Database Autonomy Service (DAS) provides the security audit feature to automatically identify risks, such as high-risk SQL statements, SQL injection attacks, and new request sources. This topic describes how to perform a security audit in the SQL Explorer and Audit module.

Prerequisites

  • The database instance that you want to manage is connected to DAS and is in the Accessed state.
  • DAS Professional Edition is enabled for the database instance. For more information, see Purchase DAS Professional Edition.
  • The database instance that you want to manage is of one of the following types:
    • ApsaraDB RDS for MySQL High-availability Edition and Enterprise Edition
    • PolarDB for MySQL Single Node Edition, Archive Database Edition, and Cluster Edition
  • The database instance that you want to manage is located in one of the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hohhot), China (Chengdu), China (Guangzhou), China (Heyuan), China (Ulanqab), China (Hong Kong), Singapore (Singapore), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).

Storage duration

Audit data generated in real time by using the security audit feature can be stored for up to 30 days.

Procedure

  1. Log on to the DAS console.
  2. In the left-side navigation pane, click Instance Monitoring.
  3. On the page that appears, click the ID of the database instance that you want to manage. The instance details page appears.
  4. In the left-side navigation pane, choose Request Analysis > SQL Explorer and Audit. On the page that appears, click the Security Audit tab.
  5. Specify a time range for the security audit and click View. The security audit results during a specific hour are displayed.
    Note: When you select a time range, the end time must be later than the start time, and the interval between the start time and the end time cannot exceed 30 days. The queried time range must be within the data storage duration of SQL Explorer for a database instance and must be later than the date when DAS Professional Edition is enabled for the instance.

    Click a point in time in the trend chart to view the security audit details of the hour after the time point.

    Parameter Description
    High-risk Operation: DAS automatically identifies the following types of high-risk SQL statements based on preset rules:
    • DDL statements used to create a table, modify the schema of a table, modify an index, rename a table, and perform other operations
    • Statements used to update and delete full tables
    • Statements that are used to run large queries that meet one of the following conditions by default:
      • The number of scanned rows is at least 1,000,000.
      • The number of returned rows is at least 100,000.
      • The number of updated rows is at least 100,000.
    SQL Injections: SQL injections refer to attacks during which malicious SQL statements are inserted into web forms, domain names, or page requests to trick servers into executing these SQL statements. This type of attack compromises database security.
    Note: DAS continuously monitors for SQL injections in databases and identifies the access sources.
    New Access Source: DAS automatically identifies new access sources by comparing them with the access source records to determine whether the access requests are sent from unknown servers.
    Note:
    • Audit results of new access sources are displayed with a delay of up to 10 minutes.
    • Access sources that did not access your database within the previous seven days are determined to be new access sources.
      • After security audit is enabled for a new database instance, no data of new access sources is provided for the first seven days.
      • If the security audit feature has never been enabled for an existing database instance, no data of new access sources is provided for the first seven days after this feature is enabled.
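
The High-risk Operation and New Access Source rules described above can be checked offline against exported audit records. The following Python is an added example, not DAS code: the record fields (time, source, sql, scanned, returned, updated), the DDL keyword list, the WHERE-based full-table check, the handling of a source last seen exactly seven days earlier, and the sample records are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Default large-query thresholds and the lookback window, as stated on this page.
LIMITS = {"scanned": 1_000_000, "returned": 100_000, "updated": 100_000}
LOOKBACK = timedelta(days=7)

# Assumptions: this keyword list approximates "DDL", and a missing WHERE
# keyword stands in for "updates or deletes the full table".
DDL = re.compile(r"^\s*(CREATE|ALTER|DROP|RENAME)\b", re.I)
WRITE = re.compile(r"^\s*(UPDATE|DELETE)\b", re.I)
WHERE = re.compile(r"\bWHERE\b", re.I)

def high_risk_reasons(rec):
    """Return which High-risk Operation rules a record matches."""
    sql, reasons = rec["sql"], []
    if DDL.match(sql):
        reasons.append("ddl")
    if WRITE.match(sql) and not WHERE.search(sql):
        reasons.append("full_table_write")
    if any(rec.get(field, 0) >= limit for field, limit in LIMITS.items()):
        reasons.append("large_query")
    return reasons

def new_sources(records, audit_enabled_at):
    """Return (time, source) pairs for sources unseen in the previous 7 days."""
    last_seen, found = {}, []
    for rec in sorted(records, key=lambda r: r["time"]):
        t, src = rec["time"], rec["source"]
        prev = last_seen.get(src)
        # No results are produced during the first seven days after enabling.
        warmed_up = t - audit_enabled_at >= LOOKBACK
        if warmed_up and (prev is None or t - prev > LOOKBACK):
            found.append((t, src))
        last_seen[src] = t
    return found

T0 = datetime(2024, 1, 1)  # constructed: when security audit was enabled
SAMPLE = [  # constructed audit records, not real DAS output
    {"time": T0 + timedelta(days=2), "source": "10.0.0.5",
     "sql": "SELECT * FROM orders", "scanned": 2_500_000, "returned": 40},
    {"time": T0 + timedelta(days=8), "source": "10.0.0.5",
     "sql": "DELETE FROM sessions"},
    {"time": T0 + timedelta(days=8, hours=1), "source": "10.0.0.9",
     "sql": "ALTER TABLE users ADD COLUMN note TEXT"},
    {"time": T0 + timedelta(days=9), "source": "10.0.0.9",
     "sql": "UPDATE users SET note = 'x' WHERE id = 7", "updated": 1},
]
if __name__ == "__main__":
    print([high_risk_reasons(r) for r in SAMPLE], new_sources(SAMPLE, T0))
```

In the sample, 10.0.0.5 is not reported as new on day 8 because it was already seen on day 2, while its first appearance on day 2 is suppressed by the seven-day warm-up.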