The hardest part of Security Auditing is to define what should be audited and how. The security breaches around a SQL Server instances may occur in several areas: from SSIS packages saved on disk, to system users and administrators who can read and even modify data. There a lot of different attack vectors to monitor. A good place to start is to determine the legislative requirements for your installation, which will depend on the nature of the data. Generally, there is a requirement to track and log events that occur on the Database Engine in sufficient detail to aid a forensic analysis of any data-breach that occurs.
The next challenge, after defining what should be audited, is to find a way to take a snapshot of the system’s security context at the time of the start of the auditing. The idea is that we must know what the settings are at the beginning of the auditing process, so we can monitor deviations and send alerts based on them.
Finally, another challenge is to choose a way to deal with the large volume of data generated by the security auditing. The data can be stored in logs (SQL Server instance logs, Operating system logs), it can also be stored in log files on disk. Ideally, the data can be stored in ring buffers and consumed by external components and so on, but all this needs to be planned around the audit retention interval that is required.
The work of setting up an audit log has been made much easier by Microsoft’s introduction of SQL Audit functionality. It has been available in SQL Server since SQL2008 and it was slightly improved in SQL2012. In this article first show how to set up the current security context, and then we’ll show you how to set up SQL Audit and apply it to all the databases in an instance.
How to take a snapshot of the current security context
First, we will create a database called SQLAudit and a table in it called AuditDBLogin.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
IF OBJECT_ID('dbo.AuditDBLogin', 'U') IS NULL CREATE TABLE [dbo].[AuditDBLogin]( [ServerName] [NVARCHAR](128) NULL, [LoginName] [sysname] NOT NULL, [LoginType] [VARCHAR](13) NOT NULL, [DatabaseName] [NVARCHAR](128) NULL, [SelectAccess] [INT] NULL, [InsertAccess] [INT] NULL, [UpdateAccess] [INT] NULL, [DeleteAccess] [INT] NULL, [DBOAccess] [INT] NULL, [SysadminAccess] [INT] NULL, [AuditDate] [DATETIME] NOT NULL DEFAULT ( GETDATE() ) ) |
Then we will run the following script to get the database logins and all permissions for the databases. It will need to run every database you need to audit on the instance that we are interested in auditing:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 |
INSERT INTO SQLAudit.dbo.AuditDBLogin ( [ServerName] , [LoginName] , [LoginType] , [DatabaseName] , [SelectAccess] , [InsertAccess] , [UpdateAccess] , [DeleteAccess] , [DBOAccess] , [SysadminAccess] ) SELECT ServerName = @@SERVERNAME , LoginName = AccessSummary.LoginName , LoginType = CASE WHEN syslogins.isntuser = 1 THEN 'WINDOWS_LOGIN' WHEN syslogins.isntgroup = 1 THEN 'WINDOWS_GROUP' ELSE 'SQL_USER' END , DatabaseName = DB_NAME() , SelectAccess = MAX(AccessSummary.SelectAccess) , InsertAccess = MAX(AccessSummary.InsertAccess) , UpdateAccess = MAX(AccessSummary.UpdateAccess) , DeleteAccess = MAX(AccessSummary.DeleteAccess) , DBOAccess = MAX(AccessSummary.DBOAccess) , SysadminAccess = MAX(AccessSummary.SysadminAccess) FROM ( /* Get logins with permissions */ SELECT LoginName = sysDatabasePrincipal.name , SelectAccess = CASE WHEN permission_name = 'SELECT' THEN 1 ELSE 0 END , InsertAccess = CASE WHEN permission_name = 'INSERT' THEN 1 ELSE 0 END , UpdateAccess = CASE WHEN permission_name = 'UPDATE' THEN 1 ELSE 0 END , DeleteAccess = CASE WHEN permission_name = 'DELETE' THEN 1 ELSE 0 END , DBOAccess = 0 , SysadminAccess = 0 FROM sys.database_permissions AS sysDatabasePermission INNER JOIN sys.database_principals AS sysDatabasePrincipal ON sysDatabasePrincipal.principal_id = sysDatabasePermission.grantee_principal_id INNER JOIN sys.server_principals AS sysServerPrincipal ON sysServerPrincipal.sid = sysDatabasePrincipal.sid WHERE sysDatabasePermission.class_desc = 'OBJECT_OR_COLUMN' AND sysDatabasePrincipal.type_desc IN ( 'WINDOWS_LOGIN', 'WINDOWS_GROUP', 'SQL_USER' ) AND sysServerPrincipal.is_disabled = 0 UNION ALL /* Get group members with permissions */ SELECT LoginName = sysDatabasePrincipalMember.name , SelectAccess = CASE WHEN permission_name = 'SELECT' THEN 1 ELSE 0 END , InsertAccess = CASE WHEN permission_name = 'INSERT' THEN 1 ELSE 0 END , UpdateAccess = CASE WHEN permission_name = 'UPDATE' THEN 1 ELSE 0 END , DeleteAccess = CASE WHEN permission_name = 'DELETE' THEN 1 ELSE 0 END , DBOAccess = 0 , SysadminAccess = 0 FROM sys.database_permissions AS sysDatabasePermission INNER JOIN sys.database_principals AS sysDatabasePrincipalRole ON sysDatabasePrincipalRole.principal_id = sysDatabasePermission.grantee_principal_id INNER JOIN sys.database_role_members AS sysDatabaseRoleMember ON sysDatabaseRoleMember.role_principal_id = sysDatabasePrincipalRole.principal_id INNER JOIN sys.database_principals AS sysDatabasePrincipalMember ON sysDatabasePrincipalMember.principal_id = sysDatabaseRoleMember.member_principal_id INNER JOIN sys.server_principals AS sysServerPrincipal ON sysServerPrincipal.sid = sysDatabasePrincipalMember.sid WHERE sysDatabasePermission.class_desc = 'OBJECT_OR_COLUMN' AND sysDatabasePrincipalRole.type_desc = 'DATABASE_ROLE' AND sysDatabasePrincipalRole.name <> 'public' AND sysDatabasePrincipalMember.type_desc IN ( 'WINDOWS_LOGIN', 'WINDOWS_GROUP', 'SQL_USER' ) AND sysServerPrincipal.is_disabled = 0 UNION ALL /* Get users in db_owner, db_datareader and db_datawriter */ SELECT LoginName = sysServerPrincipal.name , SelectAccess = CASE WHEN sysDatabasePrincipalRole.name IN ( 'db_owner', 'db_datareader' ) THEN 1 ELSE 0 END , InsertAccess = CASE WHEN sysDatabasePrincipalRole.name IN ( 'db_owner', 'db_datawriter' ) THEN 1 ELSE 0 END , UpdateAccess = CASE WHEN sysDatabasePrincipalRole.name IN ( 'db_owner', 'db_datawriter' ) THEN 1 ELSE 0 END , DeleteAccess = CASE WHEN sysDatabasePrincipalRole.name IN ( 'db_owner', 'db_datawriter' ) THEN 1 ELSE 0 END , DBOAccess = CASE WHEN sysDatabasePrincipalRole.name = 'db_owner' THEN 1 ELSE 0 END , SysadminAccess = 0 FROM sys.database_principals AS sysDatabasePrincipalRole INNER JOIN sys.database_role_members AS sysDatabaseRoleMember ON sysDatabaseRoleMember.role_principal_id = sysDatabasePrincipalRole.principal_id INNER JOIN sys.database_principals AS sysDatabasePrincipalMember ON