SQL Insight (Database Audit) is a professional, efficient, comprehensive, and real-time database security auditing product independently developed by Tencent Cloud. It records TencentDB activities in real time, performs fine-grained auditing for compliance management of database operations, and raises alarms on risky behavior detected against databases.
TencentDB for MySQL provides SQL Insight (Database Audit) capability, which records database access and SQL statement execution to help enterprises control risks and improve the data security level. It also supports customizing frequent and infrequent access storage types, significantly reducing the feature usage costs.
The feature supports post-event alerting: alarm policies can be configured for high, medium, and low risk level events, and audit logs that trigger a policy send alarm notifications to the bound users. Alarm history, alarm policy management (the alarm switch), and alarm suppression are available in TCOP, helping enterprises obtain relevant alerts promptly and pinpoint the audit logs that triggered them.
Use Cases
Address audit risk
Incomplete audit logs make it difficult to trace and locate security incidents.
Failure to meet the explicit requirements of the National Standard for Classified Protection of Cybersecurity (Level 3).
Failure to meet the requirements specified in industry information security compliance documents.
Address management risks
Misoperations, non-compliant operations, and overstepped operations by technical personnel compromise the secure operation of business systems.
Misoperations, malicious operations, and tampering by third-party development and maintenance personnel.
Super admin permissions are excessive and cannot be audited or monitored.
Address technical pain points
SQL injection against the database system that maliciously retrieves database table information.
A surge in database requests that the slow query log does not explain makes it difficult to locate the issue quickly.
Billing
Billing is based on the storage volume of audit logs using a pay-as-you-go model. Each billing cycle is one hour, and any partial hour consumed is billed as a full hour.
Supported Versions and Architecture
The feature currently supports database kernel versions MySQL 5.6 20180122 and later, MySQL 5.7 20190429 and later, and MySQL 8.0 20210330 and later.
The feature supports two-node, three-node, and cloud disk edition instance architectures, with read-only instances also supported.
Instances of MySQL 5.5, single-node (cloud disk) architecture, read-only analysis engines, and two-node economical editions do not support this feature.
Advantages
Full Audit
Database Audit comprehensively records database access and SQL statement execution, meeting user auditing requirements to the greatest extent and enhancing database security.
Rule audit
Audit rules can be set on attributes such as client IP address, username, and database name, so that database access and SQL statement execution are recorded according to customized audit rules.
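The rule audit described above, together with the risk-level alarm policies, alarm switch, and alarm suppression mentioned in the introduction, can be illustrated with the following added example. It is not Tencent's code and does not use the product's schema: the event field names, the rule set, and the suppression window are assumptions constructed for this example. It evaluates constructed audit events against rules keyed on client IP, username, database name, and statement text, then turns hits into alarms according to a per-risk-level switch and suppresses repeats of the same rule for the same user and client within a window.

```python
"""Added example (not Tencent's code): evaluate constructed audit events against
customizable audit rules and turn hits into risk-level alarms with an alarm switch
and a suppression window."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample audit events; field names are this example's own, not the product's schema.
SAMPLE_EVENTS = [
    {"ts": 100, "client_ip": "10.0.1.15", "user": "app_rw", "db": "orders",
     "sql": "SELECT id FROM orders WHERE id = 42", "ok": True},
    {"ts": 101, "client_ip": "203.0.113.7", "user": "root", "db": "mysql",
     "sql": "SELECT user, authentication_string FROM mysql.user", "ok": True},
    {"ts": 102, "client_ip": "10.0.1.99", "user": "contractor", "db": "orders",
     "sql": "DROP TABLE orders_archive", "ok": True},
    {"ts": 103, "client_ip": "10.0.1.99", "user": "contractor", "db": "orders",
     "sql": "DROP TABLE orders_tmp", "ok": True},
    {"ts": 104, "client_ip": "10.0.1.15", "user": "app_rw", "db": "orders",
     "sql": "SELECT * FROM customers", "ok": False},
    {"ts": 200, "client_ip": "10.0.1.99", "user": "contractor", "db": "orders",
     "sql": "DROP TABLE orders_old", "ok": True},
]


@dataclass(frozen=True)
class AuditRule:
    """One customized rule. Every non-empty attribute must match for the rule to fire."""
    name: str
    risk: str                         # "high", "medium" or "low"
    client_cidrs: tuple = ()          # client IP must fall inside one of these; empty = any
    users: frozenset = frozenset()    # username must be in this set; empty = any
    dbs: frozenset = frozenset()      # database name must be in this set; empty = any
    sql_regex: str = ""               # case-insensitive pattern over the statement text
    failed_only: bool = False         # only match statements whose execution failed

    def matches(self, ev: dict) -> bool:
        if self.client_cidrs:
            ip = ipaddress.ip_address(ev["client_ip"])
            if not any(ip in ipaddress.ip_network(c) for c in self.client_cidrs):
                return False
        if self.users and ev["user"] not in self.users:
            return False
        if self.dbs and ev["db"] not in self.dbs:
            return False
        if self.sql_regex and not re.search(self.sql_regex, ev["sql"], re.IGNORECASE):
            return False
        if self.failed_only and ev["ok"]:
            return False
        return True


# Constructed rule set covering the three attributes named in the text plus a statement filter.
RULES = (
    AuditRule("access from public address range", "high", client_cidrs=("203.0.113.0/24",)),
    AuditRule("root activity on the mysql schema", "high",
              users=frozenset({"root"}), dbs=frozenset({"mysql"})),
    AuditRule("DDL issued by contractor account", "medium",
              users=frozenset({"contractor"}), sql_regex=r"^\s*(DROP|ALTER|TRUNCATE)\b"),
    AuditRule("failed statement", "low", failed_only=True),
)

# Alarm switch per risk level: a matched rule whose level is switched off is logged but not alarmed.
ALARM_POLICY = {"high": True, "medium": True, "low": False}


def evaluate(events, rules=RULES, policy=ALARM_POLICY, suppress_window=60):
    """Return (alarms, suppressed, logged_only); each entry is (ts, rule, risk, user, client_ip).

    Suppression: a repeat of the same rule for the same user and client IP within
    suppress_window seconds of the last alarm is recorded as suppressed, not re-alarmed.
    """
    alarms, suppressed, logged_only = [], [], []
    last_alarm = {}  # (rule name, user, client_ip) -> ts of the last alarm sent
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            if not rule.matches(ev):
                continue
            hit = (ev["ts"], rule.name, rule.risk, ev["user"], ev["client_ip"])
            if not policy.get(rule.risk, False):
                logged_only.append(hit)
                continue
            key = (rule.name, ev["user"], ev["client_ip"])
            if key in last_alarm and ev["ts"] - last_alarm[key] < suppress_window:
                suppressed.append(hit)
                continue
            last_alarm[key] = ev["ts"]
            alarms.append(hit)
    return alarms, suppressed, logged_only


if __name__ == "__main__":
    sent, held, logged = evaluate(SAMPLE_EVENTS)
    for hit in sent:
        print("ALARM", hit)
    print(f"{len(held)} suppressed, {len(logged)} logged without alarm")
```

Running it on the constructed events produces four alarms (two for the root session from the public range at ts 101, one for the first contractor DROP, and one for the DROP at ts 200 that falls outside the window), one suppressed repeat at ts 103, and one low-risk hit that is logged but not alarmed because its level is switched off. The low-risk hit is still kept, which is the point of separating the audit record from the alarm decision: switching an alarm off must never drop the underlying log entry.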
Efficient Audit
Unlike bypass (out-of-band) audit modes, TencentDB records operations through database kernel plugins, which gives more accurate auditing.
Long-Term Retention
Logs can be retained long-term according to business needs to meet compliance requirements.
Architectural Features
The service adopts a multi-point deployment architecture to ensure availability, records logs as a stream to prevent tampering, and uses multi-replica storage to guarantee data reliability.
Data Security
Data Collection Integrity
SQL Insight (Database Audit) for TencentDB for MySQL is implemented as a MySQL kernel plugin, making auditing a native and mandatory step in MySQL's SQL statement execution process. Each SQL statement goes through a complete lifecycle: connection, parsing, analysis, rewriting, optimization, execution, result return, auditing, and connection release. When SQL Insight (Database Audit) is enabled and a client is connected to a TencentDB for MySQL server, every SQL statement is audited as it executes. Therefore, if auditing fails, the SQL statement execution fails; conversely, if an SQL statement executes successfully, it is always audited. Failed SQL executions are also recorded along with their failure reasons, and all login attempts, successful or not, are logged. The SQL request's connection is released only after auditing completes, which ensures the integrity of audit data collection.
Data Collection Reliability
SQL Insight (Database Audit) for TencentDB for MySQL captures data synchronously at MySQL's own execution layer, rather than through bypass asynchronous capture. This ensures that audited SQL statements are synchronized in real time and consistent with those executed by TencentDB for MySQL, preventing data capture errors and guaranteeing the reliability of audit data collection.
Data Tamper-Proofing
The audit control system incorporates behavior monitoring mechanisms. When vulnerabilities are exploited for attacks, vulnerability scanning captures relevant session information in real time and triggers alarms to monitor intrusion behaviors. When audit data is accessed, all operations are fully recorded in access logs, identifying which users accessed data from which source IP addresses at what time to promptly detect high-risk access operations. For operators, permission control is implemented through account and role authentication, granting different read/write permissions to personnel with different roles to prevent account sharing. When high-risk operations occur, real-time tamper alarms are triggered to promptly detect, trace, analyze, and block such activities.
Data Transmission Integrity
After audit data is collected, it passes through steps at the transmission link layer such as CRC (Cyclic Redundancy Check) verification, globally unique message IDs, redundant MQ links, and Flink stream processing, and is verified from multiple dimensions to ensure its integrity in transit.
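The two transmission checks named above, a CRC over each record and a globally unique message ID, can be shown in the following added example. It is not Tencent's code and says nothing about how the product's link layer is actually built: the message layout, the use of CRC32 and UUIDv4, the sample records, and the simulated redundant delivery are all assumptions constructed for this example. The producer side serializes a record canonically and attaches an ID and a CRC; the consumer side rejects copies whose CRC no longer matches and discards repeat deliveries of an ID it has already accepted, which is what makes delivery over redundant links safe.

```python
"""Added example (not Tencent's code): wrap audit records for transmission with a CRC32
and a globally unique message ID, then verify and de-duplicate them on the receiving side
to simulate delivery over redundant links."""
import json
import uuid
import zlib


def make_message(record: dict) -> dict:
    """Serialize one audit record canonically and attach a unique ID and a CRC32 over the bytes."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return {"msg_id": str(uuid.uuid4()), "body": body, "crc32": zlib.crc32(body.encode("utf-8"))}


class Receiver:
    """Consumer side of the link: drop corrupted messages, drop duplicates, keep one copy of each record."""

    def __init__(self):
        self.seen_ids = set()
        self.accepted = []
        self.corrupt = 0
        self.duplicates = 0

    def consume(self, msg: dict) -> str:
        # Check the CRC first so that a damaged copy is never treated as a valid delivery.
        if zlib.crc32(msg["body"].encode("utf-8")) != msg["crc32"]:
            self.corrupt += 1
            return "corrupt"
        # Redundant MQ links may deliver the same message more than once; the ID makes that harmless.
        if msg["msg_id"] in self.seen_ids:
            self.duplicates += 1
            return "duplicate"
        self.seen_ids.add(msg["msg_id"])
        self.accepted.append(json.loads(msg["body"]))
        return "accepted"


# Constructed audit records (field names are this example's own, not the product's schema).
SAMPLE_RECORDS = [
    {"ts": 100, "client_ip": "10.0.1.15", "user": "app_rw", "sql": "SELECT 1"},
    {"ts": 101, "client_ip": "203.0.113.7", "user": "root", "sql": "SHOW GRANTS"},
    {"ts": 102, "client_ip": "10.0.1.99", "user": "contractor", "sql": "DROP TABLE t"},
]


def simulate(records=SAMPLE_RECORDS):
    """Deliver every message twice (two redundant links) plus one copy damaged in transit."""
    messages = [make_message(r) for r in records]
    delivered = messages + messages
    damaged = dict(messages[1])
    # Stand-in for corruption on the wire: the body changes but the attached CRC does not.
    damaged["body"] = damaged["body"].replace('"user":"root"', '"user":"app_rw"')
    delivered.append(damaged)
    rx = Receiver()
    outcomes = [rx.consume(m) for m in delivered]
    return rx, outcomes


if __name__ == "__main__":
    rx, outcomes = simulate()
    print(outcomes)
    print(f"accepted={len(rx.accepted)} duplicates={rx.duplicates} corrupt={rx.corrupt}")
```

On the constructed input the receiver accepts the three records once each, drops the three redundant copies, and rejects the damaged one. Two design points carry over to any real pipeline: the ID must be minted once at the producer so that every redundant path carries the same ID, and a CRC only detects accidental corruption, so protection against deliberate modification has to come from the stream recording, access control, and storage-side controls the page describes elsewhere.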
Data Storage Integrity
At the data storage end, the SQL Insight (Database Audit) system encrypts audit log files to ensure data security. Only users with decryption access rights can view audit logs, effectively preventing internal data leaks caused by plaintext storage and data theft by privileged users. This prevents audit data leakage at the source and ensures data storage integrity.