Besides the audit features already present in earlier versions, SQL Server 2012 adds a large number of new features, among them several powerful improvements to SQL Server auditing.
Part 1 of this article reviews the audit features that were already available in earlier versions of SQL Server, including:
- Trigger
- SQL Server Audit
1. Trigger
A trigger is a database object that runs a stored procedure (the trigger body) automatically whenever a particular change occurs. There are two kinds of trigger:
- DDL trigger: fires on changes to the structure of the database, e.g. ALTER DATABASE, CREATE TABLE, ...
- DML trigger: fires on changes to the data itself, e.g. UPDATE, INSERT, DELETE.
Triggers can be used, for example, to:
- Prevent changes to the structure of a table (a DDL trigger for ALTER TABLE).
- Reformat a value before it is inserted into a table (a DML trigger for INSERT, in INSTEAD OF or AFTER mode).
- Log structural or data changes to a table (a DDL trigger or a DML trigger).
- Record changes made to one or more tables, in one or more databases, on one or more servers (using a Linked Server).
- Use Service Broker to send messages to various destinations, such as a file on the server, an event in Event Viewer, or an email to the administrator.
-- create the DDL_Log table
CREATE TABLE DDL_Log
(
PostTime datetime,
DB_User nvarchar (100),
Event nvarchar (100),
TSQL nvarchar (2000)
)
GO
-- create the trigger: every database-level DDL event is written to DDL_Log
CREATE TRIGGER myDDLTrigger
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
DECLARE @data XML
SET @data = EVENTDATA()
INSERT DDL_Log (PostTime, DB_User, Event, TSQL)
VALUES
(
GETDATE(),
-- CURRENT_USER is the database user; ORIGINAL_LOGIN() would record the login even under EXECUTE AS
CONVERT(nvarchar(100), CURRENT_USER),
@data.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(100)'),
@data.value('(/EVENT_INSTANCE/TSQLCommand)[1]', 'nvarchar(2000)')
) ;
GO
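The DDL_Log trigger above covers the "log structural changes" use. As an added example, not taken from the original article, the following script covers two more uses from the list: a DDL trigger that blocks ALTER TABLE and DROP TABLE outright, and a DML AFTER trigger that records who changed which row and the before/after values. The table, trigger and column names (dbo.Accounts, dbo.Accounts_Log, trg_BlockTableDDL, trg_Accounts_Audit) are invented for the example.

```sql
-- Added example (not from the original article). All object names are made up.

-- (a) Block ALTER TABLE / DROP TABLE in this database. A DDL trigger runs inside the
--     DDL statement's transaction, so ROLLBACK undoes the change and the caller gets an error.
CREATE TRIGGER trg_BlockTableDDL
ON DATABASE
FOR ALTER_TABLE, DROP_TABLE
AS
BEGIN
    RAISERROR ('Table structure changes are blocked by policy. Disable trg_BlockTableDDL to proceed.', 16, 1);
    ROLLBACK;
END;
GO

-- (b) Row-level change log for dbo.Accounts with attribution.
CREATE TABLE dbo.Accounts
(
    AccountId int   PRIMARY KEY,
    Balance   money NOT NULL
);
CREATE TABLE dbo.Accounts_Log
(
    LogId      int IDENTITY PRIMARY KEY,
    ChangedAt  datetime2(3) NOT NULL DEFAULT SYSUTCDATETIME(),
    LoginName  sysname      NOT NULL,  -- ORIGINAL_LOGIN(): the real login, even under EXECUTE AS
    HostName   sysname      NULL,      -- HOST_NAME() is supplied by the client and can be spoofed; a hint only
    Operation  char(1)      NOT NULL,  -- I / U / D
    AccountId  int          NOT NULL,
    OldBalance money        NULL,
    NewBalance money        NULL
);
GO

CREATE TRIGGER trg_Accounts_Audit
ON dbo.Accounts
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    -- FULL OUTER JOIN of the inserted/deleted pseudo-tables classifies every row as I, U or D in one pass
    INSERT dbo.Accounts_Log (LoginName, HostName, Operation, AccountId, OldBalance, NewBalance)
    SELECT ORIGINAL_LOGIN(), HOST_NAME(),
           CASE WHEN d.AccountId IS NULL THEN 'I'
                WHEN i.AccountId IS NULL THEN 'D'
                ELSE 'U' END,
           COALESCE(i.AccountId, d.AccountId),
           d.Balance, i.Balance
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d ON d.AccountId = i.AccountId;
END;
GO

-- Exercise the DML trigger (constructed data)
INSERT dbo.Accounts VALUES (1, 100), (2, 250);
UPDATE dbo.Accounts SET Balance = Balance - 40 WHERE AccountId = 1;
DELETE dbo.Accounts WHERE AccountId = 2;
SELECT * FROM dbo.Accounts_Log;   -- four rows: I, I, U (100 -> 60), D (250 -> NULL)
GO

-- Exercise the DDL guard: this statement raises the policy error and is rolled back
ALTER TABLE dbo.Accounts ADD Note nvarchar(50);
GO
```

Triggers and their log tables live inside the database being audited, so anyone with ALTER permission on the table or database can run DISABLE TRIGGER or delete rows from Accounts_Log. Keep the log table's permissions separate from the audited users, and prefer SQL Server Audit (below) where tamper evidence matters.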
The following example creates an Audit that records information every time a connection's login fails (for any of several reasons: wrong username, wrong password, ...) and stores that information in the Windows Application log.
USE master ;
GO
-- create the Audit
CREATE SERVER AUDIT mySQLServerAudit TO APPLICATION_LOG WITH ( QUEUE_DELAY =
1000, ON_FAILURE = CONTINUE);
GO
-- create the Server Audit Specification and attach it to the Audit.
-- A specification is created disabled; WITH (STATE = ON) is required, or no events are collected.
CREATE SERVER AUDIT SPECIFICATION FailedLoginServerAuditSpecification FOR
SERVER AUDIT mySQLServerAudit ADD (FAILED_LOGIN_GROUP) WITH (STATE = ON);
GO
-- enable the audit itself (both the audit and the specification must be ON)
ALTER SERVER AUDIT mySQLServerAudit WITH (STATE = ON);
GO
Using this information, an administrator can easily check and follow these changes, either through the stored procedures and functions that CDC provides or by reading the system tables that CDC creates directly.
The following example enables CDC for the table Test and views the changes by querying the stored procedure or the system table.
-- enable CDC for the database (requires sysadmin)
EXEC sys.sp_cdc_enable_db
GO
-- enable CDC for the table Test; @role_name must be given (NULL = no gating role),
-- and @supports_net_changes = 1 requires a primary key or unique index on the table
EXEC sys.sp_cdc_enable_table @source_schema = N'dbo', @source_name = N'Test', @role_name = NULL, @supports_net_changes = 1
GO
/* run some INSERT, UPDATE, DELETE statements */
-- view the information by querying the stored procedure
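As an added example (not code from the original article), here is the complete round trip: create the table, enable CDC with a gating role, make some changes, and read them back through the functions that CDC generates for the capture instance. The table definition and data are constructed for the example, and the role name cdc_readers is invented.

```sql
-- Added example (not from the original article). dbo.Test and its rows are constructed data.
-- Prerequisites: sp_cdc_enable_db needs sysadmin, and the capture job that fills the change
-- table runs under SQL Server Agent, so Agent must be running.
CREATE TABLE dbo.Test
(
    id   int          PRIMARY KEY,   -- a PK or unique index is required for @supports_net_changes = 1
    name nvarchar(50) NOT NULL
);
GO
EXEC sys.sp_cdc_enable_db;
GO
EXEC sys.sp_cdc_enable_table
    @source_schema        = N'dbo',
    @source_name          = N'Test',
    @role_name            = N'cdc_readers',  -- gating role (created if missing): only its members, sysadmin
                                             -- or db_owner can read the change data, which is a copy of the rows
    @supports_net_changes = 1;               -- the capture instance defaults to dbo_Test
GO

INSERT dbo.Test VALUES (1, N'alice'), (2, N'bob');
UPDATE dbo.Test SET name = N'alice2' WHERE id = 1;
DELETE dbo.Test WHERE id = 2;
-- The capture job copies changes out of the transaction log asynchronously; give it a moment.
WAITFOR DELAY '00:00:10';
GO

DECLARE @from_lsn binary(10) = sys.fn_cdc_get_min_lsn(N'dbo_Test');
DECLARE @to_lsn   binary(10) = sys.fn_cdc_get_max_lsn();

-- If the capture job has not processed anything yet, max < min and the function raises a
-- misleading "insufficient number of arguments" error; retry later rather than treating it as a bug.
IF @to_lsn >= @from_lsn
BEGIN
    -- Every change, including the pre-update row image ('all update old')
    SELECT sys.fn_cdc_map_lsn_to_time(__$start_lsn) AS changed_at,
           CASE __$operation WHEN 1 THEN 'delete' WHEN 2 THEN 'insert'
                             WHEN 3 THEN 'update (before)' WHEN 4 THEN 'update (after)' END AS op,
           id, name
    FROM cdc.fn_cdc_get_all_changes_dbo_Test(@from_lsn, @to_lsn, N'all update old')
    ORDER BY __$start_lsn, __$seqval, __$operation;
    -- expected: insert 1, insert 2, update (before) alice, update (after) alice2, delete 2

    -- Net effect per key over the same range (available because @supports_net_changes = 1)
    SELECT __$operation, id, name
    FROM cdc.fn_cdc_get_net_changes_dbo_Test(@from_lsn, @to_lsn, N'all');
END;
```

CDC records what changed, not who changed it: the change table carries no login or session information. For attribution it has to be combined with a trigger or with SQL Server Audit.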
After enabling Change Tracking, we can use several views and functions to see the information:
-- list the databases in the instance that have Change Tracking enabled
SELECT * FROM sys.change_tracking_databases
-- list the tables in the current database that have Change Tracking enabled
SELECT * FROM sys.change_tracking_tables
/* list every row of the table Test (which has Change Tracking enabled)
together with its version information; the key values must be in parentheses */
SELECT t.*, ct.*
FROM Test t CROSS APPLY
CHANGETABLE ( VERSION Test, (id), (t.id) ) AS ct;
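The statements above assume Change Tracking is already on and only look up per-row versions. As an added example (not from the original article), the script below enables the feature on the current database and on dbo.Test, then uses CHANGETABLE(CHANGES ...) the way a synchronising consumer does: pull only the rows changed since the version it last saw, and first verify that retention has not already discarded that history. The table and its rows are constructed for the example.

```sql
-- Added example (not from the original article). dbo.Test and its data are constructed.
ALTER DATABASE CURRENT
    SET CHANGE_TRACKING = ON (CHANGE_RETENTION = 2 DAYS, AUTO_CLEANUP = ON);
GO
CREATE TABLE dbo.Test (id int PRIMARY KEY, name nvarchar(50) NOT NULL);  -- a PK is required
ALTER TABLE dbo.Test ENABLE CHANGE_TRACKING WITH (TRACK_COLUMNS_UPDATED = ON);
GO

INSERT dbo.Test VALUES (1, N'alice'), (2, N'bob'), (3, N'carol');
-- A consumer stores the version it has synced up to; here it is taken right after the inserts
DECLARE @last_sync_version bigint = CHANGE_TRACKING_CURRENT_VERSION();

UPDATE dbo.Test SET name = N'alice2' WHERE id = 1;
DELETE dbo.Test WHERE id = 2;

-- Before trusting an incremental result, check that cleanup has not removed history older
-- than @last_sync_version; if it has, the only safe option is a full reload.
IF @last_sync_version < CHANGE_TRACKING_MIN_VALID_VERSION(OBJECT_ID('dbo.Test'))
    RAISERROR ('Last sync version is no longer valid; full resync required.', 16, 1);

-- Rows changed since the last sync. LEFT JOIN keeps deletes, which have no base row any more.
SELECT ct.SYS_CHANGE_VERSION,
       ct.SYS_CHANGE_OPERATION,          -- I / U / D
       ct.id,
       t.name,                           -- current value, NULL for a deleted row
       CHANGE_TRACKING_IS_COLUMN_IN_MASK(
           COLUMNPROPERTY(OBJECT_ID('dbo.Test'), 'name', 'ColumnId'),
           ct.SYS_CHANGE_COLUMNS) AS name_changed
FROM CHANGETABLE(CHANGES dbo.Test, @last_sync_version) AS ct
LEFT JOIN dbo.Test AS t ON t.id = ct.id
ORDER BY ct.SYS_CHANGE_VERSION;
-- expected: id 1 -> U with name_changed = 1; id 2 -> D
```

Like CDC, Change Tracking answers "which rows changed", not "who changed them" or "what the old value was"; it is a synchronisation aid rather than an audit trail.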
With the features above, an administrator can monitor in detail both the structural and the data changes in their databases.
So what does SQL Server 2012 add to auditing in general, and to SQL Server Audit in particular? Many database administrators are interested in this question, and it is answered through the features covered in this Part 2, namely:
1. User-Defined Audit
User-Defined Audit lets applications define events of their own and write audit information more flexibly, for example recording in the audit log the names of the users who signed in to the application, instead of only the shared login declared in the application's connection string.
Such audit events are added by calling the stored procedure sp_audit_write. All of these events are then collected under the USER_DEFINED_AUDIT_GROUP action group. Note that for this to work, USER_DEFINED_AUDIT_GROUP must be enabled beforehand, i.e. added to an enabled server or database audit specification.
The following example writes to the audit log an event with id = 141 together with some arbitrary information.
EXEC sp_audit_write
@user_defined_event_id = 141,
@succeeded = 0,
@user_defined_information = N'My information' ;
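The call above only works once the group is wired to an audit. As an added example (not from the original article), the following script sets up a file-target audit with USER_DEFINED_AUDIT_GROUP enabled, shows the calls an application would make after authenticating its own users, and reads the result back with sys.fn_get_audit_file. The audit name AppAudit, the path C:\SQLAudit\ (which must exist and be writable by the SQL Server service account), the event ids 1001/1002 and the application user names are all invented for the example.

```sql
-- Added example (not from the original article). Names, path, event ids and user data are made up.
USE master;
GO
CREATE SERVER AUDIT AppAudit
    TO FILE (FILEPATH = 'C:\SQLAudit\')
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

-- USER_DEFINED_AUDIT_GROUP must be in an enabled specification; otherwise sp_audit_write
-- returns success and writes nothing, which is easy to miss in testing.
CREATE SERVER AUDIT SPECIFICATION AppAuditSpec
    FOR SERVER AUDIT AppAudit
    ADD (USER_DEFINED_AUDIT_GROUP)
    WITH (STATE = ON);

ALTER SERVER AUDIT AppAudit WITH (STATE = ON);
GO

-- What the application calls after checking its own users' credentials. The connection still
-- runs as the shared login from the connection string; the application user travels in
-- @user_defined_information. Event ids follow the application's own convention:
-- 1001 = application sign-in, 1002 = privilege change.
EXEC sp_audit_write @user_defined_event_id = 1001, @succeeded = 1,
     @user_defined_information = N'app_user=j.doe;src=10.1.2.3;result=ok';
EXEC sp_audit_write @user_defined_event_id = 1001, @succeeded = 0,
     @user_defined_information = N'app_user=j.doe;src=10.1.2.3;result=bad_password';
EXEC sp_audit_write @user_defined_event_id = 1002, @succeeded = 1,
     @user_defined_information = N'app_user=admin;target=j.doe;role=billing_admin';
GO

-- Read back: server_principal_name is the shared SQL login as seen by the engine,
-- user_defined_information is whatever the application passed in.
SELECT event_time, server_principal_name, user_defined_event_id, succeeded, user_defined_information
FROM sys.fn_get_audit_file('C:\SQLAudit\AppAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE user_defined_event_id > 0
ORDER BY event_time;
```

sp_audit_write is callable by any principal (membership in public is enough), and the engine does not validate the content. Anyone holding the shared login, including an attacker who has compromised the application, can therefore write plausible-looking user-defined entries. Treat the engine-populated columns (server_principal_name, session_id, event_time) as evidence and the user-defined text as a claim made by the application.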
2. Audit Filtering
Previously it was not easy to filter, according to some specific condition, only the events the administrator was interested in. SQL Server 2012 remedies this with Audit Filtering.
SQL Server Audit can now filter the events to be audited before they are written to the audit log, through a WHERE clause in the CREATE SERVER AUDIT and ALTER SERVER AUDIT statements.
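As an added example (not from the original article), the script below audits access to one table and narrows the result with a WHERE predicate so that a noisy, expected reader is excluded; it then shows how to inspect and change the predicate in place. The audit name, the Sales database with its dbo.Customers table, the path C:\SQLAudit\ and the CORP\svc_etl and CORP\svc_report logins are assumptions made for the example.

```sql
-- Added example (not from the original article). Database, table, logins and path are made up.
USE master;
GO
CREATE SERVER AUDIT SensitiveAccessAudit
    TO FILE (FILEPATH = 'C:\SQLAudit\')
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
    -- The predicate is evaluated before the record is written. Field names are those of
    -- sys.fn_get_audit_file; strings are compared without implicit conversion, so the
    -- literal type must match the field type (all of these are string fields).
    WHERE database_name = 'Sales'
      AND schema_name   = 'dbo'
      AND object_name   = 'Customers'
      AND server_principal_name <> 'CORP\svc_etl';
GO
ALTER SERVER AUDIT SensitiveAccessAudit WITH (STATE = ON);
GO

-- The database audit specification decides which events are raised at all;
-- the audit's WHERE decides which of them are kept.
USE Sales;
GO
CREATE DATABASE AUDIT SPECIFICATION SensitiveAccessSpec
    FOR SERVER AUDIT SensitiveAccessAudit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public)
    WITH (STATE = ON);
GO

-- The predicate actually in force: the first place to look when events seem to be missing
SELECT name, predicate FROM sys.server_audits WHERE name = 'SensitiveAccessAudit';

-- Tightening the filter later: the audit has to be OFF while it is altered
USE master;
GO
ALTER SERVER AUDIT SensitiveAccessAudit WITH (STATE = OFF);
ALTER SERVER AUDIT SensitiveAccessAudit
    WHERE database_name = 'Sales'
      AND object_name   = 'Customers'
      AND server_principal_name <> 'CORP\svc_etl'
      AND server_principal_name <> 'CORP\svc_report';
ALTER SERVER AUDIT SensitiveAccessAudit WITH (STATE = ON);
GO
```

A filter is also a way to make an audit quietly blind: a principal with ALTER ANY SERVER AUDIT can add an exclusion for their own login. Enable AUDIT_CHANGE_GROUP in a server audit specification so that creating, altering or dropping an audit (including its WHERE clause) is itself recorded.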
http://msdn.microsoft.com/en-us/library/cc280448%28v=sql.110%29.aspx
Syntax
CREATE SERVER AUDIT audit_name
{
TO { [ FILE (<file_options> [ , ...n ] ) ] | APPLICATION_LOG |
SECURITY_LOG }
Arguments
TO { FILE | APPLICATION_LOG | SECURITY_LOG }
Determines the location of the audit target. The options are a binary file, The Windows
Application log, or the Windows Security log. SQL Server cannot write to the Windows Security
log without configuring additional settings in Windows. For more information, see Write SQL
Server Audit Events to the Security Log.
FILEPATH ='os_file_path'
The path of the audit log. The file name is generated based on the audit name and audit GUID.
MAXSIZE = { max_size }
Specifies the maximum size to which the audit file can grow. The max_size value must be an
integer followed by MB, GB, TB, or UNLIMITED. The minimum size that you can specify for
max_size is 2 MB and the maximum is 2,147,483,647 TB. When UNLIMITED is specified, the
file grows until the disk is full. Specifying a value lower than 2 MB will raise the error
MSG_MAXSIZE_TOO_SMALL. The default value is UNLIMITED.
MAX_ROLLOVER_FILES ={ integer | UNLIMITED }
Specifies the maximum number of files to retain in the file system in addition to the current file.
The MAX_ROLLOVER_FILES value must be an integer or UNLIMITED. The default value is
UNLIMITED. This parameter is evaluated whenever the audit restarts (which can happen when
the instance of the Database Engine restarts or when the audit is turned off and then on again) or
when a new file is needed because the MAXSIZE has been reached. When
MAX_ROLLOVER_FILES is evaluated, if the number of files exceeds the
MAX_ROLLOVER_FILES setting, the oldest file is deleted. As a result, when the setting of
MAX_ROLLOVER_FILES is 0 a new file is created each time the
MAX_ROLLOVER_FILES setting is evaluated. Only one file is automatically deleted when
MAX_ROLLOVER_FILES setting is evaluated, so when the value of
MAX_ROLLOVER_FILES is decreased, the number of files will not shrink unless old files are
manually deleted. The maximum number of files that can be specified is 2,147,483,647.
MAX_FILES =integer
Specifies the maximum number of audit files that can be created. Does not rollover to the first file
when the limit is reached. When the MAX_FILES limit is reached, any action that causes
additional audit events to be generated will fail with an error.
RESERVE_DISK_SPACE = { ON | OFF }
This option pre-allocates the file on the disk to the MAXSIZE value. It applies only if MAXSIZE
is not equal to UNLIMITED. The default value is OFF.
QUEUE_DELAY =integer
Determines the time, in milliseconds, that can elapse before audit actions are forced to be
processed. A value of 0 indicates synchronous delivery. The minimum settable queue delay value
is 1000 (1 second), which is the default. The maximum is 2,147,483,647 (2,147,483.647 seconds
or 24 days, 20 hours, 31 minutes, 23.647 seconds). Specifying an invalid number will raise the
error MSG_INVALID_QUEUE_DELAY.
ON_FAILURE = { CONTINUE | SHUTDOWN | FAIL_OPERATION }
Indicates whether the instance writing to the target should fail, continue, or stop SQL Server if the
target cannot write to the audit log. The default value is CONTINUE.
CONTINUE
SQL Server operations continue. Audit records are not retained. The audit continues to attempt to
log events and will resume if the failure condition is resolved. Selecting the continue option can
allow unaudited activity which could violate your security policies. Use this option, when
continuing operation of the Database Engine is more important than maintaining a complete
audit.
SHUTDOWN
Forces a server shut down when the server instance writing to the target cannot write data to the
audit target. The login issuing this must have the SHUTDOWN permission. If the logon does not
have this permission, this function will fail and an error message will be raised. No audited events
occur. Use the option when an audit failure could compromise the security or integrity of the
system.
FAIL_OPERATION
Database actions fail if they cause audited events. Actions which do not cause audited events can
continue, but no audited events can occur. The audit continues to attempt to log events and will
resume if the failure condition is resolved. Use this option when maintaining a complete audit is
more important than full access to the Database Engine.
AUDIT_GUID =uniqueidentifier
To support scenarios such as database mirroring, an audit needs a specific GUID that matches the
GUID found in the mirrored database. The GUID cannot be modified after the audit has been
created.
predicate_expression
Specifies the predicate expression used to determine if an event should be processed or not.
Predicate expressions are limited to 3000 characters, which limits string arguments.
event_field_name
Is the name of the event field that identifies the predicate source. Audit fields are described in
sys.fn_get_audit_file (Transact-SQL). All fields can be audited except file_name and
audit_file_offset.
number
Is any numeric type including decimal. Limitations are the lack of available physical memory or a
number that is too large to be represented as a 64-bit integer.
' string '
Either an ANSI or Unicode string as required by the predicate compare. No implicit string type
conversion is performed for the predicate compare functions. Passing the wrong type results in an
error.
Examples
B. Creating a server audit with a Windows Application log target with options
The following example creates a server audit called HIPAA_Audit with the target set for the Windows
Application log. The queue is written every second and shuts down the SQL Server engine on failure.
CREATE SERVER AUDIT HIPAA_Audit
TO APPLICATION_LOG
WITH ( QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
Arguments
TO { FILE | APPLICATION_LOG | SECURITY_LOG }
Determines the location of the audit target. The options are a binary file, the Windows application log, or
the Windows security log.
FILEPATH = 'os_file_path'
The path of the audit trail. The file name is generated based on the audit name and audit GUID.
MAXSIZE =max_size
Specifies the maximum size to which the audit file can grow. The max_size value must be an integer
followed by MB, GB, TB, or UNLIMITED. The minimum size that you can specify for max_size is 2 MB
and the maximum is 2,147,483,647 TB. When UNLIMITED is specified the file grows until the disk is
full. Specifying a value lower than 2 MB will raise the error MSG_MAXSIZE_TOO_SMALL. The default
value is UNLIMITED.
MAX_ROLLOVER_FILES =integer | UNLIMITED
Specifies the maximum number of files to retain in the file system. When the setting of
MAX_ROLLOVER_FILES=0 there is no limit imposed on the number of rollover files that will be
created. The default value is 0. The maximum number of files that can be specified is 2,147,483,647.
MAX_FILES =integer
Specifies the maximum number of audit files that can be created. Does not rollover to the first file when the
limit is reached. When the MAX_FILES limit is reached, any action that causes additional audit events to
be generated will fail with an error.
RESERVE_DISK_SPACE = { ON | OFF }
This option pre-allocates the file on the disk to the MAXSIZE value. Only applies if MAXSIZE is not
equal to UNLIMITED. The default value is OFF.
QUEUE_DELAY =integer
Determines the time in milliseconds that can elapse before audit actions are forced to be processed. A value
of 0 indicates synchronous delivery. The minimum settable queue delay value is 1000 (1 second), which is
the default. The maximum is 2,147,483,647 (2,147,483.647 seconds or 24 days, 20 hours, 31 minutes,
23.647 seconds). Specifying an invalid number will raise the error MSG_INVALID_QUEUE_DELAY.
ON_FAILURE = { CONTINUE | SHUTDOWN | FAIL_OPERATION}
Indicates whether the instance writing to the target should fail, continue, or stop if SQL Server cannot write
to the audit log.
CONTINUE
SQL Server operations continue. Audit records are not retained. The audit continues to attempt to log
events and will resume if the failure condition is resolved. Selecting the continue option can allow
unaudited activity which could violate your security policies. Use this option, when continuing operation of
the Database Engine is more important than maintaining a complete audit.
SHUTDOWN
Forces a server shut down when the server instance writing to the target cannot write data to the audit
target. The login issuing this must have the SHUTDOWN permission. If the logon does not have this
permission, this function will fail and an error message will be raised. No audited events occur. Use the
option when an audit failure could compromise the security or integrity of the system.
FAIL_OPERATION
Database actions fail if they cause audited events. Actions which do not cause audited events can continue,
but no audited events can occur. The audit continues to attempt to log events and will resume if the failure
condition is resolved. Use this option when maintaining a complete audit is more important than full access
to the Database Engine.
STATE = { ON | OFF }
Enables or disables the audit from collecting records. Changing the state of a running audit (from ON to
OFF) creates an audit entry that the audit was stopped, the principal that stopped the audit, and the time the
audit was stopped.
MODIFY NAME = new_audit_name
Changes the name of the audit. Cannot be used with any other option.
predicate_expression
Specifies the predicate expression used to determine if an event should be processed or not. Predicate
expressions are limited to 3000 characters, which limits string arguments.
event_field_name
Is the name of the event field that identifies the predicate source. Audit fields are described in
sys.fn_get_audit_file (Transact-SQL). All fields can be audited except file_name and audit_file_offset.
number
Is any numeric type including decimal. Limitations are the lack of available physical memory or a number
that is too large to be represented as a 64-bit integer.
' string '
Either an ANSI or Unicode string as required by the predicate compare. No implicit string type conversion
is performed for the predicate compare functions. Passing the wrong type results in an error.
3. Audit Resilience
Audit Resilience provides the ability to customize SQL Server's response, and to minimize the loss of audit data, when writing the audit log fails for any of various reasons such as disk write errors, network errors, ...
Two options support this feature and are configured when an Audit is created:
- On Audit Log Failure: three choices determine how SQL Server reacts when it cannot write the audit log: Continue, Shutdown Server, or Fail operation. This is an important addition, because the previous version offered only a single choice: whether or not to shut down the server.
- Maximum Rollover Files: previously there were only two choices for the number of files used to store the audit log: an unlimited number, or a limited number. In the limited case, when the number of log files reaches the maximum, the oldest file is deleted automatically so that a newer one can be written (roll-over). SQL Server 2012 adds one more option (MAX_FILES) that keeps a fixed number of log files without losing audit information to roll-over.
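As an added example (not from the original article), the two audits below put the opposite ends of these settings side by side, followed by the status query an operator should run to notice an audit that has silently stopped. The audit names and the path C:\SQLAudit\ are made up.

```sql
-- Added example (not from the original article). Audit names and path are made up.
USE master;
GO
-- Availability first: if the disk fills or the path disappears, users keep working, the
-- events are dropped, and old files are deleted to make room for new ones (roll-over).
CREATE SERVER AUDIT Audit_AvailabilityFirst
    TO FILE (FILEPATH = 'C:\SQLAudit\', MAXSIZE = 50 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

-- Completeness first: a fixed number of files and no roll-over. Once 100 files exist, or a
-- write fails, every statement that would produce an audited event fails with an error while
-- unaudited work continues. RESERVE_DISK_SPACE pre-allocates MAXSIZE so a full disk is found
-- when the file is opened, not in the middle of writing records.
-- MAX_FILES and MAX_ROLLOVER_FILES cannot be combined in one audit.
CREATE SERVER AUDIT Audit_CompletenessFirst
    TO FILE (FILEPATH = 'C:\SQLAudit\', MAXSIZE = 50 MB, MAX_FILES = 100, RESERVE_DISK_SPACE = ON)
    WITH (QUEUE_DELAY = 0, ON_FAILURE = FAIL_OPERATION);  -- QUEUE_DELAY = 0: synchronous, nothing buffered to lose
GO
ALTER SERVER AUDIT Audit_AvailabilityFirst  WITH (STATE = ON);
ALTER SERVER AUDIT Audit_CompletenessFirst  WITH (STATE = ON);
GO

-- Operational check. With ON_FAILURE = CONTINUE an audit that has stopped writing is invisible
-- to users, so this has to be polled: status_desc other than STARTED means events are being lost.
SELECT a.name, a.on_failure_desc, s.status_desc, s.status_time, s.audit_file_path, s.audit_file_size
FROM sys.dm_server_audit_status AS s
JOIN sys.server_audits AS a ON a.audit_id = s.audit_id;
```

Which end to pick follows from the threat model: FAIL_OPERATION turns audit-log exhaustion into a denial of service that an attacker can trigger on purpose, while CONTINUE lets them act unaudited once the log is unavailable. Monitoring the status view and keeping the audit directory on a dedicated, quota-free volume reduces both risks.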
These are some of the improvements in SQL Server 2012 that give administrators a more flexible and useful way to audit their data.