sysDatabasePrincipalMember.principal_id = sysDatabaseRoleMember.member_principal_id INNER JOIN sys.server_principals AS sysServerPrincipal ON sysServerPrincipal.sid = sysDatabasePrincipalMember.sid WHERE sysDatabasePrincipalRole.name IN ( 'db_owner', 'db_datareader', 'db_datawriter' ) AND sysServerPrincipal.type_desc IN ( 'WINDOWS_LOGIN', 'WINDOWS_GROUP', 'SQL_LOGIN' ) AND sysServerPrincipal.is_disabled = 0 UNION ALL /* Get users in sysadmin */ SELECT LoginName = sysServerPrincipalMember.name , SelectAccess = 1 , InsertAccess = 1 , UpdateAccess = 1 , DeleteAccess = 1 , DBOAccess = 0 , SysadminAccess = 1 FROM sys.server_principals AS sysServerPrincipalRole INNER JOIN sys.server_role_members AS sysServerRoleMember ON sysServerRoleMember.role_principal_id = sysServerPrincipalRole.principal_id INNER JOIN sys.server_principals AS sysServerPrincipalMember ON sysServerPrincipalMember.principal_id = sysServerRoleMember.member_principal_id WHERE sysServerPrincipalMember.type_desc IN ( 'WINDOWS_LOGIN', 'WINDOWS_GROUP', 'SQL_LOGIN' ) AND sysServerPrincipalMember.is_disabled = 0 ) AS AccessSummary INNER JOIN master.dbo.syslogins AS syslogins ON syslogins.loginname = AccessSummary.LoginName WHERE AccessSummary.LoginName NOT IN ( 'NT SERVICE\MSSQLSERVER', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\SQLSERVERAGENT' ) GROUP BY AccessSummary.LoginName , CASE WHEN syslogins.isntuser = 1 THEN 'WINDOWS_LOGIN' WHEN syslogins.isntgroup = 1 THEN 'WINDOWS_GROUP' ELSE 'SQL_USER' END; |
this routine will provide a security snapshot that can be used to verify and note who has what permissions. Then, the SQL audit itself keeps track of changes to the permissions; and reporting can be done if anything significant is altered. This routine is needed only as a reference to understand any changes that are subsequently shown by SQL Audit to the permission system.
Audit everything – scripts for 2008 and 2012
Now we are ready to create the SQL Audit. First, we will start by creating an Audit for the Server itself: this is an object on a SQL Server instance level which is used to specify the way that the data is channelled and stored. The Server Audit may contain a Server audit specification (events on an instance level) and database audit specifications (events on a database level). The data can be stored either in binary file on disk, or written to the Windows Server application or security logs.
Keep in mind that only Enterprise / Developer editions support database level audit specifications.
Creating the Server Audit:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
-- drop server audit USE [master] GO IF EXISTS (SELECT * FROM sys.server_audits WHERE name = N'MSSQL_Server_Audit') BEGIN ALTER SERVER AUDIT MSSQL_Server_Audit WITH (STATE = OFF) DROP SERVER AUDIT [MSSQL_Server_Audit] END GO -- create server audit CREATE SERVER AUDIT [MSSQL_Server_Audit] TO FILE ( FILEPATH = N'F:\\SQLAudit\' ,MAXSIZE = 200 MB ,MAX_ROLLOVER_FILES = 2 ,RESERVE_DISK_SPACE = ON ) WITH ( QUEUE_DELAY = 1000 ,ON_FAILURE = CONTINUE ) ALTER SERVER AUDIT [MSSQL_Server_Audit] WITH (STATE = ON) GO |
In this case I have chosen to save the data into a binary file on the disk system. There will be two files of 200Mb each, which will be rotated and overwritten as they reach their 200Mb size limit.
