auditing made easy by microsoft sql server 2008
TRANSCRIPT
-
8/8/2019 Auditing Made Easy by Microsoft SQL Server 2008
1/4
Auditing made easy by
Microsoft SQL Server 2008
ByMuthusamy Anantha Kumar aka The MAK
It is one of the major tasks of the Microsoft SQL Server database administrator toenable auditing on all of the servers, secure the data collected and extract the data
from those audits for the internal and external auditors.
Auditing is very important to track and log events. It provides data for many legal
compliance requirements, such as Sarbanes Oxley, SAS 70, etc.
In Microsoft SQL Server 2008, Microsoft made the life of a DBA easy by providingthe enhanced auditing feature "SQL Server Audit". In this article series, I am goingto illustrate the various components involved in SQL Server auditing as well as
demonstrate how to create server level, database level and audit level audit usingaction and action group specification provided by Microsoft SQL Server 2008.
This part of the article series illustrates the various components for auditing and theaction groups provided by Microsoft SQL Server 2008.
Components of Auditing
SQL Server Audit
Server Level Audit Specification
Database Level Audit Specification
Target
SQL Server Audit object is the audit component that collects Server or Databaselevel actions or group of actions that we want to monitor.
Server Level Audit specification object is the audit component that collects server
level actions or group of actions that we want to monitor.
Database Level Audit specification object is the audit component that collects
database level actions or group of actions that we want to monitor.
Target component is the destination where you want to store the audit records. It
could be Windows Application or Security event log or it could be a file.
Steps involved in creating and using Audit
Create Audit and define target
Create Server level audit specification, Database level audit specification or
Audit level specification that maps to the Audit defined.
Enable the Audit specification
Enable the Audit
Read the audit event records from Windows Application or Security event logusing Event Viewer or read it from a file using the SQL Server function
fn_get_audit_file function
Audits Action Categories
http://www.databasejournal.com/feedback.php/http:/www.databasejournal.com/features/mssql/article.php/3856341http://www.databasejournal.com/feedback.php/http:/www.databasejournal.com/features/mssql/article.php/3856341http://www.databasejournal.com/feedback.php/http:/www.databasejournal.com/features/mssql/article.php/3856341 -
8/8/2019 Auditing Made Easy by Microsoft SQL Server 2008
2/4
Audit can have the following categories of Actions
Server Level: Includes Server operations
Database Level: Include DDL and DML.
Audit Level: Include the auditing process
Microsoft SQL Server 2008 has grouped actions for Server Level, Database Leveland Audit Level actions that we could use when creating the Server Level or
Database Level Audit specification.
The following are the Server Level Audit action groups that could be defined in the
Audit specification
SUCCESSFUL_LOGIN_GROUP
LOGOUT_GROUP
FAILED_LOGIN_GROUP
LOGIN_CHANGE_PASSWORD_GROUP
APPLICATION_ROLE_CHANGE_PASSWORD_GROUP SERVER_ROLE_MEMBER_CHANGE_GROUP
DATABASE_ROLE_MEMBER_CHANGE_GROUP
BACKUP_RESTORE_GROUP
DBCC_GROUP
SERVER_OPERATION_GROUP
DATABASE_OPERATION_GROUP
AUDIT_ CHANGE_GROUP
SERVER_STATE_CHANGE_GROUP
SERVER_OBJECT_CHANGE_GROUP
SERVER_PRINCIPAL_CHANGE_GROUP
DATABASE_CHANGE_GROUP
DATABASE_OBJECT_CHANGE_GROUP DATABASE_PRINCIPAL_CHANGE_GROUP
SCHEMA_OBJECT_CHANGE_GROUP
SERVER_PRINCIPAL_IMPERSONATION_GROUP
DATABASE_PRINCIPAL_IMPERSONATION_GROUP
SERVER_PRINCIPAL_IMPERSONATION_GROUP
DATABASE_PRINCIPAL_IMPERSONATION_GROUP
SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
DATABASE_OWNERSHIP_CHANGE_GROUP
DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
SERVER_PERMISSION_CHANGE_GROUP
SERVER_OBJECT_PERMISSION_CHANGE_GROUP DATABASE_PERMISSION_CHANGE_GROUP
DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
DATABASE_OBJECT_ACCESS_GROUP
SCHEMA_OBJECT_ACCESS_GROUP
BROKER_LOGIN_GROUP
DATABASE_MIRRORING_LOGIN_GROUP
TRACE_CHANGE_GROUP
The following are the Database Level Audit action groups that could be defined inthe Audit specification
DATABASE_ROLE_MEMBER_CHANGE_GROUP
-
8/8/2019 Auditing Made Easy by Microsoft SQL Server 2008
3/4
DATABASE_OPERATION_GROUP
DATABASE_CHANGE_GROUP
DATABASE_OBJECT_CHANGE_GROUP
DATABASE_PRINCIPAL_CHANGE_GROUP
SCHEMA_OBJECT_CHANGE_GROUP
DATABASE_PRINCIPAL_IMPERSONATION_GROUP
DATABASE_OWNERSHIP_CHANGE_GROUP DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
DATABASE_PERMISSION_CHANGE_GROUP
DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
DATABASE_OBJECT_ACCESS_GROUP
SCHEMA_OBJECT_ACCESS_GROUP
The following are the Audit Level Audit action groups that could be defined in theAudit specification
AUDIT_ CHANGE_GROUP
The following are the Database Level Audit action that could be defined in the Audit
specification
SELECT
UPDATE
INSERT
DELETE
EXECUTE
RECEIVE
REFERENCES
The target audit file consists of zero or more audit action items, which are
recorded. As mentioned previously, the target component is the destination whereyou want to store the audit records. It could be Windows Application or Securityevent log or it could be a file. The following are the elements in the records sent tothe target.
event_time
sequence_no
action_id
succeeded
permission_bitmask is_column_permission
session_id
server_principal_id
database_principal_id
object_ id
target_server_principal_id
target_database_principal_id
class_type
session_server_principal_name
server_principal_name
server_principal_sid
database_principal_name target_server_principal_name
-
8/8/2019 Auditing Made Easy by Microsoft SQL Server 2008
4/4
target_server_principal_sid
target_database_principal_name
server_instance_name
database_name
schema_name
object_name
TSQL statement additional_information
Conclusion
Part 1 of this series illustrated the various components for auditing, the actiongroups provided by Microsoft SQL Server 2008 and the various elements in the
target records. Part 2 will illustrate how to define and enable Server Level Audit andread the target audit records.