Build RDS audit compliance monitoring based on SLS

Background

Databases are the data core of enterprise business, and in traditional environments their security issues have become an important source of data leakage and tampering. The operational behaviour of the database, and in particular an audit log that records every SQL execution in full, is therefore especially important.
SLS and RDS jointly launched the RDS SQL audit function, which delivers RDS SQL audit logs to SLS in real time; SLS provides real-time query, visual analysis, alarms and other functions.
The RDS SQL audit log records all operations performed on the database. The system obtains this information by analysing the network protocol, which consumes very little CPU and does not affect SQL execution performance. The RDS SQL audit log includes, but is not limited to, the following operations:
• Database login and logout operations.
• DDL (Data Definition Language) operations: SQL statements that define the database structure, including CREATE, ALTER, DROP, TRUNCATE, COMMENT, etc.
• DML (Data Manipulation Language) operations: SQL statements that operate on data, including SELECT, INSERT, UPDATE, DELETE, etc.
• Other SQL execution operations, including any other control statements executed through SQL, such as rollback.
• Information about SQL execution latency, execution results, and the number of rows affected.
In addition, SLS also monitors the operational compliance of RDS, discovers RDS configuration abnormalities in time, and ensures database security.

RDS log audit: collection

At present, there are two ways to collect RDS SQL audit logs into SLS:
• Cloud product collection channel
Advantages: a small number of instances in the same region can be collected with a simple configuration.
Disadvantages: cross-region and cross-account collection is not supported, and instances are not discovered dynamically. If you need cross-region or cross-account collection, you have to build your own data processing tasks.
• Log audit channel
Advantages:
Supports centralized cross-account and cross-region collection, which makes audit report analysis convenient.
Supports instance discovery and one-click enabling of automatic collection, and lets you control the collection scope through a collection strategy.
Disadvantages:
AccessKey (AK) authorization or manual authorization is required to open the Log Audit application.
The SQL Insight function of each collected instance is turned on automatically, and it is not turned off automatically. If you need to turn off SQL Insight, you must either turn off RDS collection in Log Audit as a whole or exclude the instance through the collection strategy, and then turn off SQL Insight instance by instance in the RDS console.

Cloud product collection channel

Single-account collection in the same region (RDS audit logs can only be collected into a logstore in the same region)

• In the "Access Data" area on the home page of the SLS console, select "RDS Audit". The following uses Zhangjiakou as an example.


• Because the collected instance is located in Zhangjiakou, you need to create a new project and logstore in Zhangjiakou, or select an existing project and logstore there.
• Note: the audit logs of an RDS instance can only be collected within the same region.


• On the "Data Source Configuration" page, after completing RAM authorization you can view all RDS instances in Zhangjiakou. Log delivery is disabled by default; tick the "Enable Delivery" button of each instance whose logs you need to collect.

• At this point, SQL audit log collection has started; you can view the RDS instance logs by jumping to the logstore configured above.

Cross-region and cross-account collection scenarios

Because the cloud product collection channel can only collect RDS audit logs into a logstore in the same region, cross-account and cross-region collection requires building your own cross-region or cross-account data processing tasks to overcome this limitation.
Because self-built data processing tasks require more complicated authorization, they are not described in detail here. If necessary, see:
1. Configure custom role authorization
2. Best practice: Transmit data across regions
3. Best practice: "Cross-account distribution" in multi-target Logstore data distribution.

In summary, the cloud product collection channel is convenient only in simple collection scenarios. For cross-region and cross-account collection, not only is the data synchronization link longer, but a more complicated authorization process is required as well; and whenever an instance changes (or a new instance appears), the synchronization link has to be maintained manually, which makes the maintenance cost very high. The log audit channel solves the pain points of cross-region and cross-account collection and of the high cost of keeping up with instance changes.

Log audit collection channel

Log audit authorization

It is recommended to perform the following operations as an Alibaba Cloud RAM user.
• Create an Alibaba Cloud RAM user, grant it the AliyunRAMFullAccess and AliyunLogFullAccess permissions, and create an AccessKey (AK) for it.
• Log in as the RAM user above and select "Log Audit Service" in the SLS console.

• On first entry you are asked to authorize. Enter the AK created in the first step here and select the region of the central project in which the audit logs are stored.


• If the following page appears, authorization is complete. After that, enable the logs of each cloud product according to your collection needs. In this example, Actiontrail logs and RDS SQL audit logs are collected.

Configure SQL audit collection

This article focuses on how to enable the RDS SQL audit log and manage the log collection scope through the collection strategy. To enable the SQL audit log you first need to configure a collection strategy. The complete syntax is described in the collection strategy documentation; some commonly used strategies follow.
• Collect the instance logs of specific regions only. For example: collect only instances in Hangzhou and Shanghai.

• Do not collect instances with a specific tag. For example: tag test instances with the tag "type" set to the value "test".

• Collect the logs of a limited set of instances only.

SQL audit

RDS log audit: report

The SLS-based SQL audit log provides three audit reports:
• RDS Audit Center: mainly displays SQL execution indicators, distribution and trends across all databases, for example statistics on PV, UV, and the databases and tables operated on.
• RDS Audit Security Center: mainly displays failed SQL and dangerous SQL across all databases, as well as the details, distribution and trends of mass deletion or modification events.
• RDS Audit Performance Center: mainly displays specific performance indicators of all databases, such as peak SQL execution, average SQL execution time, and the distribution and source of slow SQL.

RDS log audit: alarm

SLS Log Audit has newly released built-in alarm rules, including 19 built-in rules for RDS SQL audit (more will be added in the future).

Rule view

In the console, go to SLS homepage -> Log Audit Service -> Audit Alarm (left side) -> Rule Configuration / Alarm Rule to open the audit alarm rule configuration page. The rules fall into two categories:
• SQL audit rules (RDS security): mainly monitor abnormal SQL execution, for example slow SQL or batch deletes.
  • Prerequisite: enable RDS SQL audit log collection through the Log Audit application.
• RDS operational compliance rules: mainly monitor the operational configuration of RDS, based on CIS rules.
  • Prerequisite: enable Actiontrail operation log collection through the Log Audit application.

Alarm configuration

Action strategy configuration
• DingTalk channel notification
  • Example: all alarms are sent as DingTalk notifications.

• SMS/voice channel notification
  • Example: when the alarm level is greater than severe, a voice alarm is sent to the "SLS Audit Built-in User Group". For the notification recipients' details, such as telephone numbers, see Creating Users and User Groups.

Alarm sample

Next, two specific examples introduce the use of RDS audit alarms.

SQL audit sample: slow SQL audit

Turn on the alarm
• Set the alarm parameters according to your needs, for example the slow SQL detection threshold and the filtering whitelist.
• Click the enable button to turn on the alarm.

Construct an anomaly
• Test data set

# Table structure
mysql> desc test;
+-----------------+------------------+------+-----+---------+----------------+
| Field           | Type             | Null | Key | Default | Extra          |
+-----------------+------------------+------+-----+---------+----------------+
| id              | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title           | varchar(100)     | NO   | MUL | NULL    |                |
| author          | varchar(40)      | NO   |     | NULL    |                |
| submission_date | date             | YES  | MUL | NULL    |                |
+-----------------+------------------+------+-----+---------+----------------+
4 rows in set (0.04 sec)

# Data
mysql> select * from test limit 5;
+----+--------+---------+-----------------+
| id | title  | author  | submission_date |
+----+--------+---------+-----------------+
|  1 | title1 | author1 | 2021-01-12      |
|  2 | title1 | author1 | 2021-01-12      |
|  3 | title1 | author1 | 2021-01-12      |
|  4 | title1 | author1 | 2021-01-12      |
|  5 | title1 | author1 | 2021-01-12      |
+----+--------+---------+-----------------+

• Slow SQL

# GROUP BY with the indexed column used directly in the WHERE clause
mysql> select title, count(1) as cnt from test where submission_date='2021-01-12' group by title;
+--------+-------+
| title  | cnt   |
+--------+-------+
| title1 | 59392 |
| title2 |  8448 |
+--------+-------+
2 rows in set (0.06 sec)

# Applying a function to the indexed column before GROUP BY defeats the index.
mysql> select title, count(1) as cnt from test where day(submission_date)=12 group by title;
+--------+-------+
| title  | cnt   |
+--------+-------+
| title1 | 59392 |
| title2 |  8448 |
+--------+-------+
2 rows in set (0.58 sec)

• The alarm detects the slow SQL and sends an alarm notification.
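To make the slow-SQL rule and the batch delete/modify rule described above concrete, here is an added Python example (not code from the article, from Alibaba Cloud or from SLS) that applies the two rule ideas, a latency threshold with a filtering whitelist and a row-count threshold for a single DELETE/UPDATE, to a few constructed RDS SQL audit records. The field names `latency` (microseconds), `update_rows`, `sql`, `user`, `db`, `instance_id`, `client_ip` and `fail` are assumptions for this example and may not match the real SLS log layout; the records are constructed, with the latencies taken from the two queries above.

```python
"""
Added example (not part of the original article): evaluate two alarm ideas
from the text, slow SQL (latency threshold + filtering whitelist) and batch
delete/update (row-count threshold), against constructed RDS SQL audit records.

Assumed record layout (not taken from the article): instance_id, db, user,
client_ip, sql, latency (microseconds), update_rows, fail.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample records; latencies mirror the two GROUP BY queries above.
SAMPLE_RECORDS = [
    {"instance_id": "rm-example01", "db": "test", "user": "app", "client_ip": "10.0.0.5",
     "latency": 60000, "update_rows": 0, "fail": 0,
     "sql": "select title, count(1) as cnt from test where submission_date='2021-01-12' group by title"},
    {"instance_id": "rm-example01", "db": "test", "user": "app", "client_ip": "10.0.0.5",
     "latency": 580000, "update_rows": 0, "fail": 0,
     "sql": "select title, count(1) as cnt from test where day(submission_date)=12 group by title"},
    {"instance_id": "rm-example01", "db": "test", "user": "report", "client_ip": "10.0.0.9",
     "latency": 2100000, "update_rows": 0, "fail": 0,
     "sql": "select count(*) from test"},  # a reporting account that is expected to be slow
    {"instance_id": "rm-example01", "db": "test", "user": "app", "client_ip": "10.0.0.5",
     "latency": 90000, "update_rows": 65000, "fail": 0,
     "sql": "delete from test where submission_date='2021-01-12'"},
    {"instance_id": "rm-example01", "db": "test", "user": "app", "client_ip": "10.0.0.5",
     "latency": 1200, "update_rows": 1, "fail": 0,
     "sql": "update test set author='author2' where id=1"},
]


@dataclass(frozen=True)
class Alarm:
    rule: str
    level: str
    instance_id: str
    db: str
    user: str
    sql: str
    detail: str


# Statements that modify rows; only these are subject to the batch rule.
_MODIFY_RE = re.compile(r"^\s*(delete|update)\b", re.IGNORECASE)


def slow_sql_alarms(records: Iterable[dict], threshold_us: int = 500_000,
                    user_whitelist: frozenset = frozenset()) -> List[Alarm]:
    """Rule 1: SQL whose latency exceeds the threshold, skipping whitelisted users."""
    out: List[Alarm] = []
    for r in records:
        if r["user"] in user_whitelist:
            continue  # filtering whitelist: known-slow accounts are not alarmed on
        if r["latency"] <= threshold_us:
            continue
        # Twice the threshold is escalated so that voice/SMS routing can key on level.
        level = "critical" if r["latency"] >= 2 * threshold_us else "high"
        detail = f"latency {r['latency'] / 1000:.0f} ms > {threshold_us / 1000:.0f} ms"
        out.append(Alarm("slow_sql", level, r["instance_id"], r["db"], r["user"], r["sql"], detail))
    return out


def batch_modify_alarms(records: Iterable[dict], row_threshold: int = 10_000) -> List[Alarm]:
    """Rule 2: a single DELETE/UPDATE that touched at least row_threshold rows."""
    out: List[Alarm] = []
    for r in records:
        if not _MODIFY_RE.match(r["sql"]) or r["update_rows"] < row_threshold:
            continue
        detail = f"{r['update_rows']} rows modified by one statement (threshold {row_threshold})"
        out.append(Alarm("batch_modify", "critical", r["instance_id"], r["db"], r["user"], r["sql"], detail))
    return out


def evaluate(records: List[dict], threshold_us: int = 500_000,
             user_whitelist: frozenset = frozenset(), row_threshold: int = 10_000) -> List[Alarm]:
    """Run both rules over one batch of audit records and return the alarms raised."""
    return slow_sql_alarms(records, threshold_us, user_whitelist) + batch_modify_alarms(records, row_threshold)


if __name__ == "__main__":
    for a in evaluate(SAMPLE_RECORDS, user_whitelist=frozenset({"report"})):
        print(f"[{a.level}] {a.rule} {a.instance_id}/{a.db} user={a.user}: {a.detail}")
        print(f"    {a.sql}")
```

With the `report` account whitelisted, only the function-on-indexed-column query (580 ms) and the 65,000-row DELETE raise alarms; dropping the whitelist also surfaces the 2.1 s reporting query, at the escalated level.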

RDS operational compliance sample: abnormal configuration of the instance access whitelist



This article is the original content of Alibaba Cloud and may not be reproduced without permission.


Source: blog.csdn.net/weixin_43970890/article/details/114260595