1. Background
Database is the data core of enterprise business, and its security has become an important source of leakage and tampering in the traditional environment. Therefore, it is very important to audit the operation behavior of database, especially the audit log of full SQL execution record.
SLS cooperates with RDS to launch RDS SQL audit function, which delivers RDS SQL audit logs to SLS in real time; SLS provides real-time query, visual analysis, alarm and other functions.
RDS SQL audit log records all the operations performed on the database. The information is obtained through the analysis of network protocol by the system, which has very low CPU consumption on the system and does not affect the efficiency of SQL execution. RDS SQL audit log includes but is not limited to the following operations:
- Log in and log out of the database.
- DDL (data definition language) operation: SQL statements defined for database structure, including create, alter drop, truncate, comment, etc.
- DML (data manipulation language) operation: SQL operation statements, including select, insert, update, delete, etc.
- Other SQL execution operations, including any other control executed through SQL, such as rollback, control, etc.
- SQL execution delay, execution result, number of rows affected, etc.
In addition, SLS also monitors the operation compliance of RDS to detect the abnormal configuration of RDS and ensure the database security.
2. RDS audit log collection
At present, there are two ways to collect SLS from RDS SQL audit logs:
- Cloud product collection channel
- Advantages: It is simple to configure in the scene of a small number of instances collected in the same region.
- Disadvantages: Does not support cross region, cross account; does not support instance dynamic discovery. If you need to cross region and account, you need to build your own data processing task.
- Log Audit Collection channel
- Advantage:
- Support cross account, cross regional centralized collection.
- Support instance discovery, one click to start automatic collection, and support to control collection range through collection strategy.
- Disadvantages:
- AK authorization or manual authorization is required to open the log audit app.
- The SQL explorer function of the collection instance will be automatically turned on, and automatic shutdown is not supported. If you want to turn off SQL explorer, you need to first turn off the audit log collection function, or set the instance not to collect through the collection policy, and then turn off SQL explorer one by one on the RDS console.
2.1 Cloud product collection channel
Single account collection in the same region (RDS audit logs can be only collected in the same region)
In the "Import Data" area on the home page of SLS console, select "RDS SQL Audit". The following is an example of ap-southeast-1.
Because the collected instance is located in ap-southeast-1, you need to create a new project or select the existing project and logstore in ap-southeast-1.
Note: RDS audit logs can be only collected in the same region.
"Specify Data Source" page: You can view all RDS instance information in ap-southeast-1. By default, the "Import Status" is turned off. After completing the ram authorization, you can open the "Import Status" button to open the log delivery according to the log collection requirements.
RDSSQLAudit
SpecifyLogstore
ConfigureQuery
End
SpecifyData
Source
andAnalysis
RAM
1octpadepthplYom
Youhavegrantedlogservicetodispatchydctog
而)uh
响心m.bymaaomo
Documentation
Database
lmport
lnstanceName
Region
lmportTo
Status
Type
ap-
CurrentLogstore
mysql
southeast-1
Next
Previous
Now the collection of SQL audit logs is completed. You can go to the logstore configured above to view the RDS audit logs.
rds_log
rds_log
lndexAttributes
DataTransformation
SaveasAlert
SaveSearch
Search&Analyze
1DayRelative)
03-12
03-13
03-13
03-13
03-13
03-13
LogEntries:36SearchStatuerultsaeccurate
LogReduce
Graph
RawLogs
20
QuickAnalysis
Table
RawData
NewLine
ltemsperpage:
Time
Searchbyfield
Mar13,18:19:49
Logservice
rds-audit_log
checkrows:0
topic
client_ip;
checkrows
db:nuti
fail:1159
client_ip
instanceid
Latency:18963392
origin_tim1615630789289508
fail
return_rows:0
instance_id
sql:Logout!
threadid:811742
update.rows:0
isbind
品
user:root
Cross region and cross account collection
Because the collection channel of cloud products has the limitation that RDS audit logs can only be collected to the logstore in the same region, in order to break this limitation and realize cross account and cross region collection, it is necessary to build data processing tasks of cross domain or cross account.
Because the self built data processing task needs more complex authorization, it will not be described in detail here. If necessary, please refer to:
It can be seen that the cloud product collection channel only has the advantage of convenient collection in the simple collection scenario. But when dealing with cross region and cross account collection, not only the data synchronization link is long, but also a relatively complex authorization process is required; moreover, when the instance changes (or the new instances are created), the synchronization link needs to be manually maintained, and the maintenance cost is very high. The audit channel can solve the pain of cross region, cross account collection and high maintenance cost of instance change.
2.2 Log Audit collection channel
Authorization And Config
It is recommended to use Alibaba cloud ram for user operation. Create an aliyun ram user, give the ram user "aliyunramfullaccess" and "aliyunlogfullaccess" permissions, and create an AK.
Log in to the ram user and select "Log Audit Service" on SLS console.
You should configure authorization for log collection for the first time. Enter the AK created in the first step, and select the central project region to store the audit logs.
If the following page appears, the authorization has been completed. After that, you can open the corresponding cloud product logs according to the needs of collecting logs. For example, you need to collect RDS SQL audit logs here.
LogAuditService
GlobalConfi...x
ActionTrail
AccesstoCloudProducts
GlobalConfigurations
日OK
xCancel
GlobaIConfigurations
StatusDashboard
RegionoftheCentralProject:
Singapore
OverallDashboard
Region]
CentralProject:slsaudit-cente
RegionalProject:slsaudit-region
ap-southeast-1
Multi-AccountConfigurations
Collectionand
ThecurrentaccounthasauthorzedLogseviceocolectandchnizeog
GlObalConfigurations
Synchronization
Authorization;
Documentation
SynchronizationtoCentralProjec
UsageandBilling
CollectionPolicy
CloudProducts
Audit-RelatedLogs
StorageType
Days
Central
OperationsLog
ActionTrail
Roglonal
AccessLog
oss
Days
180
Days
Days
180
MeteringLog
Central
Collection
Days
Detault
SQLAuditLog
RDS
Central
Policy
Collection
180
Disabled
Central
Days
SlowQueryLog
Policy
Collection
Regional
Disabled
Days
SOLAuditLog
180
PolarDB-x
Days
Policy
Collection
Regional
180
Disabled
Days
Days
SLB
Lay-7AccessLog
Policy
If you have a requirement for cross account collection, you can configure multiple accounts for log collection.
Configure SQL audit collection
This chapter focuses on how to open RDS SQL audit log and manage the log collection scope through collection policy. The first step to start SQL audit log is configuring the collection policy. See the collection policy document for a complete syntax description. Here are some common policies.
- Collect the instance log of a specific region. For example, only ap-southeast-1 and ap-southeast-1 are collected.
- Instances of specific tags are not collected. For example, the instances with "type" tag which value is "test" are not collected.
ConfigureCollectionPolicy(RDSSQLAuditLog)
心地心地地地地
AdyancedEDitMode:
Close
DefaultCollectionPolicy
Retain
ModifyPolicy:
Drop
Properties:
Tag
Tag:type
Operator:
ExactMatch
Action:
test
+AddProperty
AddedPolices:
Cancel
Save
Delete
Edit
droptag.type"est"
(默认策略--接受)
accept
Cancel
- Only specified instance logs are collected.
ConfigureCollectionPolicy(RDsSQLAuditLog)
心地心心心心心心地心
AdyancedEditMode:
Close
Retain
DefaultCollectionPolicy:
ModifyPolicy
Properties:lnstanceID
OperatorExactMatch
Action:Acc...
instance1
instance2
+AddProperty
AddedPolices:
Cancel
Save
Edit
acceptinstance.id(istace"or"istance2")
Delete
2.accept*(默认策略--接受)
OK
Cancel
SQL Audit Query
RDS
GlobalConfi...
LogAuditService
Central
DataTransfommationD
4lndexAttributes
SaveasAlert
SaveSearch
rdslog
ActionTrall
1Day(Relative)
Search&Analyz
RDS
03-13
03-12
03-13
03-13
03-13
03-13
LogEntrles:11SearchStatus:Theresultsareaccurate.
LogReduce
RawLogs
Graph
NewLine
Itemsperpago:
RawData
QuickAnalysis
Table
Time
Searchbyfield
?Log-service
rdsaudit_log
Mar
21:02:07
check.rows:5
topic
clientip:101.88.214.30
check_rows
db:yemo
db-type:mysql
cllentip
db_version:8.0
fait:6
instanceid:
db_type
instance.name:
version
latency:1221
fai
origin_time1615640527698967
Ownerid:1293284105955578
instance_id
region:cn-huhehaote
instance_name
return_rows:1
sql:showtables
latency
thread_id:816053
origin_time
Updaterows:0
3. Rds audit log -- report
The SQL audit log based on SLS provides three audit reports
- RDS Audit Center: mainly displays the SQL execution indicators, distribution, trend and other information of all databases. For example: Statistics of PV, UV, operation database / data table, etc.
RDSAudit...
BDsxBaitCenter
CRefresh
FullScreen
nAlerts
TiMeRange
Subscribe
Share
ResetTime
OperatedDBinstancecoundt
UV
OperatedtablecountTo...
pVToday(Relative)
Today(Relative)
OperatedDBcountToda...
