Building Security Audits with Extended Events
Jason Strate
b: www.jasonstrate.com
t: StrateSQL
Resources jasonstrate.com/go/xevents
Introduction
MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
Pragmatic Works Company History
• Founded 2008 by MSFT MVP Brian Knight
• Focused on the MSFT SQL Server Platform
• Provides services, training and software
• MSFT/HP “go to” partner
• Gold Certified:
o BI
o Data Management
o SQL Performance
• Team led by multiple MVPs
• Offices throughout the US with Corporate HQ in Jacksonville, FL
It’s 12 o’clock…
Do you know where your data is?
Do you know who is accessing your data?
> ACCESS GRANTED!
Agenda
Why Security Audits?
Security Audit Components
Building a Login Audit
Building a Query Audit
Why Do We Need Security Audits?
Regulations
Corporate Policy
Responsibilities
Most Important Reason
Everyone Lies! Even Unicorns, While They Are Doing Their Jobs
Validate Security
Data Users
Types of Audits
Common Criteria Compliance
C2 Audit Tracing
SQL Audit
Extended Events
CCC and C2 Concerns
• Difficult to manage
• Too much data
• Too little control
• Behavior changes in SQL Server
SQL Audit
• Two audit levels
– Server (Instance)
– Database
• Captures preset data
• Sync or async targets
– File
– Security log
– Application log
• Standard and Enterprise
– SQL Server 2012
SQL Audit
• No control on columns
– Maybe too much data
• Limited output formats
– Maybe need in-flight aggregation
• Need something less?
Perfect for tracking permissions changes, login creation, DBCC activity, backups and restores, etc.
Do you know SQL Audit?
SQL AUDIT
Demo
“Lower” Solution
• Less invasive
• Temporary need
• Scenarios…
– What about Bob, the New DBA?
– How often is Sally accessing the database?
– What is the application logon/logout frequency?
Components
• Events
• Actions
• Predicates
• Targets
• Packages
Packages
• sqlserver
• SecAudit
Events
• Logon
• Logout
• SQL Statement Starting
• RPC Starting
• Module Start
• SQL Batch Starting
Actions
• User Name
• Client App Name
• Client Hostname
• Database Id
• Database Name
• NT Username
• Server Instance Name
• Server Principal Name
• SQL Text
PREDICATES
WHERE
• Equal
• Greater Than
• Less Than
• Not Equal
• LIKE
FILTERS
• AND
• OR
Targets
• File Target
• Ring Buffer
• Event Stream
Login Scenario
• How often is a login being used?
• When are logins occurring?
• What applications are using a login?
• What host has the most logins?
Login Audits
• Connection Tracking template
– Login
– Logout
– Connectivity Ring Buffer Recorded
• Targets
– File target for long term analysis
– Ring buffer for short-term activity
– Event stream for real-time analysis
LOGIN AUDITS
Demo
Agenda
Why Security Audits?
Security Audit Components
Building a Permissions Audit
Building a Query Audit
Query Audit
• What queries did the new DBA run?
• What is being run against XYZ database?
• What is the developer doing that keeps causing SEVERITY 20 errors?
Query Audit
• Query level auditing
– RPC Starting
– Module Start
– SP Statement Starting
– SQL Batch Starting
– SQL Statement Starting
• Targets
– Same as Login Audit
QUERY AUDIT
Demo
Any Questions?
Learn More About Extended Events
Services: Speed development through training, and rapid development services from Pragmatic Works.
Products: BI products to convert to a Microsoft BI platform and simplify development on the platform.
Foundation: Helping those who do not have the means to get into information technology achieve their dreams.
For more information…
Name: Jason Strate
Email: [email protected]
Blog: www.jasonstrate.com
Resource: jasonstrate.com/go/xevents