All Products
Search

This Product

    Database Autonomy Service:Security audit

    Document Center

    Database Autonomy Service:Security audit

    Last Updated:Sep 27, 2023

    Database Autonomy Service (DAS) provides the security audit feature to automatically identify risks, such as high-risk SQL statements, SQL injections, and new access sources. This topic describes how to use the security audit feature.

    Prerequisites

    • The database instance that you want to manage is of one of the following types:

      • ApsaraDB RDS for MySQL Basic Edition, High-availability Edition, Enterprise Edition, and Cluster Edition

      • PolarDB for MySQL Single Node Edition, X-Engine Edition, Cluster Edition, and Multi-master Cluster (Database/Table) Edition

    • The database instance is connected to DAS and is in the Normal Access state.

    • The SQL Explorer and Audit feature is enabled for the database instance. For more information, see the "Enable the SQL Explorer and Audit feature" section of the Overview topic.

    Storage duration

    Audit data generated in real time by using the security audit feature can be stored for up to 30 days.

    Limits

    • The security audit feature cannot identify all SQL injection attacks due to technical limits.

    • To prevent a large amount of audit data from being stored in a short period, DAS throttles the output of security audit results.

    Procedure

    1. Log on to the DAS console.

    2. In the left-side navigation pane, click Instance Monitoring.

    3. On the page that appears, find the database instance that you want to manage and click the instance ID. The instance details page appears.

    4. In the left-side navigation pane, choose Request Analysis > SQL Explorer and Audit. On the page that appears, click the Security Audit tab.

    5. Specify a time range for security audit and click Search. The security audit results on an hourly basis within the specified time range are displayed.

      When you select a time range, make sure that the end time is later than the start time and that the interval between the start time and the end time does not exceed 30 days. The queried time range must fall within the data storage duration of SQL Explorer for a database instance and be later than the date when DAS Professional Edition is enabled for the database instance.

      Click a point in time in the trend chart to view the security audit details of the hour after the point in time.

      Important

      When you analyze data that is generated by the new version of SQL Explorer and Audit, DAS creates a task for computing and analysis if one of the following conditions is met. You can view the task progress and historical tasks on the Task list tab.

      • The time range during which you want to query data exceeds one day.

      • The data that you want to query is stored in cold storage. In the new version of SQL Explorer and Audit, the data that has been stored for more than seven days is transferred to cold storage.

      Item

      Description

      Risk level

      High-risk Operation

      DAS automatically identifies the following types of High-risk Operation based on preset rules:

      • DDL statements, such as those used to create a table, modify the schema of a table, modify an index, or rename a table

      • Statements used to update or delete full tables

      • Statements used to run large queries that meet one of the following default conditions:

        • The number of scanned rows is equal to or greater than 1,000,000.

        • The number of returned rows is equal to or greater than 100,000.

        • The number of updated rows is equal to or greater than 100,000.

      • DDL statements: low risk

      • Statements used to update full tables: high risk

      • Statements used to run large queries: medium risk

      SQL Injection

      SQL injections refer to attacks during which malicious SQL statements are inserted into web forms, domain names, or page requests to trick servers into executing these SQL statements. This type of attack compromises database security.

      Note

      DAS continuously monitors SQL injections in databases and identifies the access sources.

      High risk

      Add access

      DAS automatically identifies new access sources by comparing them with access source records to determine whether the access requests are sent from unknown servers.

      Note

      Access sources that did not access your database within the previous seven days are considered new access sources.

      • After the security audit feature is enabled for a new database instance, no data of new access sources is provided for the first seven days.

      • If the security audit feature has never been enabled for an existing database instance, no data of new access sources is provided for the first seven days after this feature is enabled.

      Medium risk