My client has been using Microsoft Access 2010 for quite a while and they received some Security Audit Requirements. They are using a Linked Tables approach connecting to Microsoft SQL Server 2012 Express.
The requirements state that all actions against the data must be logged. (INSERT, UPDATE, DELETE AND SELECT statements)
For the INSERT, UPDATE, DELETE statements I could create a trigger which would log the changes.
The issue is around the audit of SELECT statements. If the data was read-only, I could have used a Stored Procedure which would have logged the query. But executing a Stored Proc makes a Recordset not updatable.
Does anyone have an idea how to approach this challenge?
I'm open to a lot of strategies... (Connecting Access to SQL through a web service, anything...)
It's important to note that my client does not have $30k to spend on an Enterprise edition of SQL Server as they are a small business with less than 10 employees.
SELECT statements are part of the database-level audit action groups in SQL Server. (Search that page for "database-level audit actions".) But that level of auditing requires SQL Server Enterprise edition.
Theoretically, you can limit all access to use only stored procedures regardless of whether the data is read-only. Write the stored procedure to write auditing information to the log first, then do whatever else needs to be done--SELECT, INSERT, etc.
Practically, you might not be able to do that. It depends on the applications that hit your database. Limiting all access to use only stored procedures can break applications that expect other things. (How would a Ruby on Rails application respond if you switched to just stored procedures?)
A bulletproof audit system that makes your database unusable isn't very good; it's simpler and cheaper to just shut down the database server altogether.
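A sketch of the log-first stored procedure described in this answer, as an added example that is not part of the original thread. The table, procedure and role names (dbo.Customer, dbo.ReadAudit, dbo.Customer_GetById, AppUsers) are hypothetical.

```sql
-- Hypothetical objects for illustration: dbo.Customer, dbo.ReadAudit, AppUsers.
CREATE TABLE dbo.Customer (
    CustomerId int           NOT NULL PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Email      nvarchar(256) NULL
);
CREATE TABLE dbo.ReadAudit (
    ReadAuditId bigint IDENTITY(1,1) PRIMARY KEY,
    ReadAt      datetime2(3)  NOT NULL DEFAULT SYSUTCDATETIME(),
    LoginName   sysname       NOT NULL DEFAULT ORIGINAL_LOGIN(),
    AppName     nvarchar(128) NULL     DEFAULT APP_NAME(),   -- client-supplied
    HostName    nvarchar(128) NULL     DEFAULT HOST_NAME(),  -- client-supplied
    ObjectName  sysname       NOT NULL,
    KeyValue    int           NULL      -- which row was requested
);
CREATE ROLE AppUsers;
GO

CREATE PROCEDURE dbo.Customer_GetById
    @CustomerId int
AS
BEGIN
    SET NOCOUNT ON;
    SET XACT_ABORT ON;  -- a failed audit insert aborts the batch, so no unlogged read

    -- Write the audit row first, then return the data.
    INSERT INTO dbo.ReadAudit (ObjectName, KeyValue)
    VALUES (N'dbo.Customer', @CustomerId);

    SELECT CustomerId, Name, Email
    FROM dbo.Customer
    WHERE CustomerId = @CustomerId;
END;
GO

-- Close the direct path: members of AppUsers can only read through the procedure.
-- Ownership chaining (same owner, dbo) lets the procedure touch both tables
-- even though the caller has no permissions on them.
DENY SELECT ON dbo.Customer TO AppUsers;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.ReadAudit TO AppUsers;
GRANT EXECUTE ON dbo.Customer_GetById TO AppUsers;
```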
You could upgrade to a SQL Server edition that supports SQL Server profiler.
The other option is to get other tools to audit like sql audit for example.
You could turn on JET showplan. This would log all queries used by Access.
http://www.techrepublic.com/article/use-microsoft-jets-showplan-to-write-more-efficient-queries/?siu-container
As I pointed out in comments, you are really fooling the audit requirements UNLESS each form is opened using a where clause that limits the viewing of data in that form to the ONE record. If you don’t do this, then a form opened to a linked table could have 1000’s of records, and user(s) hitting ctrl-f to find and jump to one record means the SELECT statement tells you ZERO about what the user actually looked at. So while you can turn on show plan, the audit concept would not tell you anything about what the user actually looked at unless application design changes are made to restrict forms to one record. And to be fair, 99% of my applications in fact do open and restrict the main editing form to the one record via a where clause.
So while you can, technology-wise, log all SELECT commands as per above, it is not really in the spirit of such a log, since such a log would not be of any use to determine what actual records the user looked at.
Related
Is there a way I can audit every table's changes without writing triggers for every table?
I have nearly 500 tables, and writing triggers for each of them is a very hectic task and managing them is a nightmare.
Furthermore, most of the tables are normalized, which makes the things that I need to track more complicated.
However, every insert, update, delete and select task is done through stored procedures.
One of the solutions is auditing through those procedures. However, I am looking for an effortless solution for auditing, something like server-level triggers on every stored procedure that track every table being used in the procedure.
If you are on Enterprise Edition and @@version >= 2008 you can use database audit.
Here you can find an example of setting it up: SQL Server 2008 Auditing Feature
And here you find the official doc: Create a Server Audit and Database Audit Specification
Is there a way or a tool, that will provide an audit report of data that has been updated directly in SQL Server 2012?
We have applications that obviously add and update data, and these use special logins.
What concerns me, are database administrators who could potentially change a record directly without going through the application. Sometimes it is necessary, so I cannot remove their rights but I would like to obtain a report.
TIA
You can use the SQL Server Audit feature for this task. Using an audit and an audit specification, you can check what query has been run by which user at what time, as well as on which object. It's so convenient to find what actually has been added or modified on any objects. You sure can use CTC, but the creation of an audit is much easier than that of defining CTC or CDC. Check out this site for audit details:
https://msdn.microsoft.com/en-us/library/cc280386.aspx
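An audit and audit specification for the report asked about here, as an added example that is not part of the original answer. The audit names, file path, database name (SalesDb) and application logins (app_web, app_batch) are hypothetical, and the database audit specification needs an edition that supports database-level auditing.

```sql
-- Hypothetical names: DirectChangeAudit, D:\SqlAudit\, SalesDb, app_web, app_batch.
USE master;
GO
CREATE SERVER AUDIT DirectChangeAudit
TO FILE (FILEPATH = N'D:\SqlAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- Also record changes to the audit configuration itself, so that switching
-- the audit off or altering it leaves a trace.
CREATE SERVER AUDIT SPECIFICATION DirectChangeAuditGuard
FOR SERVER AUDIT DirectChangeAudit
ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT DirectChangeAudit WITH (STATE = ON);
GO

USE SalesDb;
GO
-- Record every data modification in the database, whoever makes it.
CREATE DATABASE AUDIT SPECIFICATION DirectChangeSpec
FOR SERVER AUDIT DirectChangeAudit
ADD (INSERT, UPDATE, DELETE ON DATABASE::SalesDb BY public)
WITH (STATE = ON);
GO

-- Report: modifications made under any login other than the application logins.
SELECT a.event_time,              -- stored in UTC
       a.server_principal_name,
       a.action_id,               -- IN = insert, UP = update, DL = delete
       a.schema_name,
       a.object_name,
       a.statement
FROM sys.fn_get_audit_file(N'D:\SqlAudit\DirectChangeAudit*.sqlaudit',
                           DEFAULT, DEFAULT) AS a
WHERE a.database_name = N'SalesDb'
  AND a.action_id IN ('IN', 'UP', 'DL')
  AND a.server_principal_name NOT IN (N'app_web', N'app_batch')
ORDER BY a.event_time;
```

Writing the audit files to a location the database administrators cannot modify keeps the report independent of the people it covers.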
Background
I have a production SQL Server 2005 server to which 4 different applications connect and make changes.
There are no foreign keys and in some cases no primary keys.
Unfortunately throwing the whole thing out and starting from scratch is not an option.
So my solution is to start migrating each of the applications to a service layer approach so that there is only one application directly connecting to the database.
However there are problems that need to be fixed before that service layer is written and all the applications are migrated over.
So rather than make changes and hope they don't break any one of the 4 badly written applications (with no way of quickly testing all functionality) my solution is to start auditing the database.
Problem
How do I audit what stored procedures, tables, columns, views are being accessed/updated/called by each user on SQL Server 2005?
I can find out which tables are being updated but I have no idea which columns and by what users.
I also don't know if certain tables are being accessed only through stored procedures/views.
I know that SQL Server 2008 has better auditing features but if I could do this without spending money that would be great. That said if the best solution is to upgrade or buy software that's also an option.
Check out SQL Server 2008's CDC feature. You can't use this directly in 2005 but you can write a trigger for each table to log all data changes to a new audit table. i.e. you'd have an audit table for each table in your db, with all the same columns plus some additional columns saying what the operation was and when it occurred.
If the nature of your applications means you can get user information and/or application information from CURRENT_USER and APP_NAME() you could include that information in the audit table too.
And check out this answer for more goodness.
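The per-table audit trigger described in this answer, as an added example that is not part of the original thread. It uses only SQL Server 2005 syntax; dbo.Orders and its columns are hypothetical, and the trigger stores whole row images so it also works on tables without a primary key.

```sql
-- Hypothetical table; the audit table repeats its columns plus audit metadata.
CREATE TABLE dbo.Orders (
    OrderId    int   NOT NULL,
    CustomerId int   NOT NULL,
    Total      money NOT NULL
);
CREATE TABLE dbo.Orders_Audit (
    AuditId    int IDENTITY(1,1) NOT NULL PRIMARY KEY,
    Operation  char(1)       NOT NULL,  -- I = insert, D = delete, B/A = update before/after
    AuditedAt  datetime      NOT NULL DEFAULT GETDATE(),
    DbUser     sysname       NOT NULL DEFAULT CURRENT_USER,
    LoginName  sysname       NOT NULL DEFAULT SUSER_SNAME(),
    AppName    nvarchar(128) NULL     DEFAULT APP_NAME(),  -- client-supplied, can be spoofed
    OrderId    int   NULL,
    CustomerId int   NULL,
    Total      money NULL
);
GO
CREATE TRIGGER dbo.trg_Orders_Audit ON dbo.Orders
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @hasNew bit, @hasOld bit;
    SET @hasNew = CASE WHEN EXISTS (SELECT 1 FROM inserted) THEN 1 ELSE 0 END;
    SET @hasOld = CASE WHEN EXISTS (SELECT 1 FROM deleted)  THEN 1 ELSE 0 END;

    -- Rows as they were before the statement (DELETE, or the old side of an UPDATE).
    INSERT INTO dbo.Orders_Audit (Operation, OrderId, CustomerId, Total)
    SELECT CASE WHEN @hasNew = 1 THEN 'B' ELSE 'D' END,
           d.OrderId, d.CustomerId, d.Total
    FROM deleted AS d;

    -- Rows as they are after the statement (INSERT, or the new side of an UPDATE).
    INSERT INTO dbo.Orders_Audit (Operation, OrderId, CustomerId, Total)
    SELECT CASE WHEN @hasOld = 1 THEN 'A' ELSE 'I' END,
           i.OrderId, i.CustomerId, i.Total
    FROM inserted AS i;
END;
```

Comparing the B and A rows of one statement shows which columns changed, and AppName separates the four applications only as far as each sets a distinct application name in its connection string.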
I want to save any kind of log/tables with every query executed by my application.
I know I could do this by coding it (before I make any query, I insert a new row in a log table with the query and the user who is executing it).
I have read it can be done automatically but I'm not sure how can it work with WCF Services. I mean every query is going to be executed by the same SQL user and this wouldn't be very useful for audit operations (I need to know WHO made every query, and users will be validated against my own users tables).
Have you ever had a similar scenario? Thanks in advance!
As a starting point it may be worth looking into doing this via SQL Server Profiler. You can normally find this in the Tools Menu in Management Studio.
You can set up a trace to capture all SQL run on a server. More importantly you have a myriad of filter options which can be applied so that you only capture the data you are interested in (e.g. DatabaseName, UserName).
This information can be stored directly in a SQL Table, which should give you the ability to join onto. Of course running anything like this will result in some overhead on the SQL box.
You can try the SQL Server Audit feature. It audits single or groups of events both on server and database level. However, be advised that the database level auditing is available in SQL Server Enterprise and Developer editions only.
The inspiration for this question is a stored proc broke on me because it called another stored proc that inserted data in a table whose schema was completely altered.
The question is: you have a table in a SQL Server database, and you don't know how it got there. You don't have any DDL triggers in place for custom audit information, and there is no record in your source control repository of the table's DDL. Using only SQL Server, what forensic data can you obtain about the table?
Myself, and whoever stumbles across this question in a similar situation, is not going to be helped by suggestions regarding version control and DDL triggers. Those are great go-forward solutions, and there is plenty of info on this blog about those topics, if corporate politics allows us to implement those solutions. What I, and people in my situation, really need is to be able to gather as many fragments of data as possible from SQL server, to combine with whatever other data we can come up with.
Unfortunately, you have no way to reconstruct what happened, except:
if the DBAs have traces running and the history. SQL Server 2005 has a default trace and there is the "blackbox" trace, but these are used to find out what happened right before a crash
if you have FULL recovery model, then you can try a log viewer tool (free Red Gate one)
depending on activity and your security model, you could also check the Windows Security Log to see who logged in with DDL privileges
the SQL event logs may also have information. For example, if you have enabled the trace flag that logs "permission" errors, then you can see when it started. Or the person who made the change may have generated other exceptions that are logged
you could ask those with rights. It could be a genuine mistake (eg thought they were in dev)
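A query over the default trace mentioned in this answer, as an added example that is not part of the original thread. It lists who created, altered or dropped the table, but only as far back as the trace's surviving rollover files reach; the table name is the one used elsewhere in this thread.

```sql
-- Reads the default trace for DDL events on one table.
DECLARE @current nvarchar(260), @first nvarchar(260);

SELECT @current = path FROM sys.traces WHERE is_default = 1;
IF @current IS NULL
BEGIN
    RAISERROR('The default trace is disabled on this instance.', 16, 1);
    RETURN;
END;

-- Point at log.trc in the same folder so that every surviving rollover
-- file is read, not only the file currently being written.
SET @first = LEFT(@current, LEN(@current) - CHARINDEX(N'\', REVERSE(@current)))
             + N'\log.trc';

SELECT t.StartTime,
       e.name AS EventName,
       t.LoginName,
       t.NTUserName,
       t.HostName,
       t.ApplicationName,
       t.DatabaseName,
       t.ObjectName
FROM sys.fn_trace_gettable(@first, DEFAULT) AS t
JOIN sys.trace_events AS e
  ON e.trace_event_id = t.EventClass
WHERE t.EventClass IN (46, 47, 164)   -- Object:Created, Object:Deleted, Object:Altered
  AND t.EventSubClass = 0             -- one row per operation (the Begin event)
  AND t.ObjectName = N'tbTableInQuestion'
ORDER BY t.StartTime;
```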
The following query got me the create and last modify time.
SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[tbTableInQuestion]') AND type in (N'U')
You should be able to find the creation of the table in the transaction log. I have never used any of the viewer tools here, and I couldn't tell you how to search back in time for this, but everything happens in a transaction, so it's gotta be logged -- even the system tables...