GaussDB(DWS)审计日志介绍和使用示例
数据库安全对数据库系统来说至关重要。GaussDB(DWS)将用户对数据库的所有操作写入审计日志。数据库安全管理员可以利用这些日志信息,重现导致数据库现状的一系列事件,找出非法操作的用户、时间和内容等。设置数据库审计可参考产品文档中设置数据库审计日志章节。建议用户在使用时合理配置审计项,对于一些数据敏感的业务和场景,强烈建议打开对表的DDL和DML审计。
说明:本帖中涉及的数据和用户信息均为测试环境信息。
1. 审计日志保存和转储
目前,常用的审计日志保存方式为记录到表中和记录到OS文件中两种方式。但是表是数据库对象,如果采用记录到表中的方式,容易出现用户非法操作审计表的情况,审计记录的准确性难以保证,因此,从数据库安全角度出发,GaussDB(DWS)采用记录到OS文件的方式来保存审计结果,保证了审计结果的可靠性。
由于审计日志会占用一定磁盘空间,为了防止本地文件过大,GaussDB(DWS)支持审计日志转储,具体方法可参考转储数据库审计日志章节。
审计日志有两种保存策略,由参数audit_resource_policy控制:
● on表示采用空间优先策略,最多存储audit_space_limit大小的日志。
● off表示采用时间优先策略,最少存储audit_file_remain_time长度时间的日志。
2. 审计日志查看
首先要确保当前审计总开关audit_enabled和对应的审计项开关均已开启(表的DML操作审计由audit_dml_state控制,默认关闭,如需查看表上的dml操作,需提前打开该开关,同时,建议审计日志保留策略audit_resource_policy设置为on)。
只有拥有AUDITADMIN属性的用户才可以查看审计记录,审计日志需通过数据库接口pg_query_audit和pgxc_query_audit查看。pg_query_audit可以查看当前CN的审计日志,pgxc_query_audit可以查看所有CN的审计日志,使用时一般用pgxc_query_audit接口查看审计。二者函数原型为:
pg_query_audit(timestamptz startime,timestamptz endtime, audit_log)
pgxc_query_audit(timestamptz startime,timestamptz endtime)
其中,startime和endtime表示查看审计记录的开始时间和结束时间,满足审计条件的记录为startime ≤ 审计记录时间 < endtime;audit_log表示所查看的审计日志信息所在的物理文件路径,当不指定audit_log时,默认查看连接当前实例的审计日志信息。
函数返回的字段如下:
用户可以根据type类型或object_name对审计结果进行过滤,根据需要查看。
常见的审计操作类型为:
unknown
login_success
login_failed
user_logout
system_start
system_stop
system_recover
system_switch
lock_user
unlock_user
grant_role
revoke_role
user_violation
ddl_database
ddl_directory
ddl_tablespace
ddl_schema
ddl_user
ddl_table
ddl_index
ddl_view
ddl_trigger
ddl_function
ddl_resourcepool
ddl_workload
ddl_serverforhadoop
ddl_datasource
ddl_nodegroup
ddl_rowlevelsecurity
ddl_synonym
ddl_type
ddl_textsearch
dml_action
dml_action_select
internal_event
function_exec
copy_to
copy_from
set_parameter
3. 审计日志使用示例
示例1:用户被锁,报错:FATAL: The account has been locked,如何查看用户被锁的原因:
postgres=# select * from pgxc_query_audit('20201230 18:00:00',current_timestamp) where type = 'login_failed';
time | type | result | username | database | client_conninfo | object_name | detail_info | node_name | thread_id | local_port | remote_port
------------------------+--------------+--------+----------+----------+--------------------------+-------------+---------------------------------------------------------------+--------------+---------------------------------+------------+-------------
2020-12-30 18:59:07+08 | login_failed | failed | doubi | postgres | [unknown]@10.144.118.217 | postgres | login db(postgres)failed,authentication for user(doubi)failed | coordinator1 | 140508124395264@662641147918967 | 32000 | 49687
2020-12-30 18:59:11+08 | login_failed | failed | doubi | postgres | [unknown]@10.144.118.217 | postgres | login db(postgres)failed,authentication for user(doubi)failed | coordinator1 | 140508124395264@662641151174956 | 32000 | 49689
2020-12-30 18:59:13+08 | login_failed | failed | doubi | postgres | [unknown]@10.144.118.217 | postgres | login db(postgres)failed,authentication for user(doubi)failed | coordinator1 | 140508124395264@662641153871953 | 32000 | 49691