Creating a Server Audit Specification
As I’ve already mentioned, the Server Audit Specification collects events on a SQL Server instance level. The script will check for the version of the SQL Server and will execute different sections based on whether it is SQL 2008 or above, since there are extra audit events in the SQL 2012 and up.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 |
-- drop server audit specification USE [master] GO IF EXISTS (SELECT * FROM sys.server_audit_specifications WHERE name = N'MSSQL_Server_Specification') BEGIN ALTER SERVER AUDIT SPECIFICATION MSSQL_Server_Specification WITH (STATE = OFF) DROP SERVER AUDIT SPECIFICATION [MSSQL_Server_Specification] END GO /* This section checks for the version of the SQL Server and creates the Server Audit Specification */ IF (SELECT cast(left(cast(serverproperty('productversion') as varchar), 4) as decimal(5, 3))) < 11 BEGIN --PRINT 'SQL 2008%' CREATE SERVER AUDIT SPECIFICATION [MSSQL_Server_Specification] FOR SERVER AUDIT [MSSQL_Server_Audit] ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP ), ADD (AUDIT_CHANGE_GROUP ), ADD (BACKUP_RESTORE_GROUP ), ADD (BROKER_LOGIN_GROUP ), ADD (DATABASE_CHANGE_GROUP), ADD (DATABASE_MIRRORING_LOGIN_GROUP ), ADD (DATABASE_OBJECT_ACCESS_GROUP ), ADD (DATABASE_OBJECT_CHANGE_GROUP ), ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP ), ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP), ADD (DATABASE_OPERATION_GROUP ), ADD (DATABASE_OWNERSHIP_CHANGE_GROUP), ADD (DATABASE_PERMISSION_CHANGE_GROUP ), ADD (DATABASE_PRINCIPAL_CHANGE_GROUP), ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP ), ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP), ADD (DBCC_GROUP ), ADD (FAILED_LOGIN_GROUP ), ADD (FULLTEXT_GROUP ), ADD (LOGIN_CHANGE_PASSWORD_GROUP), ADD (LOGOUT_GROUP ), ADD (SCHEMA_OBJECT_ACCESS_GROUP ), ADD (SCHEMA_OBJECT_CHANGE_GROUP ), ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP ), ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP), ADD (SERVER_OBJECT_CHANGE_GROUP ), ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP ), ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP), ADD (SERVER_OPERATION_GROUP ), ADD (SERVER_PERMISSION_CHANGE_GROUP ), ADD (SERVER_PRINCIPAL_CHANGE_GROUP), ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP ), ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP), ADD (SERVER_STATE_CHANGE_GROUP), ADD (SUCCESSFUL_LOGIN_GROUP ), ADD (TRACE_CHANGE_GROUP ) WITH (STATE = ON) END ELSE BEGIN CREATE SERVER AUDIT SPECIFICATION [MSSQL_Server_Specification] FOR SERVER AUDIT [MSSQL_Server_Audit] ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP), ADD (AUDIT_CHANGE_GROUP), ADD (BACKUP_RESTORE_GROUP), ADD (BROKER_LOGIN_GROUP), ADD (DATABASE_CHANGE_GROUP ), ADD (DATABASE_LOGOUT_GROUP ), ADD (DATABASE_MIRRORING_LOGIN_GROUP), ADD (DATABASE_OBJECT_ACCESS_GROUP), ADD (DATABASE_OBJECT_CHANGE_GROUP), ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP), ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP ), ADD (DATABASE_OPERATION_GROUP), ADD (DATABASE_OWNERSHIP_CHANGE_GROUP ), ADD (DATABASE_PERMISSION_CHANGE_GROUP), ADD (DATABASE_PRINCIPAL_CHANGE_GROUP ), ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP), ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP ), ADD (DBCC_GROUP), ADD (FAILED_DATABASE_AUTHENTICATION_GROUP), ADD (FAILED_LOGIN_GROUP), ADD (FULLTEXT_GROUP), ADD (LOGIN_CHANGE_PASSWORD_GROUP ), ADD (LOGOUT_GROUP), ADD (SCHEMA_OBJECT_ACCESS_GROUP), ADD (SCHEMA_OBJECT_CHANGE_GROUP), ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP), ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP ), ADD (SERVER_OBJECT_CHANGE_GROUP), ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP), ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP ), ADD (SERVER_OPERATION_GROUP), ADD (SERVER_PERMISSION_CHANGE_GROUP), ADD (SERVER_PRINCIPAL_CHANGE_GROUP ), ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP), ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP ), ADD (SERVER_STATE_CHANGE_GROUP ), ADD (SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP), ADD (SUCCESSFUL_LOGIN_GROUP), ADD (TRACE_CHANGE_GROUP), ADD (USER_CHANGE_PASSWORD_GROUP), ADD (USER_DEFINED_AUDIT_GROUP) WITH (STATE = ON) END |
Creating the database audit specification
Sadly, the database audit specifications are only available in Enterprise / Developer editions.
