Updated on 2025-11-07 GMT+08:00

Function

Database Configuration

Database audit supports databases built on ECS, BMS, and RDS on Huawei Cloud. After purchasing a database audit instance, you need to add the database to be audited to the instance. After adding a database successfully, you can view, disable or delete the database.

Configuring an Agent

Add a new agent or choose an existing agent for the database to be audited, depending on your database type. The agent obtains database access traffic, uploads traffic statistics to the audit system, receives configuration commands from the audit system, and reports database monitoring data. You can enable database audit only after the agent is installed. The agent can be installed on Linux and Windows. After adding an agent to the database, you can view, disable, or delete the agent.

Configuring Security Group Rules

In the security group of the database audit instance, add inbound rules that allow TCP (port 8000) and UDP (ports 7000 to 7100) so that the agent can communicate with the audit instance.
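
The following check is an added example, not part of the DBSS product or its documentation. It reports which of the required inbound ports (TCP 8000, UDP 7000 to 7100) are not covered by a set of security group rules. The rule field names (direction, action, protocol, port_min, port_max) and the sample rules are assumptions constructed for illustration.

```python
# Required inbound access stated on this page: TCP 8000 and UDP 7000-7100.
REQUIRED = {"tcp": [(8000, 8000)], "udp": [(7000, 7100)]}


def missing_ports(rules, required=REQUIRED):
    """Return {protocol: [(low, high), ...]} for required port ranges that
    no inbound allow rule covers. Rule field names are hypothetical."""
    gaps = {}
    for proto, needed in required.items():
        allowed = sorted(
            (r["port_min"], r["port_max"]) for r in rules
            if r["direction"] == "ingress" and r["action"] == "allow"
            and r["protocol"] == proto
        )
        for low, high in needed:
            cursor = low  # lowest required port not yet known to be covered
            for a_low, a_high in allowed:
                if a_high < cursor:
                    continue  # rule ends before the uncovered part starts
                if a_low > cursor:
                    # ports between cursor and this rule's start are uncovered
                    gaps.setdefault(proto, []).append((cursor, min(a_low - 1, high)))
                cursor = max(cursor, a_high + 1)
                if cursor > high:
                    break
            if cursor <= high:
                gaps.setdefault(proto, []).append((cursor, high))
    return gaps


def rule(direction, protocol, port_min, port_max, action="allow"):
    return {"direction": direction, "action": action, "protocol": protocol,
            "port_min": port_min, "port_max": port_max}


# Constructed sample: the UDP range is split and leaves 7051-7059 closed;
# the egress rule and the TCP rule on 7000-7100 do not help the agent.
SAMPLE_RULES = [
    rule("ingress", "tcp", 8000, 8000),
    rule("ingress", "udp", 7000, 7050),
    rule("ingress", "udp", 7060, 7100),
    rule("egress", "udp", 7000, 7100),
    rule("ingress", "tcp", 7000, 7100),
]

if __name__ == "__main__":
    print(missing_ports(SAMPLE_RULES))
```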

Configuring the Audit Scope

By default, database audit applies a full audit rule, which audits all databases that are connected to the database audit instance. You can also add an audit scope to specify the databases to be audited. After adding an audit scope, you can view, enable, edit, disable, or delete the audit scope.

SQL Injection

SQL injection detection is enabled by default. You can disable or enable the detection rules. One piece of audited data can match only one SQL injection detection rule.

Privacy Protection

To prevent sensitive information leakage, you can enable privacy data masking and configure masking rules so that sensitive information in entered SQL statements is masked.

Alarm Notifications

After configuring alarm notifications, you can receive DBSS alarms on database risks. If this function is not enabled, you have to log in to the management console to view alarms. Alarm notifications may be mistakenly blocked. If you have enabled notifications but not received any, check whether they have been blocked as spam. The system collects alarm statistics every 5 minutes and sends alarm notifications (if any).

Audit Logs

Database audit logs can be backed up to OBS buckets to achieve high availability for disaster recovery. You can back up or restore database audit logs as required. After backing up audit logs, you can view or delete backup audit logs.

Instance Management

After purchasing a database audit instance, you can view, enable, restart, and disable the instance.

Risky Operation Management

After adding a risky operation, you can view its risk; enable, edit, disable, or delete the risky operation; or set its priority.

Managing Reports

By default, database audit applies a full audit rule, which audits all databases that are successfully connected to the database audit instance. After connecting the database to the database audit instance, you can view report templates and report results.

Database Security Encryption

  • Data Encryption

    The system supports data encryption and integrity verification, meeting the evaluation requirements of graded protection and sub-protection as well as the evaluation requirements of storage data integrity and confidentiality assurance in the application and security evaluation of commercial cryptographic systems.

    • Encryption algorithm: AES and SM4 (a Chinese national cryptographic algorithm) are supported.
    • Integrity check algorithm: AES-GCM and SM3-HMAC are supported.
  • Access Control

    The system has an access authorization mechanism independent of the database. Authorized users can access encrypted data, but unauthorized users cannot. This effectively prevents administrators from accessing the database without authorization and attackers from dumping the database in bulk.

    The system separates permissions among system administrators, security administrators, and audit administrators, enhancing database security compliance.