17个
18个
2
72.937K
281
Today(...
Totaldeletedrows
Today(R...
Toda...
Toda...
Totalinsertedrows
Operationerrors
TotalquridrowsToday(...
Totalupdatedrows
987.22Krows
4.536K
4.536K
1.985K个
rows
rows
rows
OperatedDBdistributionTodayRelative)
OperatedDBinstancedistributionTodayRelative)
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
system
rm
0.00%
0.00%
sls
0.00%
0.00%
0.00%
0.00%
System(cm
rm
0.00%
0.00%
0.00%
0.00%
system(rm-
rm
0.01%
0.01%
0.00%
0.01%
system(rm
0.01%
0.01%
0.01%
0.00%
rm
systemcm
Total
Total
0.01%
0.01%
72.937K
72.937K
0.03%
0.02%
system(cm
0.03%
16.59%
rm
16.57%
system(rm
- RDS audit security center: it mainly shows the failed SQL and dangerous SQL of all databases, as well as the details, distribution and trend of mass deletion or modification events.
RDSAuditC...X
RDSSecurity...x
RDSSecurityCenter
FullScreen
ResetTime
Share
:Subscribe
nAlerts
TiMeRange
Refresh
ErrorcountToday(Relative)
Batchupdateeventcount
DangerousSQLexecution
LoginfailurecountToday...
Batchdeleteeventcount
55
1.985K
Externalclientw/errorsdistributionTodayRelative)
FailedoperationtypedistributionTodayelative)
2.77%
Total
Logout
1.985K
Login
97.23%
- RDS audit performance center: it mainly shows the specific performance indicators of all databases, such as the peak value of SQL execution, the average time of SQL execution, the specific distribution and source of slow SQL, etc.
4. Rds audit log -- alert
SLS log audit has newly released built-in alarm rules, including 19 built-in rules for RDS SQL audit (which will be expanded in the future).
4.1 Rule view
Through "SLS home page" -> "Log Audit Service" -> "Audit Alert" on the left side of console -> "Policy Settings " -> "Alert Rules", you can enter the audit alert rules configuration page. There are two main types of rules:
- SQL audit rules (RDS security): mainly for SQL execution exception monitoring. For example, slow SQL, or batch deletion.
- Premise: enable RDS SQL audit log collection through log audit app.
- RDS operation compliance rules: mainly based on CIS rules, it monitors the operation configuration of RDS.
- Premise: activate actiontrail operation log collection through log audit app.
GlobalConfi...X
RDS
AuditService
AuditAlert
AlartDashboard
Standard
cisStandard(48)
FlowSecunty(20)
DatabaseSecurity(13)
ContainerSecurity(3)
Show
EventPiplineCenter
Type
LogAuditCompliance(13)
PermissionControl(3)
RuleCenter
AccountSecurltyt1o)
oSSOperationCompliance(4)
SLBOperationCompliance(2)
RDSperationCompliance(6)]
Troubleshooting
ECSOperationCompliance(4)
CloudfirewallOperationCompliance(1)
vpCOperationCompliance(3)
PalicySettings
RRDSSecurity(13)
K8sSecurity(3)
TT
TDIOperationCompliance(1)
APICalLC1)
AlertRules
APIGatewayFlowSecurity(3)
KssFlowSecurity(4)
ossFlowSecurity(7)
SLBFlowSecurity(6)
NASDataSecurity(2)
TDISecurityEvent(5)
AlertPolicy
WAFSecurityEvent(2)
ossDataSecurity(2)
CloudfirewallSecurityEvent(2)Hide
ActionPolicy
ContentTemplate
Hide
MetaData.
SearchbytemplateIDordescriptior
Enable
Disable
Pause
Delote
Uparade
UserManagement
Type
Actions
MonitoringRuLE
Status
USErGroup
RDSInstancesQLlnsightDisabled
CloudPIatformAlicloud
EnableSettings
NotCreated
User
Alert?
Show
CloudPlatformAlicloud
RDSSlowsQLDetection?
AddSettings
NotCreated
Show
CloudPIatformAlicloud
RDSDataMassDeletionAlcrt?
+
AddSettings
NotCreated
Show
DetectionofRDSVisitthrough
CloudPlatformAlicloud
NotCreated
EnableSettings
lnternet?
Show
RDSQuerysQLAverageExecution
CloudPlatformAlicloud
NoTCreated
AddSettings
格
TiMeMonitorIng?
Show
RDSIntanceUpdatePeak
CloudPlattormAlicloud
NotCreated
AddSettings
Monitoring?