The script below iterates through all databases on the instance and creates the database audit specifications, including the model database, which will automatically bring the audit into any newly created databases.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 |
/* This section will iterate in every database and will create the database audit specifications */ IF (SELECT cast(left(cast(serverproperty('productversion') as varchar), 4) as decimal(5, 3))) < 11 BEGIN EXEC sp_MSforeachdb 'USE ? IF EXISTS (SELECT * FROM sys.database_audit_specifications WHERE name = N''DatabaseAuditSpecification'') BEGIN ALTER DATABASE AUDIT SPECIFICATION DatabaseAuditSpecification WITH (STATE = OFF) DROP DATABASE AUDIT SPECIFICATION DatabaseAuditSpecification END CREATE DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecification] FOR SERVER AUDIT [MSSQL_Server_Audit] ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP ), ADD (AUDIT_CHANGE_GROUP ), ADD (BACKUP_RESTORE_GROUP ), ADD (DATABASE_CHANGE_GROUP), ADD (DATABASE_OBJECT_ACCESS_GROUP ), ADD (DATABASE_OBJECT_CHANGE_GROUP ), ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP ), ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP), ADD (DATABASE_OPERATION_GROUP ), ADD (DATABASE_OWNERSHIP_CHANGE_GROUP), ADD (DATABASE_PERMISSION_CHANGE_GROUP ), ADD (DATABASE_PRINCIPAL_CHANGE_GROUP), ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP ), ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP), ADD (DBCC_GROUP ), ADD (SCHEMA_OBJECT_ACCESS_GROUP ), ADD (SCHEMA_OBJECT_CHANGE_GROUP ), ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP ), ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP) WITH (STATE = ON)' END ELSE BEGIN EXEC sp_MSforeachdb 'USE ? IF EXISTS (SELECT * FROM sys.database_audit_specifications WHERE name = N''DatabaseAuditSpecification'') BEGIN ALTER DATABASE AUDIT SPECIFICATION DatabaseAuditSpecification WITH (STATE = OFF) DROP DATABASE AUDIT SPECIFICATION DatabaseAuditSpecification END CREATE DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecification] FOR SERVER AUDIT [MSSQL_Server_Audit] ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP ), ADD (AUDIT_CHANGE_GROUP ), ADD (BACKUP_RESTORE_GROUP ), ADD (DATABASE_CHANGE_GROUP), ADD (DATABASE_LOGOUT_GROUP), ADD (DATABASE_OBJECT_ACCESS_GROUP ), ADD (DATABASE_OBJECT_CHANGE_GROUP ), ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP ), ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP), ADD (DATABASE_OPERATION_GROUP ), ADD (DATABASE_OWNERSHIP_CHANGE_GROUP), ADD (DATABASE_PERMISSION_CHANGE_GROUP ), ADD (DATABASE_PRINCIPAL_CHANGE_GROUP), ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP ), ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP), ADD (DBCC_GROUP ), ADD (FAILED_DATABASE_AUTHENTICATION_GROUP ), ADD (SCHEMA_OBJECT_ACCESS_GROUP ), ADD (SCHEMA_OBJECT_CHANGE_GROUP ), ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP ), ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP), ADD (SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP ), ADD (USER_CHANGE_PASSWORD_GROUP ), ADD (USER_DEFINED_AUDIT_GROUP ) WITH (STATE = ON)' END |
How to read the log
Now that we have setup the Server and Database level auditing, lets see what is in our audit file.
We can read the binary file from SQL Server query window via the following script:
|
1 2 3 4 |
SELECT TOP 100 * FROM sys.fn_get_audit_file('E:\\SQLAudit\MSSQL_Server_Audit*.sqlaudit', DEFAULT, DEFAULT) ORDER BY event_time DESC; |
The outcome of the query will look similar to this:
As we can see, there is a column called action_id, which points to a specific action that was performed.
