Process Overview
Scenario
This section describes the types and versions of databases that support agent installation and agent-free protection, as well as the process of configuring database audit.
Database audit supports auditing user-installed databases on ECS/BMS as well as RDS databases on Huawei Cloud.
Notes and Constraints
- Database audit cannot be used across regions. The database to be audited and the database audit instance to be purchased must be in the same region.
- If you use an agent to audit a user-built database or a cloud database, disable SSL for the database. Otherwise, the audit will fail. For details, see How Do I Disable SSL for a Database?
- For details about audit data storage, see How Long Is the Audit Data of Database Audit Stored by Default?
Databases That Do Not Need Agents
Databases of some types and versions can be audited without using agents, as shown in Table 1.
| Database Type | Supported Edition |
|---|---|
| TaurusDB | All editions are supported by default. |
| RDS for SQLServer | All editions are supported by default. |
| RDS for MySQL |
|
| DWS |
|
| PostgreSQL NOTICE: If the size of an SQL statement exceeds 4 KB, the SQL statement will be truncated during auditing. As a result, the SQL statement is incomplete. |
|
| RDS for MariaDB | All editions are supported by default. |
- DBSS without agents is easy to configure and use, but the following functions are not supported:
- Successful and failed login sessions cannot be counted.
- The port number of the client for accessing the database cannot be obtained.
- Data Warehouse Service (DWS) has the permission control policy for the log audit function. Only Huawei Cloud accounts and users with the Security Administrator permission can enable or disable the DWS database audit function.
Databases That Need Agents
| Database Type | Edition |
|---|---|
| MySQL |
|
| Oracle | |
| PostgreSQL |
|
| SQL Server |
|
| TaurusDB | 8.0 |
| DWS |
|
| DAMENG | DM8 |
| KINGBASE | V8 |
| SHENTONG | V7.0 |
| GBase 8a | V8.5 |
| GBase 8s | V8.8 |
| Gbase XDM Cluster | V8.0 |
| Greenplum | V6.0 |
| HighGo | V6.0 |
| GaussDB |
|
| MongoDB | V5.0 |
| DDS | 4.0 |
| Hbase (Supported by CTS instance 23.02.27.182148 and later versions) |
|
| Hive |
|
| MariaDB | 10.6 |
| TDSQL | 10.3.17.3.0 |
| Vastbase | G100 V2.2 |
| TiDB |
|
Configuring Database Audit
Create a database audit instance, connect the instance with the target database, and enable database audit.
| Step | Configuration | Description |
|---|---|---|
| 1 | After purchasing DBSS, you need to add the database to be audited to the instance. | |
| 2 | Enable database audit and connect the added database to the database audit instance. | |
| 3 | By default, database audit complies with a full audit rule, which is used to audit all databases that are connected to the database audit instance. You can view the audit result on the database audit page. NOTICE: You can set database audit rules as required. For details about how to configure an audit rule, see Configuring an Audit Scope Rule. |
| Step | Configuration | Description |
|---|---|---|
| 1 | Purchase database audit. Add a database to the database audit instance and enable audit for the database. | |
| 2 | Select an agent add mode. Database audit supports auditing databases built on ECS, BMS, and RDS on Huawei Cloud. Select an agent add mode based on your database deployed on Huawei Cloud. | |
| 3 | Configure TCP (port 8000) and UDP (ports 7000 to 7100) in the security group inbound rule of the database audit instance to allow the agent to communicate with the audit instance. | |
| 4 | Download and then install the agent on the database or application based on the add mode you chose. | |
| 5 | Enable database audit and connect the added database to the database audit instance. | |
| 6 | By default, database audit complies with a full audit rule, which is used to audit all databases that are connected to the database audit instance. You can view the audit result on the database audit page. NOTICE: You can set database audit rules as required. For details about how to configure an audit rule, see Configuring an Audit Scope Rule. |
Deploying the Database Audit Agent in a Container
For a database of any types and versions, you can deploy the agent using a container to enable database audit.
For details, see Deploying the Database Audit Agent in a Container
Verifying the Result
When you connect the added database to the database audit instance, database audit records all operations performed on the database. You can view the audit result on the database audit page.
References
- For details about how to select an agent addition mode and the node where the agent is installed, see How Do I Determine Where to Install an Agent?
- If the audit function is unavailable, see Database Audit Is Unavailable.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot