if the failure condition is resolved. Selecting the
Continue option can allow unaudited activity which could
violate your security policies. Select this option when
continuing operation of the Database Engine is more
important than maintaining a complete audit. This is the
default selection.

Creating Audits
On Audit Log Failure - Shut Down Server - A bit more on configuration specifics:
Forces a server shut down when the server instance writing
to the target cannot write data to the audit target. The login
issuing this must have the SHUTDOWN permission. If the
logon does not have this permission, this function will fail and
an error message will be raised. No audited events occur.
Select this option when an audit failure could compromise
the security or integrity of the system.


Creating Audits
On Audit Log Failure - Fail Operation - A bit more on configuration specifics:
In cases where the SQL Server Audit cannot write to the audit
log this option causes database actions to fail if they would
otherwise cause audited events. No audited events occur.
Actions which do not cause audited events can continue. The
audit continues to attempt to log events and will resume if
the failure condition is resolved. Select this option when
maintaining a complete audit is more important than full
access to the Database Engine.

Creating Audits
Audit File Maximum Limit - A bit more on configuration specifics:
Maximum rollover files
Specifies that, when the maximum number of audit files is reached, the oldest audit
files are overwritten by new file content.

Maximum files
Specifies that, when the maximum number of audit files is reached, any action that
causes additional audit events to be generated will fail with an error.

Unlimited check box


When the Unlimited check box under Maximum rollover files is selected, there is no
limit imposed on the number of audit files that will be created. The Unlimited check
box is selected by default and applies to both the Maximum rollover files and
Maximum files selections.

Number of files box


Specifies the number of audit files to be created, up to 2,147,483,647. This option is
only available if Unlimited is unchecked.


Creating Audits
Maximum File Size - A bit more on configuration specifics:
Specifies the maximum size for an audit file in either
megabytes (MB), gigabytes (GB), or terabytes (TB).
You can specify between 1024 MB and 2,147,483,647 TB.
Selecting the Unlimited check box does not place a limit on
the size of the file.
Specifying a value lower than 1024 MB will fail, returning an
error.
The Unlimited check box is selected by default.

Creating Audits
Reserve Disk Space - A bit more on configuration specifics:
Specifies that space is pre-allocated on the disk equal to the
specified maximum file size.
This setting can only be used if the Unlimited check box under
Maximum file size is not selected.
This check box is not selected by default.
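
Added example (not part of the original deck): the audit options from the preceding slides expressed in T-SQL for a file target. The audit name Audit_Demo and the folder D:\SQLAudit\ are assumptions; the folder must already exist and be writable by the SQL Server service account.

```sql
-- Added example: Audit_Demo and D:\SQLAudit\ are hypothetical names.
USE master;
GO
CREATE SERVER AUDIT Audit_Demo
TO FILE (
    FILEPATH = N'D:\SQLAudit\',   -- audit destination: file target
    MAXSIZE = 1024 MB,            -- maximum size of each audit file
    MAX_ROLLOVER_FILES = 20,      -- after 20 files the oldest is overwritten
    -- MAX_FILES = 20 would instead make audited actions fail once 20 files
    -- exist; it cannot be combined with MAX_ROLLOVER_FILES.
    RESERVE_DISK_SPACE = ON       -- pre-allocate MAXSIZE; needs a bounded MAXSIZE
)
WITH (
    QUEUE_DELAY = 1000,           -- milliseconds; 0 means synchronous delivery
    ON_FAILURE = FAIL_OPERATION   -- audited actions fail if the log cannot be written
);
GO
-- A new audit is created disabled; enable it before relying on it.
ALTER SERVER AUDIT Audit_Demo WITH (STATE = ON);
GO
-- Confirm the stored configuration and the runtime state of the audit.
SELECT a.name,
       a.is_state_enabled,
       a.on_failure_desc,
       a.queue_delay,
       a.max_file_size,
       a.max_rollover_files,
       a.reserve_disk_space,
       s.status_desc,
       s.audit_file_path
FROM sys.server_file_audits AS a
JOIN sys.dm_server_audit_status AS s
  ON s.audit_id = a.audit_id
WHERE a.name = N'Audit_Demo';
GO
```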

Creating Server Audit Specifications

Create Server Audit -> Configure Server Audit Specification -> Enable Audit Specification -> Monitor and Review


Creating Server Audit Specifications


Define the actions that should be audited and the Audit that the results should be sent to
Can be configured in GUI or T-SQL

-- The audit name contains hyphens, so it must be delimited with brackets
CREATE SERVER AUDIT SPECIFICATION FailedLoginSpec
FOR SERVER AUDIT [Audit-20121222-171544]
ADD (FAILED_LOGIN_GROUP);

Creating Server Audit Specifications


Choose a server audit if you want to monitor the following:
Actions that impact the entire server
Actions that monitor changes across all databases
Actions that monitor changes to schemas to all databases

Server Audit Specifications reside in Master DB


Creating Database Audit Specifications

Creating Server Audit Specifications

Create Server Audit -> Configure Database Audit Specification -> Enable Audit Specification -> Monitor and Review


Creating Database Audit Specifications


Define the actions that should be audited and the Audit that the results should be sent to
Can be configured in GUI or T-SQL

-- The audit name contains hyphens, so it must be delimited with brackets
CREATE DATABASE AUDIT SPECIFICATION BackupRestoreSpec
FOR SERVER AUDIT [Audit-20121222-171544]
ADD (BACKUP_RESTORE_GROUP);

Creating Database Audit Specifications


Choose database audit specifications if you want to monitor:
Actions specific to a database, object, or schema
Specific actions of a principal within a database
Specific actions (SELECT, DELETE, UPDATE, and other Data Manipulation Language [DML] statements) within a database

Database Audit Specifications Reside in Audited Database

Audit-related DMVs and System Views


SQL Server provides a set of DMVs and system views for
managing SQL Server Audit
Audit-related DMVs
sys.dm_server_audit_status
sys.dm_audit_actions
sys.dm_audit_class_type_map
Audit-related System Views
sys.server_audits
sys.server_file_audits
sys.server_audit_specifications
sys.server_audit_specification_details
sys.database_audit_specifications
sys.database_audit_specification_details

Demonstration Using SQL Server Audit


In this demonstration you will see how to:
Create a SQL Server Audit and define its target
Create and enable a database audit specification
Create an auditable event and view the event in the Windows Event Viewer
View the results of a file-based audit
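
Added example (not the presenter's demo script): one way to walk the demonstration steps above in T-SQL using a file target. SalesDemo, dbo.Customer, Audit_DbDemo, CustomerDmlSpec and D:\SQLAudit\ are assumptions; the database and folder must already exist, and the edition must support database-level auditing.

```sql
-- Added example: all object names and the folder are hypothetical.
USE master;
GO
CREATE SERVER AUDIT Audit_DbDemo TO FILE (FILEPATH = N'D:\SQLAudit\');
ALTER SERVER AUDIT Audit_DbDemo WITH (STATE = ON);
GO
USE SalesDemo;
GO
CREATE TABLE dbo.Customer (CustomerId int PRIMARY KEY, Name nvarchar(100));
GO
-- Narrow scope: DML on one table by any database user, plus backup/restore.
CREATE DATABASE AUDIT SPECIFICATION CustomerDmlSpec
FOR SERVER AUDIT Audit_DbDemo
ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Customer BY public),
ADD (BACKUP_RESTORE_GROUP)
WITH (STATE = ON);
GO
-- Create an auditable event.
SELECT CustomerId, Name FROM dbo.Customer;
GO
-- Review what the specification covers (system views from the previous slide).
SELECT s.name,
       s.is_state_enabled,
       d.audit_action_name,
       d.class_desc,
       OBJECT_NAME(d.major_id) AS audited_object   -- NULL for action groups
FROM sys.database_audit_specifications AS s
JOIN sys.database_audit_specification_details AS d
  ON d.database_specification_id = s.database_specification_id;
GO
-- View the results of the file-based audit. With the default queue delay,
-- the newest events can take about a second to appear.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\Audit_DbDemo_*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
```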


Demonstration Using SQL Server Audit

Create Server Audit -> Configure Server or Database Audit Specification -> Enable Audit Specification -> Monitor and Review

Other Issues and Considerations


Audit Volume
Auditing and Encryption
Features, including auditing, behave the same with or without Transparent Data Encryption (TDE)

Multi-Server Auditing with System Center 2012 - Operations Manager, Audit Collection Services (ACS)


Integration with 3rd Party Auditing Tools
Enforce with SQL Server Policy Management


Other Issues and Considerations


Attaching
Attaching a database that has an audit specification and specifies a GUID
that does not exist on the server will cause an orphaned audit
specification. Because an audit with a matching GUID does not exist on
the server instance, no audit events will be recorded.
To correct this situation, use the ALTER DATABASE AUDIT SPECIFICATION
command to connect the orphaned audit specification to an existing
server audit. Or, use the CREATE SERVER AUDIT command to create a new
server audit with the specified GUID.
You can attach a database that has an audit specification defined on it to
another edition of SQL Server that does not support SQL Server audit,
such as SQL Server Express, but it will not record audit events.

Other Issues and Considerations


Mirroring/AG
A database that has a database audit specification defined and that uses
database mirroring will include the database audit specification. To work
correctly on the mirrored SQL instance, the following items must be
configured:
The mirror server must have an audit with the same GUID to enable the database audit
specification to write audit records. This can be configured by using the command CREATE
AUDIT WITH GUID= <GUID from source Server Audit>.
For binary file targets, the mirror server service account must have appropriate
permissions to the location where the audit trail is being written.
For Windows event log targets, the security policy on the computer where the mirror
server is located must allow for service account access to the security or application event
log.
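
Added example (not part of the original deck) covering both the Attaching and Mirroring/AG slides: find database audit specifications whose audit GUID has no matching server audit, then repair them either way the slides describe. SalesDemo, CustomerDmlSpec, Audit_Restored, Audit_Existing and the folder are assumptions, and the GUID is a placeholder to be replaced with the value returned by the first query.

```sql
-- Added example: names are hypothetical and the GUID is a placeholder.
USE SalesDemo;   -- the attached or mirrored database
GO
-- 1. List orphaned database audit specifications: their audit_guid does not
--    match any server audit on this instance, so no events are recorded.
SELECT das.name AS orphaned_specification,
       das.audit_guid,
       das.is_state_enabled
FROM sys.database_audit_specifications AS das
LEFT JOIN sys.server_audits AS sa
  ON sa.audit_guid = das.audit_guid
WHERE sa.audit_guid IS NULL;
GO
-- 2a. Option A (mirror/AG partner): create a server audit carrying the same
--     GUID as the source server audit.
USE master;
GO
CREATE SERVER AUDIT Audit_Restored
TO FILE (FILEPATH = N'D:\SQLAudit\')
WITH (AUDIT_GUID = '00000000-0000-0000-0000-000000000000');  -- placeholder GUID
ALTER SERVER AUDIT Audit_Restored WITH (STATE = ON);
GO
-- 2b. Option B (attached database): re-point the specification at an audit
--     that already exists. The specification must be disabled to be altered.
USE SalesDemo;
GO
ALTER DATABASE AUDIT SPECIFICATION CustomerDmlSpec WITH (STATE = OFF);
ALTER DATABASE AUDIT SPECIFICATION CustomerDmlSpec
    FOR SERVER AUDIT Audit_Existing;
ALTER DATABASE AUDIT SPECIFICATION CustomerDmlSpec WITH (STATE = ON);
GO
```

Use one option per specification, then rerun the first query; it should return no rows.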


Other Issues and Considerations


Permissions
Any authenticated user can read records sent to the Windows Application Log
Writing to the Windows Security log requires the SQL Server service account to be added to the Generate security audits policy


Access to Files For Auditors

Other Issues and Considerations


Permissions
To Create/Alter/Drop Server Audit:
The ALTER ANY SERVER AUDIT or the CONTROL SERVER permission

To Create/Alter/Drop Database Audit:
The ALTER ANY DATABASE AUDIT permission, or the ALTER or CONTROL permission on the database

To View Catalogs (one of the following):


Membership in the sysadmin fixed server role.
The CONTROL SERVER permission.
The VIEW SERVER STATE permission.
The ALTER ANY AUDIT permission.
The VIEW AUDIT STATE permission (gives only the principal access to the sys.server_audits
catalog view).

To Use DMVs:
VIEW SERVER STATE or ALTER ANY AUDIT

Resources for More Information


SQL Server Common Criteria Site: http://www.microsoft.com/sqlserver/en/us/common-criteria.aspx
Introducing SQL Server Extended Events: http://go.microsoft.com/fwlink/?LinkID=237197
Understanding SQL Server Audit: http://go.microsoft.com/fwlink/?LinkID=233566
SQL Server Audit Action Groups and Actions: http://go.microsoft.com/fwlink/?LinkID=233440
SQL Server Audit (Database Engine): http://go.microsoft.com/fwlink/?LinkID=233568


Summary
Introduction to SQL Server Audit
Configuring SQL Server Audit
Audit Actions and Action Groups
Defining Audit Targets
Creating Audits
Creating Server Audit Specifications
Creating Database Audit Specifications
Audit-related DMVs and System Views
Demonstration Using SQL Server Audit
Other Issues and Considerations
Resources for More Information

Q&A?
Email me at
timothy.mcaliley@microsoft.com
Follow Me on Twitter @Sysframeworks
LinkedIn: Timothy P. McAliley


User Group Events!


PASS DC, January 9th, 2014
Washington, DC IT Pro Camp
February 22, 2014
Microsoft Training Center
Very Similar Format to SQL Saturday
Free www.itprocamp.com/washdc

Thank You!