The actions can be listed by using the following query:
|
1 2 3 4 |
SELECT TOP 10 action_id , name FROM sys.dm_audit_actions; |
The output will look like this:
There are over 500 actions that are audited, and we can see how many actions are triggered in our Audit by running the following query:
|
1 2 3 4 5 6 7 8 9 10 |
SELECT COUNT(*) ActionsCount , f.action_id , a.name , a.class_desc FROM sys.fn_get_audit_file('E:\\SQLAudit\MSSQL_Server_Audit*.sqlaudit', DEFAULT, DEFAULT) f JOIN sys.dm_audit_actions a ON a.action_id = f.action_id GROUP BY f.action_id , a.name , a.class_desc; |
The result will look similar to this:
Automate and centralize
The technique and scripts above will audit everything – all the possible events on server and database level. Depending on the requirements, there can be different approaches on how to go from here. You have to be able to analyze and query the log.
There is a built in function in SQL Server which will query the log: sys.fn_get_audit_file. There are a few issues to be aware of, however. In a busy production system there might be Gigabytes of log data created in a few minutes, which is a challenge in itself to process.
Another caveat is that if the log is written to files, as suggested earlier in the article, a special attention needs to be paid to the file locking mechanisms during the log file reading and the rollover / deletion process. In other words, if there is a process which is using the sys.fn_get_audit_file function to read the audit files, then it will create a lock on the files and they wont be able to be deleted after rolling over, until the reading process is stopped.
A workaround would be to use the Security log in Windows to write the audit events instead of the files on the file system. This way, the locking can be avoided and the rollover and log recycling is a bit easier. However, this creates another issue – some tweaking needs to be performed so the SQL Server account can have the access to write to the Security log, since it does not have the permission by default.
This is done by giving access to the HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security key to the SQL Server account and also add the SQL Server account in the Generate Security Audits local group on the server. Of course, a SQL Server instance restart is needed.
There are quite a few options when it comes to processing the collected data. I cannot say that SQL Server has anything ready “out of the box” which will help the user do a full audit investigation and reporting. There are several ways to go from here and the most popular ones include third party tools like ELK, Splunk or EXASOL to get the data and index it in order to do reporting and alerting on it.
It really depends on what the goal of the audit is, how much data is generated and how much of it needs to be analyzed, and the answers to these questions will dictate the choice of tools down the road.
ELK is a great open source tool, the name stands for Elastic Search + Logstash + Kibana.
- The pros here are that it is a free, open source stack, which can handle the centralization, the indexing and the graphical display of realtime events from the Security Audit events.
- The cons here are that there is no support, a flexible Linux-based architecture needs to be setup in-house, and if there is no competence in-house, it will cost some time and funds.
Splunk is another option to go for
- The pros here are that it is fast, flexible, easily handles large volumes of data and supplies realtime reporting and search functionality. Splunk has a great support and staff which will setup everything for you.
- The cons here are that the solution costs a lot, and the bill comes by GB of data per day which is indexed and stored in Splunk. So, if you have a busy system, generating 50GB of data per day in security logs (I have personally seen much more than that!) you can imagine that it comes at a considerable cost.
EXASOL is a very fast in-memory database which has a great capability to store and process large volumes of data.
- The pros here are that it is fast, flexible, easily handles large volumes of data, it is fairly easy to setup and maintain
- The cons here are that the solution has costs associated to it, and it does not have its own reporting front-end. It is teamed up with Tableau, and reporting if fairly easy and fast, at a certain cost, of course.
In short, there is no real ‘out of the box’ solution provided by Microsoft to help us process the security audit data, thus we have to find a way to bring in other third party tool, depending on the audit goal and the estimated capacity requirements.
Audit the audit
A few words on the security of the security auditing: it is understood that sysadmins and db_owners can tamper with the Server Audit specifications and the Database audit specifications. One way to deal with this is to create another audit which audits the events related to the AUDIT_ CHANGE_GROUP.
This can be done with the following script:
|
1 2 3 4 5 |
USE master; CREATE SERVER AUDIT SPECIFICATION MSSQL_Server_AdminAudit FOR SERVER AUDIT MSSQL_Server_Audit ADD (AUDIT_CHANGE_GROUP) WITH (STATE = ON) ; |
The AUDIT_CHANGE_GROUP event is raised to alert on creation, modification or deletion of audit events. So in this case there will be two audits – one that audits the security events in the system and the other will be auditing if admins are tampering with the first audit.
Load comments