Show
CloudPlatformAlicLoud
RDSInstanceAccessWhitelist
NotCreated
EnableSettings
AbnormalSettingAlert?
Show
NewlyCreatedRDSInstance'sSSL
CloudPLatformAlicLoud
4.2 Alert Config
Action policy configuration
Set up action policy to send alarm notification. At present, it supports Dingding, mailbox and other channels.
GlobalConfi...x
LogAuditService
AuditAlert
AlertDashboard
EventPiplineCenter
AlertCenter
AlertRule
ActionPolicy
RuleCenter
Troubleshooting
21/64
ID:
sls.app.audit.builtin
PolicySettings
23/64
SLSAuDitActionPolicy
Name:
AIertRules
AlertPollicy
SecondaryActionPolicy
PrimaryActionPolicy
ActionPolicy
ContentTemplate
Start
MetaData
UserManagement
UsorGroup
AetonGroup
User
Dinghlk
DingTek
Notiicelon
De:27749671db3014-01a3d6-3
REqu:stURL
SLSaudTbultnconkEntte..
AArtTarclate
Prriad
OAUTO
BacktoList
Alert example -- slow SQL audit
- Enable the alert
Set alert parameters according to user needs. For example, slow SQL detection threshold, white list and so on.
LogAuditService
GlobalConfi...
AuditAlert
RDS
ECSOperationCompliance(4)
WVPcOperationCompliance(3)
CloudfirewalloperationCompliance(1)
AlertDashboard
kBsSecurity(3)
TDIOperation
RDSSecurity(13)
inCompliance(1)
APICall(1)
EventPiplineCenter
A
KBsFlowSecurity(4)
ossFlowSecurity(7)
APIGatewayFlowSecurity(3)
SLBFIowSecurity(6)
RuleCenter
ossDataSecurity[2)
TDISecurityEvent(5)
wAFSecurityEvent(2)
NASDataSecurity(2)
Troubleshooting
CloudfirewallsecurityEvent(2)
Hide
PolicySettings
HideA
AlertRules
Pause
SearchbytemplateIDordescriptio!
Enable
Disable
Upgrade
Delete
Resume
AlertPolicy
Actions
Status
Type
MonitoringRule
ActionPolicy
RDSInstancesQLInsightDisabled
CloudPlatformAlicloud
ContentTemplate
EnableSettings
NotCreated
Alcrt?
Show
目
MotaData
CloudPlatformAlicloud
AddDisablePauseDeleteSettings
RDSSlowSQLDetection?
Enabled(1)
UserManagement
Show
USerGroup
Threshold
Severity
Actions
AlertName
Status
User
RDSSlowSQLDetection?
DisablePauseDeleteSettings
5000
Enabled
CloudPIatformAlicloud
RDSDataMassDeletionAlert?
NotCreated
AddSettings
Show
CloudPlattormAlicloud
DetectionofRDSVisitthrough
EnableSettings
NotCreated
lnternet?
Show
Settheparameters.
CloudPlatformAlicloud
RDSQuerySQLAverageExecution
AddSettings
Alert Test
# table desc mysql> desc test;+-----------------+------------------+------+-----+---------+----------------+| Field | Type | Null | Key | Default | Extra | +-----------------+------------------+------+-----+---------+----------------+| id | int(10) unsigned | NO | PRI | NULL | auto_increment | | title | varchar(100) | NO | MUL | NULL | | | author | varchar(40) | NO | | NULL | | | submission_date | date | YES | MUL | NULL | | +-----------------+------------------+------+-----+---------+----------------+4 rows inset (0.04 sec) # mysql> select * from test limit 5;+----+--------+---------+-----------------+| id | title | author | submission_date | +----+--------+---------+-----------------+| 1 | title1 | author1 | 2021-01-12 | | 2 | title1 | author1 | 2021-01-12 | | 3 | title1 | author1 | 2021-01-12 | | 4 | title1 | author1 | 2021-01-12 | | 5 | title1 | author1 | 2021-01-12 | +----+--------+---------+-----------------+# Use index to group by# mysql> select title, count(1) as cnt from test where submission_date='2021-01-12' group by title;+--------+-------+| title | cnt | +--------+-------+| title1 | 59392 | | title2 | 8448 | +--------+-------+2 rows inset (0.06 sec) # makes the index invalid.# mysql> select title, count(1) as cnt from test where day(submission_date)=12 group by title;+--------+-------+| title | cnt | +--------+-------+| title1 | 59392 | | title2 | 8448 | +--------+-------+2 rows inset (0.58 sec)
SLS monitors slow SQL and sends alert notification to user.
