Database Autonomy Service (DAS) provides the security audit feature to automatically identify risks, such as high-risk SQL statements, SQL injection attacks, and new request sources. This topic describes how to perform security audit in the SQL Explorer and Audit module.
- The database instance that you want to manage is connected to DAS and is in the Accessed state.
- DAS Professional Edition is enabled for the database instance. For more information, see Purchase DAS Professional Edition.
- The security audit feature is available for the following types of databases:
- ApsaraDB RDS for MySQL High-availability Edition and Enterprise Edition
- PolarDB for MySQL Single Node Edition, Archive Database Edition, and Cluster Edition
- The security audit feature is available in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hohhot), China (Chengdu), China (Guangzhou), China (Heyuan), China (Ulanqab), China (Hong Kong), Singapore (Singapore), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).
Audit data generated in real time by using the security audit feature can be stored for up to 30 days.
- Log on to the DAS console.
- In the left-side navigation pane, click Instance Monitoring.
- On the page that appears, click the ID of the database instance that you want to manage. The instance details page appears.
- In the left-side navigation pane, choose Request Analysis > SQL Explorer and Audit. On the page that appears, click the Security Audit tab.
- Specify a time range for the security audit and click View. The security audit results during a specific hour are displayed.
Click a point in time in the trend chart to view the security audit details of the hour after the time point.
Parameter Description High-risk Operation DAS automatically identifies the following three types of high-risk SQL statements based on preset rules:
- DDL statements used to create a table, modify the schema of a table, modify an index, rename a table, and perform other operations
- Statements used to update and delete full tables
- Statements used to run large queries that meet one of the following conditions by
- The number of scanned rows is at least 1,000,000.
- The number of returned rows is at least 100,000.
- The number of updated rows is at least 100,000.
SQL Injection SQL injections refer to attacks in which malicious SQL statements are inserted into web forms, domain names, or page requests to trick servers into executing the SQL statements. This type of attack compromises database security.Note DAS continuously monitors for SQL injections in databases and identifies the access sources. New Access Source DAS automatically identifies new access sources by comparing them with the access source records to determine whether the access requests originate from unknown servers.Note
- Audit results of new access sources are displayed with a delay of up to 10 minutes.
- Access sources that have not accessed your database within the last seven days are
considered new access sources.
- After security audit is enabled for a new database instance, no data of new access sources is provided for the first seven days.
- If security audit has never been enabled for an existing database instance, no data of new access sources is provided for the first seven days after this feature is enabled.