Updated on 2024-10-30 GMT+08:00

Security Auditing

Scenario

You can query operation records matching specified conditions and check whether operations have been performed by authorized users for security analysis.

Prerequisites

You have enabled CTS and trackers are running properly.

Procedure (for New Console)

The following takes the records of EVS disk creation and deletion in the last two weeks as an example.

  1. Log in to the management console as a CTS administrator.
  2. Click in the upper left corner to select the desired region and project.
  3. Click in the upper left corner and choose Management & Governance > Cloud Trace Service. The CTS console is displayed.
  4. Choose Trace List in the left navigation pane.
  5. Set the time range to Last 1 week and set filters as follows:

    • For creation operations: Select EVS for Trace Source, evs for Resource Type, and createVolume for Trace Name. View the filtering result.

    • For deletion operations: Select EVS for Trace Source, evs for Resource Type, and deleteVolume for Trace Name. View the filtering result.

    • By default, all EVS creation or deletion operations performed in the last hour are queried. You can also set the time range to query all EVS creation or deletion operations performed in the last seven days at most.
    • For all cloud services and operations that can be audited by CTS, see Supported Services and Operations.
    To obtain the operation records of the last week, query them in the OBS bucket. Choose Tracker List in the left navigation pane. In the displayed tracker list, click the OBS bucket name in the row of the management tracker.

    To store operation records for more than seven days, you must configure the management tracker to transfer them to an OBS bucket. Otherwise, you cannot query the operation records generated seven days ago.

  6. Download traces older than seven days or all traces by following the instructions in Querying Transferred Traces.
  7. In the trace files, search traces using keywords createVolume or deleteVolume.
  8. Check the traces obtained in steps 5 and 7 to see whether there are any unauthorized operations or operations that do not conform to security rules.

Procedure (for Old Console)

The following takes the records of EVS disk creation and deletion in the last two weeks as an example.

  1. Log in to the management console as a CTS administrator.
  2. Click in the upper left corner to select the desired region and project.
  3. Click in the upper left corner and choose Management & Governance > Cloud Trace Service. The CTS console is displayed.
  4. Choose Trace List in the left navigation pane.
  5. Set the time range to Last 1 week, set filters in sequence, and click Query.

    Select Management for Trace Type, evs for Trace Source, evs for Resource Type, Trace name for Search By, select createVolume or deleteVolume, and click Query. By default, all EVS disk creation or deletion operations performed in the last hour are queried. You can also set the time range to query all EVS creation or deletion operations performed in the last seven days at most.

  6. To obtain the operation records of the last week, query them in the OBS bucket. Choose Tracker List in the navigation pane on the left.

    To store operation records for more than seven days, you must configure the management tracker to transfer them to an OBS bucket. Otherwise, you cannot query the operation records generated seven days ago.

  7. Download traces older than seven days or all traces by following the instructions in Querying Transferred Traces.
  8. In the trace files, search traces using keywords createVolume or deleteVolume.
  9. Check the traces obtained from steps 5 and 8 to see whether there are any unauthorized operations or operations that do not conform to security rules.