
Audit supported on all SKUs

Improved Resilience

User-Defined Audit Event

Record Filtering

T-SQL Stack Information


SQL Server Express

[Diagram: Select… / Rollback]

[Diagram: exec hr.viewsalary runs select salary from hr.payroll; the Audit Log shows hr.viewsalary and hr.payroll]
exec sp_audit_write
    1234,            -- @user_defined_event_id
    1,               -- @succeeded
    N'Hello World'   -- @user_defined_info

Audit Log
CREATE SERVER AUDIT audit_name
{
TO { [ FILE (<file_options> [ , ...n ]) ] | APPLICATION_LOG | SECURITY_LOG }
[ WITH ( <audit_options> [ , ...n ] ) ]
[ WHERE <predicate_expression> ]
}

<predicate_expression> ::=
{
[ NOT ] <predicate_factor> | {( <predicate_expression> ) }
[ { AND | OR } [ NOT ] { <predicate_factor> | ( <predicate_expression> ) } ]
[ ,...n ]
}

Workload 1
• 11 dbs, ranging from 1.94 MB to 1812.5 MB
• 755 tables with average of 2761 rows
• 1,219,234 stmts executed

Workload 2
• 2 dbs ranging from 64 MB to 423.88 MB
• 35 tables with average of 49,141 rows
• 1,633,557 stmts executed

Workload 3
• 3 dbs ranging from 1.94 MB to 1059.63 MB
• 154 tables with average of 586 rows
• 585,400 stmts executed

Workload 4
• 1 db at 3235.75 MB
• 84 tables with average of 144,245 rows
• 3,435,303 stmts executed

Workload 5
• 1 db at 174.94 MB
• 152 tables with average of 4,108 rows
• 296,642 stmts executed

[Chart: Customer Workload Performance. Base Time, SQL Trace and SQL Server Audit run times, in minutes, for Workloads 1 to 5]


Windows Security Log
• “Tamper-proof” log
• DBA cannot clear log (assuming not an Administrator)
• System Center Operations Manager Audit Collection Service

Copy Audit logs to secure location


• Directory or share inaccessible by service account or DBA
• Audit log files are shared-read and cannot be tampered with while active
• Possible momentary exposure if using multiple logs

Combination of the two


• Audit “tamper” activity to Security Log, e.g., DBA modifying Audit
• All other Audit events are sent to file
Audit Events Buffered
• Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text)

Buffer filled

Server Blocks New Activity Generating Audit Event
• Does not affect other Audits
• Blocks until buffer space freed or audit disabled

System error

Audit Session Turned Off
• Buffered data is discarded and error written to errorlog
• Continue trying to write future events to Audit log
• Automatically try to restart Audit session when next event is generated

Audit Events Buffered
• Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text)

Buffer filled

Server Fails New Activity Generating Audit Event
• Does not affect other Audits
• Fails new operations until buffer space freed or audit disabled
• Buffered audit events persist and are continuously re-attempted to write until audit disabled or server shut down

Option 1
• Correct source of error
• E.g., file system full

Option 2
• Single-user mode, “-m”
• Audit is active but shutdown-on-failure behavior deactivated
• Audit Admin can fix Audit configuration

Option 3
• Minimal configuration mode, “-f”
• Audit disabled but Audit DDL can still be issued.

Bonus
• If “Fail Operation” and “AUDIT_CHANGE_GROUP”, use DAC connection
• Audit event still generated but will not fail operation
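
The pieces from the slides above combined into one script, as an added example that is not from the original deck: audit changes go to the Windows Security log, all other events go to a filtered file audit with fail-operation behavior, and a user-defined event is written and read back. The audit names, the D:\AuditLogs\ path and event id 9999 are assumptions.

```sql
-- Added example, not from the original deck. Audit names, D:\AuditLogs\ and
-- event id 9999 are assumptions; 1234 and 'Hello World' come from the slide.
-- Writing to SECURITY_LOG needs the service account to hold the Windows
-- "Generate security audits" right.
USE master;
GO
-- 1) Tamper trail: changes to any audit land in the Windows Security log.
CREATE SERVER AUDIT Audit_Tamper
    TO SECURITY_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION Audit_Tamper_Spec
    FOR SERVER AUDIT Audit_Tamper
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_Tamper WITH (STATE = ON);
GO
-- 2) Application events go to file. The predicate keeps only records whose
--    user-defined event id is 1234; FAIL_OPERATION makes the audited action
--    fail, rather than run unaudited, when the record cannot be written.
CREATE SERVER AUDIT Audit_App
    TO FILE (FILEPATH = N'D:\AuditLogs\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION)
    WHERE user_defined_event_id = 1234;
GO
CREATE SERVER AUDIT SPECIFICATION Audit_App_Spec
    FOR SERVER AUDIT Audit_App
    ADD (USER_DEFINED_AUDIT_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_App WITH (STATE = ON);
GO
-- 3) Raise two user-defined events; only the first passes the filter.
EXEC sp_audit_write 1234, 1, N'Hello World';
EXEC sp_audit_write 9999, 1, N'dropped by the audit filter';
GO
-- 4) Give the asynchronous queue time to flush, then read the file back.
WAITFOR DELAY '00:00:02';
SELECT event_time, action_id, succeeded,
       user_defined_event_id, user_defined_information
FROM sys.fn_get_audit_file(N'D:\AuditLogs\Audit_App*.sqlaudit', DEFAULT, DEFAULT);
```

Altering or dropping Audit_App afterwards should produce an audit-change record in the Security log through Audit_Tamper, which is the record a DBA without Windows Administrator rights cannot clear.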
Bare Metal Microsoft SQL Server 2012 Deployment and Management (S. Hall B WRK Rm 1)

Microsoft SQL Server: Mission Critical Confidence - Organizational Security and Compliance Demo Station (S. Hall A)

Il-Sung Lee
ilsung@microsoft.com
http://blogs.msdn.com/b/sqlsecurity/
I’m not a tweeter

http://northamerica.msteched.com
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