2020-12-30 18:59:16+08 | login_failed | failed | doubi | postgres | [unknown]@10.144.118.217 | postgres | login db(postgres)failed,authentication for user(doubi)failed | coordinator1 | 140508124395264@662641156887905 | 32000 | 49692
2020-12-30 18:59:20+08 | login_failed | failed | doubi | postgres | [unknown]@10.144.118.217 | postgres | login db(postgres)failed,authentication for user(doubi)failed | coordinator1 | 140508124395264@662641160061866 | 32000 | 49696
2020-12-30 18:59:23+08 | login_failed | failed | doubi | postgres | [unknown]@10.144.118.217 | postgres | login db(postgres)failed,authentication for user(doubi)failed | coordinator1 | 140508124395264@662641163187840 | 32000 | 49698
2020-12-30 18:59:25+08 | login_failed | failed | doubi | postgres | [unknown]@10.144.118.217 | postgres | login db(postgres)failed,authentication for user(doubi)failed | coordinator1 | 140508124395264@662641165671562 | 32000 | 49699
2020-12-30 18:59:28+08 | login_failed | failed | doubi | postgres | [unknown]@10.144.118.217 | postgres | login db(postgres)failed,authentication for user(doubi)failed | coordinator1 | 140508124395264@662641168137151 | 32000 | 49700
2020-12-30 18:59:31+08 | login_failed | failed | doubi | postgres | [unknown]@10.144.118.217 | postgres | login db(postgres)failed,authentication for user(doubi)failed | coordinator1 | 140508124395264@662641171124971 | 32000 | 49702
2020-12-30 18:59:33+08 | login_failed | failed | doubi | postgres | [unknown]@10.144.118.217 | postgres | login db(postgres)failed,authentication for user(doubi)failed | coordinator1 | 140508124395264@662641173650325 | 32000 | 49858
2020-12-30 18:59:36+08 | login_failed | failed | doubi | postgres | [unknown]@10.144.118.217 | postgres | login db(postgres)failed,the account(doubi)has been locked | coordinator1 | 140508124395264@662641176080044 | 32000 | 51402
(11 rows)
根据审计结果可以看到,IP为10.144.118.217的用户连续输入密码错误超过10次,导致doubi账户被锁。
示例2:某张表数据为空,通过审计日志查看在该表上的操作(前提:已打开表的DML和DDL审计):
postgres=# select * from pgxc_query_audit('20201230 19:15:00',current_timestamp) where object_name = 't1';
time | type | result | username | database | client_conninfo | object_name | detail_info | node_name | thread_id | local_port | remote_port
------------------------+------------+--------+----------+----------+----------------------------+-------------+-------------------------------------------------+--------------+---------------------------------+------------+-------------
2020-12-30 19:16:40+08 | dml_action | ok | dbadmin | postgres | Data Studio@10.144.118.217 | t1 | insert into t1 values (1,2) | coordinator1 | 140722584413952@662642200541821 | 32000 | 50437
2020-12-30 19:17:01+08 | dml_action | ok | dbadmin | postgres | Data Studio@10.144.118.217 | t1 | insert into t1 values (generate_series(1,10),2) | coordinator1 | 140722584413952@662642200541821 | 32000 | 50437
2020-12-30 19:17:11+08 | dml_action | ok | dbadmin | postgres | Data Studio@10.144.118.217 | t1 | delete from t1 | coordinator1 | 140722584413952@662642200541821 | 32000 | 50437
(3 rows)
通过审计日志可以看到,19:17:01 时刻,IP为10.144.118.217的用户通过Data Studio客户端向t1表中插入了数据,19:17:11 时该用户又对该表执行了delete操作导致数据为空。
- 点赞
- 收藏
- 关注作者
评论(0)