Database Autonomy Service (DAS) provides the global security audit feature to automatically identify risks such as high-risk SQL statements, SQL injections, and new access sources. This topic describes how to view global security audit results.
Prerequisites
The database instance that you want to manage is connected to DAS and is in the Normal Access state.
The SQL Explorer and Audit feature is enabled for the database instance. For more information, see the Enable the SQL Explorer and Audit feature section of the "Overview" topic.
Supported databases and regions
The following table describes the databases and regions that support the global security audit feature.
Database | Region |
ApsaraDB RDS for MySQL High-availability Edition, Enterprise Edition, and Cluster Edition | China (Shanghai) |
PolarDB for MySQL Single Node Edition, X-Engine Edition, Cluster Edition, and Multi-master Cluster (Database/Table) Edition |
Storage duration
Audit data generated in real time by using the security audit feature can be stored for up to 30 days.
Limits
The security audit feature cannot identify all SQL injection attacks due to technical limits.
To prevent a large amount of audit data from being stored in a short period, DAS throttles the output of security audit results.
View global security audit results
If you have multiple database instances, you can view the security audit results of all databases in the Global Security Risk Trend section.
- Log on to the DAS console.
- In the left-side navigation pane, click Security Audit.
- Select a time range to view information in the Global Security Risk Trend and Security Risks sections on an hourly basis within the specified time range.
  Note: When you select a time range, the end time must be later than the start time, and the interval between the start time and the end time cannot exceed seven days. You can view the global security audit results for the last 14 days at most.
- Click a point in time in the trend chart to view the security risks of the hour after the time point.
Risk type | Description | Risk level |
High-risk Requests | DAS automatically identifies the following types of High-risk Requests based on preset rules: (1) DDL statements, such as those used to create a table, modify the schema of a table, modify an index, or rename a table; (2) statements used to update full tables, such as UPDATE and DELETE; (3) statements used to run large queries that meet one of the following conditions by default: the number of scanned rows is at least 1,000,000, the number of returned rows is at least 100,000, or the number of updated rows is at least 100,000. | DDL statements: low-risk. Statements used to update full tables: high-risk. Statements used to run large queries: medium-risk. |
SQL Injections | SQL injections refer to attacks during which malicious SQL statements are inserted into web forms, domain names, or page requests to trick servers into executing these SQL statements. This type of attack compromises database security. Note: DAS continuously monitors SQL injections in databases and identifies the access sources. | High-risk |
New Access Source | DAS automatically identifies new access sources by comparing them with access source records to determine whether the access requests are sent from unknown servers. Note: Access sources that did not access your database within the previous seven days are considered new access sources. After the security audit feature is enabled for a new database instance, no data from new access sources is provided for the first seven days. If the security audit feature has never been enabled for an existing database instance, no data from new access sources is provided for the first seven days after this feature is enabled. | Medium-risk |
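The following Python is an added example, not DAS code or DAS output: it applies the default thresholds, risk levels, and seven-day new-source window from the table above to constructed audit records, including the seven-day period after enablement in which no new access sources are reported. The record fields, the regex-based statement matching, and the reading of "full table" as UPDATE or DELETE without a WHERE clause are assumptions.

```python
import re
from datetime import datetime, timedelta

# Default thresholds and look-back window as stated in the table above.
LIMITS = {"scanned": 1_000_000, "returned": 100_000, "updated": 100_000}
LOOKBACK = timedelta(days=7)
# Assumption: simplified keyword matching, not a SQL parser.
DDL = re.compile(r"^\s*(CREATE|ALTER|DROP|RENAME)\b", re.I)
WRITE = re.compile(r"^\s*(UPDATE|DELETE)\b", re.I)
WHERE = re.compile(r"\bWHERE\b", re.I)

def classify(r):
    """Return the (risk, level) pairs that one audit record triggers."""
    hits = []
    if DDL.match(r["sql"]):
        hits.append(("DDL", "low"))
    # Assumption: "full table" means UPDATE/DELETE without a WHERE clause.
    if WRITE.match(r["sql"]) and not WHERE.search(r["sql"]):
        hits.append(("full-table update", "high"))
    if any(r[k] >= v for k, v in LIMITS.items()):
        hits.append(("large query", "medium"))
    return hits

def new_sources(records, enabled_at):
    """Return records from sources unseen in the previous seven days."""
    last_seen, flagged = {}, []
    for r in sorted(records, key=lambda r: r["ts"]):
        prev = last_seen.get(r["source"])
        # No baseline exists for the first seven days after enablement.
        warmed_up = r["ts"] - enabled_at >= LOOKBACK
        if warmed_up and (prev is None or r["ts"] - prev > LOOKBACK):
            flagged.append(r)
        last_seen[r["source"]] = r["ts"]
    return flagged

T0 = datetime(2024, 1, 1)  # constructed: time auditing was enabled
def rec(day, source, sql, scanned=0, returned=0, updated=0):
    return {"ts": T0 + timedelta(days=day), "source": source, "sql": sql,
            "scanned": scanned, "returned": returned, "updated": updated}
SAMPLE = [  # constructed audit records, not real DAS output
    rec(3, "10.0.0.5", "SELECT id FROM orders WHERE id = 7", 1, 1),
    rec(2, "10.0.0.9", "DELETE FROM sessions", 250_000, 0, 250_000),
    rec(8, "10.0.0.5", "ALTER TABLE orders ADD INDEX idx_c (created)"),
    rec(9, "10.0.0.77", "SELECT * FROM orders", 2_000_000, 150_000),
    rec(12, "10.0.0.9", "UPDATE users SET active = 0 WHERE id = 3", 1, 0, 1),
]

if __name__ == "__main__":
    print([classify(r) for r in SAMPLE])
    print([r["source"] for r in new_sources(SAMPLE, T0)])
```

A single statement can trigger more than one rule: the unfiltered DELETE in the sample is both a full-table update and, at 250,000 updated rows, a large query.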
References
For more information about how to view the security audit results of a specific database instance, see Security audit for the SQL Explorer and Audit module.