Manage database assets

更新时间:
复制 MD 格式

To audit a database, you must first add it to Database Audit. This topic describes how to manage database assets in Database Audit.

Background information

For information about the database types supported by Database Audit, see Supported database types.

Add a database

Follow these steps to add a database instance to Database Audit.

  1. Log on to the Database Audit console. For more information, see Log on to Database Audit.

  2. In the navigation pane, choose assets > asset management.

  3. On the asset management page, click Add.

    Note

    You can also click overview in the navigation pane. On the overview page, click add asset in the asset key metrics section.

  4. In the add asset panel, configure the database parameters and click Save.

    By default, the system is in basic configuration mode, which includes only required parameters. You can click advanced configuration to switch to a mode that includes both required and optional parameters.

    Parameter

    Required

    Description

    Type

    Yes

    Select the type and version of the database that you want to audit. For more information, see Supported database types.

    Instance name

    Yes

    From the drop-down list, select the ID of the RDS instance to audit.

    If you have not yet created the required RDS instance, you can create one in the RDS Management Console. For more information about how to create a database instance, see Quickly create an RDS for MySQL instance, Quickly create an RDS for PostgreSQL instance, Quickly create and use an RDS for SQL Server instance, and Quickly create an RDS for MariaDB instance.

    Note

    This parameter is displayed only when you set Type to RDS.

    Asset group

    Yes

    Select the asset group for the database. The default value is default asset group. To create an asset group, click Manage.

    Name

    Yes

    Specify a name for the database. If you select an RDS instance, the instance name is used by default. You can change the name.

    Operating system

    Yes

    From the drop-down list, select the operating system of the database server. The available operating systems vary by database type.

    Note

    For some asset types, you do not need to configure an operating system. The parameters displayed in the console are the ones that apply.

    Encoding

    No

    From the drop-down list, select the audit data encoding. The following options are available:

    • Auto-detect (default)

    • UTF-8 (AL32UTF8)

    • UTF-16

    • GBK (ZHS16GBK)

    • ASCII

    • ISO-8859-1

    • GB2312

    • GB13000

    • GB18030

    • UCS-2

    • BIG5 (ZHT16BIG5,ZHT32EUC)

    Note

    If you are not sure about the database encoding, you can keep the default value, Auto-detect. If the audited content is incorrect or contains garbled characters, try a different encoding.

    IP address and port

    Yes

    • If you set Type to RDS, Database Audit automatically retrieves the IP address and port. You cannot modify these values.

      Note

      After you add the database, you can modify its IP address and port. For more information, see Edit a database.

    • If you select a database type other than RDS, you must manually enter the IP address and port. Click Add IP and port to add multiple entries.

      Note

      In scenarios such as Oracle Real Application Clusters (RAC) or MySQL read/write splitting, you can add multiple IP addresses and ports to audit the entire cluster.

    Status

    No

    Specifies the audit status for the database. Valid options are:

    • Enabled

    • Disabled

    Traffic direction

    No

    Select bidirectional audit or unidirectional audit.

    • Bidirectional audit: Captures requests, client information, server information, and returned information.

    • Unidirectional audit: Captures requests, client information, and server information.

    Number of rows to save

    No

    If Traffic direction is set to bidirectional audit, this parameter specifies how many rows of returned information to save. The default value is 5. The value can range from 0 to 999. A value of 0 indicates that no returned results are saved.

    Note
    • This parameter is not displayed if Traffic direction is set to unidirectional audit.

    • For some database types, this parameter is not required even if bidirectional audit is selected. The parameters displayed in the console are the ones that apply.

    Maximum save length

    No

    If Traffic direction is set to bidirectional audit, this parameter specifies the maximum length of returned information to save. The value can range from 1 KB to 64 KB. We recommend that you set a reasonable length to ensure the integrity of the saved audit results.

    Note
    • This parameter is not displayed if Traffic direction is set to unidirectional audit.

    • For some database types, this parameter is not required even if bidirectional audit is selected. The parameters displayed in the console are the ones that apply.

    Decryption private key

    No

    Important
    • The encrypted audit feature is available only for non-Alibaba Cloud databases that are supported by the Database Audit service. For more information, see Supported database types.

    • Your certificate must use the RSA algorithm. Otherwise, Database Audit cannot parse the encrypted traffic.

    • Contact your database vendor to obtain a security certificate.

    If the database to be audited uses a certificate, you must upload its certificate or private key file. If your database does not use a certificate, you can skip this parameter.

    You can import the certificate or private key file in one of the following ways:

    • Import a file: Click Import and select the certificate file to upload.

      Certificates must be in PEM format. If your certificate uses a different format, you must convert it first. For more information about certificate format conversion, see How do I convert certificate formats?

    • Paste the content: In the Decryption private key text box, paste the PEM-encoded content of the certificate file.

      You can use a text editor to open the PEM-formatted certificate file, copy its content, and paste it into the text box.

    After you configure the certificate, Database Audit uses it to parse encrypted database traffic and audits the access traffic based on your configured rules.

    Certificate password

    No

    Enter the certificate password.

    If no certificate is configured for the database that you want to audit, or if the configured certificate does not have a password, you do not need to configure this parameter.

    Note

    Database Audit securely stores your certificate password. The password is encrypted and stored in the C100 Database Audit instance and is used only to parse encrypted traffic for the current database.

    Note
    • If you need to add multiple database assets at once, you can select Keep the panel open to continue adding databases at the top of the Add Asset panel. This allows you to add another database after you finish the configuration for the current database and click Save.

    • To enable all built-in rules for the database, select Enable all built-in rules on save at the top of the add asset panel. You can view all built-in rules on the security rules page. To go to this page, choose rule configuration > security rules in the Database Audit console.

    • Unidirectional/Bidirectional Audit Configuration: After you add a database, the system uses Bidirectional Audit by default, and audit results are not saved. You can select unidirectional or bidirectional audit in the Unidirectional/Bidirectional Audit Configuration section. The setting for the number of audit results to save takes effect only if you select bidirectional audit.

    Once added, the database appears on the asset management page and in the asset overview section of the overview page.

After adding the database, you must deploy the Database Audit agent on its server. The agent collects traffic data from the database. For instructions, see Install an agent. You can also configure security rules for the database to trigger alerts for specific audit events. For instructions, see Configure security rules.

Edit a database

If a database asset's configuration changes, you must update it in Database Audit.

  1. Log on to the Database Audit console. For more information, see Log on to Database Audit.

  2. In the navigation pane, choose assets > asset management.

  3. In the Actions column of the target database, click Edit.

  4. In the edit asset panel, modify the database configuration and click Save.

    For parameter descriptions, see Step 4 of the "Add a database" procedure.

Delete a database

If you no longer need to audit a database, you can delete it from Database Audit.

  1. Log on to the Database Audit console. For more information, see Log on to Database Audit.

  2. In the navigation pane, choose assets > asset management.

  3. In the Actions column of the target database, click Delete. In the confirmation dialog box that appears, click OK.