SQLServerCentral Article

Basics of C2 Auditing

,

Audit your Servers

What ever the system that we are taking about, whether it is an ERP system or CRM tool or any database system auditing has become essential part of that system.. Auditing will allow you to:

  1. Detect the misuse and prevent it being happened again.
  2. Take legal actions against the people who are responsible for the misuse.
  3. Take recovery action from the point where something has gone wrong.

There are many ways in which you can setup an auditing trail and many places in which to get it up. However, we SQL Server guys (sorry, gals as well) have a somewhat easy way of doing this thanks to a new feature of Microsoft SQL Server 2000, which is called the C2 audit mode option.

What is C2

The US Department of Defense has established a set of ratings applicable to security levels of computer systems, based on their capabilities in regard to auditing and discretionary access control. Accordance with this ratings Microsoft SQL Server 2000 has C2 audit mode option. Every version of SQL Server 2000 is C2-certified (provided it is run on a C2-certified computer and network). Accordingly, SQL Server guarantees that its auditing procedures satisfy C2 requirements -- for example, storing generated data only on a NTFS partition.

C2 auditing records information goes beyond server-level events, such as shutdown or restart, successful and failed login attempts, extending it to successful and failed use of permissions when accessing individual database objects and executing all Data Definition, Data Access Control, and Data Manipulation Language statements.

The audit information contains the timestamp, identifier of the account that triggered the event, target server name, event type, its outcome (success or failure), name of the user's application and Server process ID of the user's connection and name of the database .

How it is done

I can't believe why there is no UI is given to enable this option. However, Microsoft might have fair reason for doing this. There are some serious implications if you enable this option.

Anyway it can be done via my favorite tool, SQL Query Analyzer. Before you enable (or disable) this option you must be a member of sysadmin group. Before attempting to set the 'c2 audit mode' configuration option, you must enable the 'show advanced options' configuration option. This is performed using the following command:

USE master
EXEC sp_configure 'show advanced option', '1'
RECONFIGURE

To enable the feature, set 'c2 audit mode' to 1 using the following command:

sp_configure 'c2 audit mode', 1
go

To disable the feature, set 'c2 audit mode' to 0 using the following command:

sp_configure 'c2 audit mode', 0
go

After setting the value, you must stop and restart the server for C2 audit mode to be take effect. Now whenever you perform an Insert, Select or anything other statement, it will log the event in the trace files. These files reside in the \mssql\data directory for default instances of SQL Server 2000, or the \mssql$instancename\data directory for named instances of SQL Server 2000 as AuditTrace_yyyymmddhhmmss.trc, where the second part of the name indicates date and time when the log file was created. For example, some file names on my system are audittrace_20041007153315.trc and audittrace_20041007163855.trc. The size of a log is limited to 200MB, but new traces files are generated whenever the old one is full. Also a new one is generated on the shutdown of SQL Server with another one on startup.

One thing to be aware of is that SQL Server will stop if it cannot write log entries, i.e. you log so much that you run out of disk space. In emergency situations, where no space can be immediately freed for new log files, you can restart SQL Server with the -f flag, which will disregard auditing settings.

How to View the Audit Records

There are two ways of displaying the auditing records. Easy method would be clicking on the trace file. It will open this in SQL Profiler.

The second method would be using T-SQL.

SELECT *
 FROM ::fn_trace_gettable(
   'C:\Program Files\Microsoft SQL Server\MSSQL\Data\audittrace_20041007153315.trc', default
)
GO

Limitations

The main limitation of the auditing is that it reduces the performance of the SQL Server. This happens due to saving the every action to the file. Second limitation is the hard disk space. These auditing files grow rapidly, which will reduce the disk space. According to the C2 , if it is not able to write to the trace file, SQL Server will be shutdown.

Conclusion

If you need your server to maintain a detailed audit trail, then the C2 audit option may be a good choice. However, you might have to consider few things before configuring it to be sure that you don't cause yourself some issues over time. Be sure that you read the documentation carefully before enabling this option.

References

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/dbsql/sqlc2.asp
http://www.microsoft.com/technet/prodtechnol/winntas/maintain/security/c2secgde.mspx

Rate

4.88 (8)

You rated this post out of 5. Change rating

Share

Categories

Join the discussion and add your comment

Share

Rate

4.88 (8)

You rated this post out of 5. Change rating

Related content

SQLServerCentral Article

Monitoring Blocks

SQL Server excels at quickly acquiring and releasing locks to allow as much concurrency as possible on the server. However there are times that one user will block another, which can be a source of great user frustration as well as making the system appear to be slow. Leo Peysakhovich brings us some great information and code on how you can monitor and deal with blocking on your SQL Server 2000 server.

5 (4)

You rated this post out of 5. Change rating

2005-02-10

16,892 reads

Technical Article

Trace-scrubbing Tools

Andrew Zanevsky shares his trace-scrubbing procedures that make it easy for you to handle large trace files and aggregate transactions by type–even when captured T-SQL code has variations.

SQL Server Profiler is a veritable treasure trove when it comes to helping DBAs optimize their T-SQL code. But, the surfeit of riches (I'm reminded of the Arabian Nights tale of Aladdin) can be overwhelming. I recently had one of those "sinking" feelings when I first tried to make sense of the enormous amount of data collected by traces on a client's servers. At this particular client, the online transactions processing system executes more than 4 million database transactions per hour. That means that even a 30-minute trace that captures "SQL Batch Completed" events results in a table with 2 million rows. Of course, it's simply impractical to process so many records without some automation, and even selecting the longest or most expensive transactions doesn't necessarily help in identifying bottlenecks. After all, short transactions can be the culprits of poor performance when executed thousands of times per minute.

2005-01-11

2,003 reads

SQLServerCentral Article

Monitoring Drive and Database Free Space

SQL Server will autogrow your databases as they run out of space. But the process doesn't manage space, nor does it check the free space on the drive. Allowing autogrow to grow unchecked and unmanaged will eventually use up all the free disk space and potentially crash your server. New author Mark Nash brings you his system for monitoring space usage and generating a report that eases this process.

4.4 (5)

You rated this post out of 5. Change rating

2017-02-02 (first published: )

44,859 reads