Database Autonomy Service (DAS) provides the security audit feature to automatically identify risks, such as high-risk SQL statements, SQL injections, and new access sources. This topic describes how to use the security audit feature.
Prerequisites
The database instance that you want to manage is of one of the following types:
ApsaraDB RDS for MySQL
PolarDB for MySQL
The database instance is connected to DAS and is in the Normal Access state.
The SQL Explorer and Audit feature is enabled for the database instance. For more information, see the Enable SQL Explorer and Audit section of the "Overview" topic.
Storage duration
Audit data generated in real time by using the security audit feature can be stored for up to 30 days.
Limits
The security audit feature cannot identify all SQL injection attacks due to technical limits.
To prevent a large amount of audit data from being stored in a short period, DAS throttles the output of security audit results.
Procedure
Log on to the DAS console.
In the left-side navigation pane, click Instance Monitoring.
On the page that appears, find the database instance that you want to manage and click the instance ID. The instance details page appears.
In the left-side navigation pane, choose Request Analysis > SQL Explorer and Audit. On the page that appears, click Security Audit.
If you have enabled DAS Enterprise Edition V3, click the SQL Explorer tab on the SQL Explorer and Audit page. On the SQL Explorer tab, click the Security Audit tab.
Specify a time range for security audit and click Search. The security audit results on an hourly basis within the specified time range are displayed.
When you select a time range, make sure that the end time is later than the start time and that the interval between the start time and the end time does not exceed 30 days. The time range to query data must be later than the time when DAS Enterprise Edition is enabled and must fall within the data storage duration of SQL Explorer.
Click a point in time in the trend chart to view the security audit details of the hour after the point in time.
Item: High-risk Operation
Description: DAS automatically identifies the following types of High-risk Operation based on preset rules:
  DDL statements, such as those used to create a table, modify the schema of a table, modify an index, or rename a table
  Statements used to update or delete full tables
  Statements used to run large queries that meet one of the following default conditions:
    The number of scanned rows is equal to or greater than 1,000,000.
    The number of returned rows is equal to or greater than 100,000.
    The number of updated rows is equal to or greater than 100,000.
Risk level:
  DDL statements: low risk
  Statements used to update full tables: high risk
  Statements used to run large queries: medium risk

Item: SQL Injection
Description: SQL injections are attacks during which malicious SQL statements are inserted into web forms, domain names, or page requests to trick servers into executing these SQL statements. This type of attack compromises database security.
Note: DAS continuously monitors SQL injections in databases and identifies the access sources.
Risk level: High risk

Item: Add access
Description: DAS automatically identifies new access sources by comparing them with access source records to determine whether the access requests are sent from unknown servers.
Note: Access sources that did not access your database within the previous seven days are considered new access sources.
  After the security audit feature is enabled for a new database instance, no data of new access sources is provided for the first seven days.
  If the security audit feature has never been enabled for an existing database instance, no data of new access sources is provided for the first seven days after this feature is enabled.
Risk level: Medium risk
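The rules in the table above can be reproduced over your own exported audit records to see how the thresholds and the seven-day baseline behave. The following is an added example, not DAS code: the record fields, the regular expressions, and the `audit` and `rec` helpers are assumptions. Treating a full-table delete as high risk, like a full-table update, is also an assumption.

```python
import re
from datetime import datetime, timedelta

# Default large-query thresholds and new-source window quoted on this page.
SCANNED_ROWS, RETURNED_ROWS, UPDATED_ROWS = 1_000_000, 100_000, 100_000
WINDOW = timedelta(days=7)

# Assumed heuristics: DDL by leading keyword; full-table write = UPDATE/DELETE
# with no WHERE anywhere in the statement (misses WHERE inside subqueries).
DDL = re.compile(r"^\s*(CREATE|ALTER|DROP|RENAME)\b", re.I)
FULL_TABLE = re.compile(r"^\s*(UPDATE|DELETE)\b(?!.*\bWHERE\b)", re.I | re.S)

def audit(records, enabled_at):
    """Return {record index: [(item, risk), ...]} for records with findings."""
    last_seen, results = {}, {}
    for i, r in sorted(enumerate(records), key=lambda p: p[1]["time"]):
        found = []
        if DDL.match(r["sql"]):
            found.append(("High-risk Operation: DDL", "low"))
        if FULL_TABLE.match(r["sql"]):
            found.append(("High-risk Operation: full-table write", "high"))
        if (r["scanned"] >= SCANNED_ROWS or r["returned"] >= RETURNED_ROWS
                or r["updated"] >= UPDATED_ROWS):
            found.append(("High-risk Operation: large query", "medium"))
        prev = last_seen.get(r["source"])
        unseen = prev is None or r["time"] - prev > WINDOW
        # No new-source findings until seven days of history exist.
        if unseen and r["time"] - enabled_at >= WINDOW:
            found.append(("Add access", "medium"))
        last_seen[r["source"]] = r["time"]
        if found:
            results[i] = found
    return results

def rec(day, source, sql, scanned=0, returned=0, updated=0):
    return {"time": datetime(2024, 1, day), "source": source, "sql": sql,
            "scanned": scanned, "returned": returned, "updated": updated}

# Constructed sample records; auditing assumed enabled on 2024-01-01.
SAMPLE = [
    rec(2, "10.0.0.5", "SELECT * FROM orders", scanned=2_000_000, returned=50),
    rec(5, "10.0.0.5", "ALTER TABLE orders ADD COLUMN note TEXT"),
    rec(10, "10.0.0.5", "UPDATE orders SET status = 'closed'", updated=500),
    rec(12, "192.0.2.44", "SELECT id FROM users WHERE id = 7", scanned=1, returned=1),
    rec(25, "10.0.0.5", "DELETE FROM sessions WHERE expired = 1", updated=10),
]

if __name__ == "__main__":
    for i, found in audit(SAMPLE, datetime(2024, 1, 1)).items():
        print(SAMPLE[i]["time"].date(), SAMPLE[i]["source"], found)
```

The first record comes from a source never seen before but raises no new-source finding because it falls inside the initial seven-day baseline; the last record is flagged because its source had been silent for more than seven days.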