Managing Risky Operation Rules
Database audit has four built-in detection rules, including database reduction detection, slow SQL statements detection, batch data tampering detection, and batch data deletion detection, helping you detect database security risks in a timely manner. You can also add risky operations and customize detection rules.
Prerequisites
The database audit instance is in the Running state.
- Before enabling the risky operation, ensure that its status is Disabled.
- Before disabling the risky operation, ensure that its status is Enabled.
Constraints and Limitations
- One piece of audited data can match only one risky operation rule.
- For a risky operation rule whose Rule Category is System rules, you cannot edit, delete, or set priority for it.
Managing Risky Operation Rules
- Log in to the DBSS console.
- Click
in the upper left corner on the displayed page and select a region. - In the navigation tree on the left, choose Rules.
- In the Instance drop-down list, select an instance.
- Click the Risky Operations tab.
Adding a Risky Operation Rule
- Click Add above the risky operation list.
- On the Add Risky Operation page, set the basic information and IP address or IP range. For details, see Table 1. Figure 1 Configuring basic information and IP addresses or IP address segments
Table 1 Risk operation parameters Parameter
Description
Example Value
Name
Custom name of a risky operation.
test
Risk Level
Level of a risky operation. The options are as follows:
- High
- Medium
- Low
- No risk
High
Status
Status of a risky operation.
- Enabled
- Disabled
Enabled
Select Database
Select databases to apply the risky operation rule.
You can select ALL or a specific database.
-
Exception Client IP Address/IP Address Segment
IP addresses or IP address ranges which are trusted and will not be audited.
The IP address can be an IPv4 address (for example, 192.168.1.2) or an IPv6 address (for example, fe80:0000:0000:0000:0000:0000:0000:0000).
192.168.xx.xx
Client IP Address/IP Address Segment
Enter the IP address or IP address segment of the client that is not in the trusted client IP address or IP address segment, which is used to report alarms for risky operations set by users.
The IP address can be an IPv4 address (for example, 192.168.1.1) or an IPv6 address (for example, fe80:0000:0000:0000:0000:0000:0000:0000).
192.168.xx.xx
- Set the operation type, operation object, and execution result. For details about related parameters, see Table 2. Figure 2 Setting the operation type, operation object, and execution result
Table 2 Parameters for adding a risk rule Parameter
Description
Example Value
Operations
Types of risky operations.
- Login
- Operation
- All operations
- DDL
- DML
- DCL
Login
Objects
Click Add Operation Object. Enter the target database, target table, and field information. Click OK to add an operation object.
-
Results
Set Affected Rows and Operation Duration. The operation conditions are as follows:
- Greater than
- Less than
- Equal to
- Equal to or greater than
- Less than or equal to
Equal to or greater than
- Click OK.
Checking the Risky Operation Rule List
Check the risky operation information. For details, see Table 3.
You can select an attribute from the search box above the list or enter a keyword to search for a specified risky operation.
| Parameter | Description |
|---|---|
| Name | Name of a risky operation. |
| Rule Category | Risky operation type. The options are as follows:
|
| Priority | Priority of a risky operation. |
| Category | Category of the risky operation. |
| Feature | Feature of a risky operation. |
| Risk Level | Risk level of an operation. The options are as follows:
|
| Status | Status of a risky operation. The options are as follows:
|
Setting the Priority of a Risky Operation Rule
- In the row containing the risky operation for which you want to set a priority, click
in the Priority column. Figure 4 Setting the priority
- Click OK. Figure 5 Setting the priority
Enabling a Risky Operation Rule
- In the Operation column of a risky operation rule, click Enable. Figure 6 Enabling a risky operation rule
- Check the risk operation rule status. It will change to Enabled. Database audit will audit this risky operation.
Disabling a Risky Operation Rule
- In the Operation column of a risky operation rule, click Disable. Figure 7 Disabling a risky operation rule
- In the displayed dialog box, click OK.
- Check the risky operation rule status. The status will change to Disabled and the rule will not be implemented for audit.
Editing a Risky Operation Rule
- In the Operation column of a risky operation rule, click Edit. Figure 8 Editing a risky operation rule
- On the risky operation rule page, edit the rule.
- Confirm the information and click OK.
Deleting a Risky Operation Rule
- In the Operation column of a risky operation rule, click Delete. Figure 9 Deleting a risky operation rule
- In the displayed dialog box, enter DELETE and click OK.
After the rule is deleted, if you need to configure database risky operations for the instance, add a risky operation rule again.
References
- You can add an audit scope rule. For details, see Configuring an Audit Scope Rule.
- You can add a custom SQL rule to audit all the database connected to database audit. For details, see Configuring SQL Injection Rules.
- To mask sensitive information in entered SQL statements, you can enable the function of masking privacy data and configure masking rules to prevent sensitive information leakage. For details, see Configuring Privacy Data Protection Rules.
- You can add trusted SQL statements to the whitelist. Database audit will ignore whitelisted SQL statements. For details, see Configuring SQL Whitelist.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot