Updated on 2022-09-16 GMT+08:00

Configuring Privacy Data Protection Rules

To mask sensitive information in the SQL statements that users enter, enable privacy data masking and configure masking rules. This prevents sensitive information from leaking.

Prerequisites

  • You have purchased a database audit instance and the Status is Running.
  • Database audit has been enabled.

Procedure

  1. Log in to the management console.
  2. Select a region, click , and choose Security & Compliance > Database Security Service. The Dashboard page is displayed.
  3. In the navigation tree, choose Rules.
  4. In the Instance drop-down list, select the instance whose privacy data protection rule is to be configured.
  5. Click the Privacy Data Protection tab.
  6. Enable or disable Store Result Set and Mask Privacy Data.

    • Store Result Set

      You are advised to disable this function. After this function is disabled, database audit will not store the result sets of user SQL statements.

      Do not enable this function if you want to prepare for PCI DSS/PCI 3DS CSS certification.

    • Mask Privacy Data

      You are advised to enable this function. After this function is enabled, you can configure masking rules to prevent privacy data leakage.

  7. Click Add Rule. In the displayed Add Rule dialog box, set the data masking rule, as shown in Figure 1. For details about related parameters, see Table 1.

    Figure 1 Add Rule dialog box

    Table 1 Rule parameters

    Parameter           | Description                                                              | Example Value
    --------------------|--------------------------------------------------------------------------|--------------
    Rule Name           | Name of a rule                                                           | test
    Regular Expression  | Regular expression that specifies the sensitive data pattern             | -
    Substitution Value  | Value used to replace sensitive data specified by the regular expression | ###

  8. Click OK.

    A masking rule in the Enabled status is added to the rule list.
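
The three parameters in Table 1 can be tried offline against sample statements before a rule is entered in the Add Rule dialog box. The following is an added example, not part of the service or its documentation: it assumes Python `re` syntax (the page does not state which regular-expression dialect the service uses) and literal insertion of the substitution value, and the rule names, patterns and SQL statements are constructed.

```python
import re
from dataclasses import dataclass
@dataclass
class MaskRule:
    name: str          # "Rule Name" in Table 1
    pattern: str       # "Regular Expression"
    substitution: str  # "Substitution Value"

def lint(rule):
    """Static problems that make a rule unsafe before any sample is tried."""
    try:
        rx = re.compile(rule.pattern)
    except re.error as exc:
        return [f"invalid regular expression: {exc}"]
    if rx.search(""):
        return ["matches the empty string"]
    if rx.search(rule.substitution):
        return ["substitution value matches the pattern"]
    return []

def mask(statement, rule):
    """Replace every match with the literal substitution value."""
    return re.sub(rule.pattern, lambda m: rule.substitution, statement)

def evaluate(rule, samples):
    """samples: (statement, secret or None). Report leaks and over-masking."""
    findings = []
    for statement, secret in samples:
        masked = mask(statement, rule)
        if secret is not None and secret in masked:
            findings.append(("leak", statement))       # sensitive value survived
        if secret is None and masked != statement:
            findings.append(("over-mask", statement))  # harmless text was altered
    return findings

# Constructed sample statements; the card number is a widely used test value.
SAMPLES = [
    ("SELECT * FROM orders WHERE card_no = '4111 1111 1111 1111';", "4111 1111 1111 1111"),
    ("SELECT * FROM orders WHERE card_no = '4111-1111-1111-1111';", "4111-1111-1111-1111"),
    ("SELECT id FROM orders WHERE id = 42 LIMIT 10;", None),
]
# Hypothetical rules; "###" is the example substitution value from Table 1.
STRICT = MaskRule("card-number", r"\b(?:\d[ -]?){15}\d\b", "###")
NO_SEPARATORS = MaskRule("card-digits-only", r"\b\d{16}\b", "###")
TOO_BROAD = MaskRule("any-digits", r"\d+", "###")

if __name__ == "__main__":
    for rule in (STRICT, NO_SEPARATORS, TOO_BROAD):
        print(rule.name, lint(rule), evaluate(rule, SAMPLES))
```

A rule that reports a leak would leave the value readable in stored audit records, and one that reports over-masking would remove detail that an auditor needs from ordinary statements.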

Verifying a Rule

Perform the following steps to check whether a rule takes effect. The audit information about military officer card No. in a MySQL database is used as an example.

  1. Enable Mask Privacy Data, and ensure the "Military officer card NO." masking rule is enabled, as shown in Figure 2.

    Figure 2 Enabling privacy data protection

  2. Log in to the database as user root through the MySQL database client.
  3. On the database client, enter an SQL statement.

    select * from db where HOST="Military officer card No.";

  4. In the navigation pane, choose Dashboard.
  5. In the Instance drop-down list, select the instance whose SQL statement information you want to view. Click the Statements tab.
  6. Set filtering conditions to find the entered SQL statement.
  7. In the row containing the SQL statement, click Details in the Operation column.
  8. Check the SQL statement information. The content of SQL Statement is shown in Figure 3, indicating that the masking function is normal.

    Figure 3 SQL statement with sensitive data masked

Common Operations

After adding a user-defined masking rule, you can perform the following operations on it:

  • Disable

    Locate the row that contains the rule to be disabled and click Disable in the Operation column. A disabled rule cannot be used.

  • Edit

    Locate the row that contains the rule to be modified, click Edit in the Operation column, and modify the rule in the displayed dialog box.

  • Delete

    Locate the row that contains the rule to be deleted, click Delete in the Operation column, and click OK in the displayed dialog box.