Invite for #tsql2sday #71 – SQL Server Audit

2015-09-01 - Audit, General, Security, T-SQL Tuesday

T-SQL Tuesday #71

It is time for the T-SQL Tuesday invite again. Well, the invite was due yesterday, and it wasn't my turn. I am not sure whose turn it was, but the invite did not go out, so I am jumping in today. So, sorry for being late to the game, but Adam just asked me 40 minutes ago to take over...

This month is the 71st month in the T-SQL Tuesday history. T-SQL Tuesday was introduced by Adam Machanic (B|T) almost six years ago in December 2009.

The Invite: Write About SQL Server Auditing

For this month, I would like to invite you to write about Auditing. Auditing is certainly a security-related topic, and as such it fits right in with the August topic (Encryption).

But don't write this up as yet another "boring" security topic. There are other use cases for auditing too. The built-in SQL Server Audit feature, for example, can be used to track down how many different applications are accessing a particular table.

The result of a SQL Server Audit

There are several approaches you can take with this topic. You could tell us a story:

  • Have you encountered a situation where auditing saved the day?
  • Were you able to stop an ongoing attack because auditing alerted you?
  • Have you encountered a situation, in which auditing would have been helpful, but was not set up?
  • Have you worked with the SQL Server Audit feature? What is particularly interesting to you about it?
  • Do you think that everybody should use some form of auditing? Let us know why.
  • Do you think auditing is a waste of resources? We would like to hear more.
  • Are you forced to be compliant? Under what regulation? HIPAA, PCI, CCC? How did auditing help to get you compliant?

If stories are not your thing, let us know how you use auditing. Or, write about how to use a fascinating piece of SQL Server Audit.

  • What are the advantages and disadvantages of SQL Server Audit over other possible audit implementations, like triggers, traces, Extended Events or external tools like log file readers?
  • How can you use SQL Server Audit to see if a particular table or procedure is still in use?
  • What is the difference between a Server Audit Specification and a Database Audit Specification and when should you use which?
  • SQL Server Audit is based on Extended Events. What does it offer that XEs do not provide?

Finally, you could go totally meta:

  • How do you audit the audit? How do you make sure that the audit does not just get disabled by an adversary?
  • How do you monitor your audit log to make sure you get alerted when something irregular is happening?

I hope I was able to spark your interest. I can't wait to see you (or at least your post) next week at the party.

The Rules

There are a few rules and regulations that you should follow while attending this party so that nobody feels left out or mistreated:

  1. Your post must go live between 00:00:00 GMT on Tuesday the 13th of October and 00:00:00 GMT on Wednesday the 14th.
  2. Your post has to link back to the hosting blog post (this one), and the link must be anchored from the T-SQL Tuesday LOGO (found above) which must also appear at the top of the post.
  3. Trackbacks should work. However, it is safer to tweet about your post and include my Twitter handle (@sqlity) and the #tsql2sday hashtag.
