1. Creating a Database Audit Specification
A Database Audit Specification is a member of the Server Audit and collects specific information about the database-level events on which the Server Audit reports. The CREATE DATABASE AUDIT SPECIFICATION method is executed in SSMS to create a Database Audit Specification. The following is an example of the syntax of this method:
CREATE DATABASE AUDIT SPECIFICATION [Specification Name]
FOR SERVER AUDIT [Server Audit]
ADD ([Action] ON [Securable] BY [Principal])
WITH (STATE = {ON|OFF})
The arguments to this method are:
Specification Name – the textual reference to the Database Audit Specification.
Server Audit – the textual reference to the Server Audit of which the Database Audit Specification is a member.
Action – the action or comma-delimited list of actions to be monitored.
Securable – the database object that is to be monitored.
Principal – the Database User, Database Role, or Application Role that is being monitored.
With State – defines whether the Database Audit Specification is active (ON) or inactive (OFF).
In the HomeLending database, we will create a Database Audit Specification with the name of Customer_Information_Spec and capture any SELECT, INSERT, UPDATE and DELETE events that are performed by the public database role, as shown in Listing 1.
All database users are members of the public
database role; therefore we will know when any user executes any of
these methods on our decoy table.
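The specification described above, written out as an added example (it is not the original Listing 1), followed by two catalog queries that confirm it is active. The Server Audit name Decoy_Table_Audit is a hypothetical placeholder, since the Server Audit's name is not given here; the table and schema names are taken from the captured log values in Table 1.

```sql
-- Added example, not the original listing.
-- Assumption: a Server Audit named Decoy_Table_Audit (hypothetical name)
-- already exists on the instance and targets the Windows Application Log.
USE HomeLending;
GO

CREATE DATABASE AUDIT SPECIFICATION Customer_Information_Spec
FOR SERVER AUDIT Decoy_Table_Audit           -- hypothetical audit name
ADD (SELECT, INSERT, UPDATE, DELETE
     ON OBJECT::dbo.Customer_Information     -- the decoy table
     BY public)                              -- every database user is a member
WITH (STATE = ON);
GO

-- Check 1: the specification is enabled AND its parent Server Audit is enabled.
-- A specification that is ON under a Server Audit that is OFF records nothing.
SELECT das.name             AS specification_name,
       das.is_state_enabled AS specification_enabled,
       sa.name              AS server_audit_name,
       sa.is_state_enabled  AS server_audit_enabled,
       sa.type_desc         AS audit_target
FROM sys.database_audit_specifications AS das
LEFT JOIN sys.server_audits AS sa
       ON sa.audit_guid = das.audit_guid
WHERE das.name = N'Customer_Information_Spec';

-- Check 2: list every action, object and principal the specification covers.
-- Expect four rows (SELECT, INSERT, UPDATE, DELETE) for public on the decoy table.
SELECT d.audit_action_name,
       OBJECT_SCHEMA_NAME(d.major_id) AS schema_name,
       OBJECT_NAME(d.major_id)        AS object_name,
       dp.name                        AS audited_principal
FROM sys.database_audit_specification_details AS d
JOIN sys.database_audit_specifications AS das
     ON das.database_specification_id = d.database_specification_id
JOIN sys.database_principals AS dp
     ON dp.principal_id = d.audited_principal_id
WHERE das.name = N'Customer_Information_Spec'
ORDER BY d.audit_action_name;
```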
2. Reviewing the Windows Application Log
Executing a simple SELECT statement against our decoy table in the HomeLending database initiates the Server Audit. Many pieces of information are captured in the Windows Application Log, but the most critical in identifying the event that occurred are shown in Table 1.
Table 1. Critical auditing information captured in the Windows Application Log.
Log Item | Captured Value | Description |
---|---|---|
Source: | MSSQL$SQLINSTANCEA | The Instance Name |
Date: | 5/28/2009 6:16:30 AM | The Time of the Event |
Keywords: | Classic, Audit Success | Indicates An Audit Event |
Computer: | SERVER1 | The Server Name |
Session_id: | 52 | The SPID |
Server_Principal_Name: | SERVER1\John | The SQL Server Login |
Database_Principal_Name: | dbo | The Database User |
Server_Instance_Name: | SERVER1\SQLINSTANCEA | The SQL Server Instance |
Database_Name: | HomeLending | The Database |
Schema_Name: | dbo | The Database Object Schema |
Object_Name: | Customer_Information | The Table Name |
Statement: | Select * from customer_information | The Statement That Was Executed. |
The Windows Application Log can be located by
navigating to the Windows Control Panel on the Start Menu and selecting
Administrative Tools followed by Event Viewer. Within the event log, to
the upper left, is an icon for the Windows Application Log.
It is useful to review the Windows
Application Log to identify any events that have occurred on the decoy
table, but it is a passive tool and depends upon the intentional review
of the logs at a given point in time. Unless the DBA is constantly
checking the logs, hours or days could pass before an event on the decoy
table is identified. Instead, the DBA will need to create an alert that
will notify the appropriate parties, through an e-mail or pager, when
an event occurs.