Enable security audit

2025-01-02 01:58:40  Updated

This topic describes how to audit specific events by using a series of filters.

Applicability

This topic applies only to OceanBase Database Enterprise Edition. OceanBase Database Community Edition does not support security audit.

Audit scope

A filter can filter events by account, event type, and event attribute, and determine whether to audit the events that meet the filter conditions.

Limitations and considerations

  • An expression must be placed directly and uniquely in an output column of a SELECT statement without being limited by a parent expression. The output column is an item specified in the SELECT statement.
  • You cannot write expressions in subqueries.
  • After you define a filter, you must configure it for a user to make it take effect.
  • One filter corresponds to multiple users. You can configure one filter for multiple users, but one user can have only one filter.
  • You must specify an audit filter for a session when you create it. The audit filter applies to the session throughout its lifecycle.

Create filters

You can create a filter to enable the audit mode for a MySQL tenant. The filter can filter audit events by event type. At present, you can create three types of filters to specify to record all events, record none of the events, and record only logins and logouts.

Syntax

You can use the AUDIT_LOG_FILTER_SET_FILTER function to create a filter. The syntax is as follows:

AUDIT_LOG_FILTER_SET_FILTER('filter_name', 'definition_of_filters');

The following table describes the fields in the syntax.

Field Description
filter_name The name of the filter.

Note

The AUDIT_LOG_FILTER_SET_FILTER function adopts the CREATE OR REPLACE semantics. It overwrites an existing object when you perform a DDL operation on the object.
definition_of_filters The definition of the audit filter, which is expressed in the JSON format. The filter design principle in the current version is compatible with that of MySQL. However, a filter can filter audit events only by event type.

At present, you can create three types of filters:

  • A filter to specify to record all events

    {
"filter": {
    "log": true
}
}

    or

    {
"filter": {
    "log": true,
    "class": [
    { "name": "connection" },
    { "name": "general" },
    { "name": "table_access" }
    ]
}
}

  • A filter to specify to record none of the events

    {
"filter": {
    "log": false
}
}

  • A filter to specify to record only logins and logouts

     {
"filter": {
    "log": true,
    "class": [
    { "name": "connection" }
    ]
}
}

The following table describes the types of audit events.

Event type Description
connection A login/logout.
table_access Execution of a DML statement.
general A parser error of a CMD command.

Examples

Create a filter named log_all to specify to record all events.

obclient [test]>SELECT AUDIT_LOG_FILTER_SET_FILTER('log_all', '{ "filter": { "log": true } }');

  • If the DDL operation is successful, the expression returns OK.

    +-------------------------------------------------------------------------+
| AUDIT_LOG_FILTER_SET_FILTER('log_all', '{ "filter": { "log": true } }') |
+-------------------------------------------------------------------------+
| OK                                                                      |
+-------------------------------------------------------------------------+
1 row in set

  • If the DDL operation fails, the SELECT statement is still successfully executed, and the expression outputs an error message.

    obclient [test]>SELECT AUDIT_LOG_FILTER_SET_FILTER('log_err', '1');

    The return result is as follows:

    +---------------------------------------------+
| AUDIT_LOG_FILTER_SET_FILTER('log_err', '1') |
+---------------------------------------------+
| ERROR: JSON parsing error.                  |
+---------------------------------------------+
1 row in set

You can query the mysql.audit_log_filter view for the definitions of audit filters.

obclient [test]> select * from mysql.audit_log_filter;

The return result is as follows:

+---------+-------------------------------+
| NAME    | FILTER                        |
+---------+-------------------------------+
| log_all | { "filter": { "log": true } } |
+---------+-------------------------------+
1 row in set (0.003 sec)

The following table describes the fields in the syntax.

Field Description
NAME The name of the filter.
FILTER The definition of the filter.

Configure filters

You must configure a filter for a user before the background thread can generate audit logs.

Syntax

You can use the AUDIT_LOG_FILTER_SET_USER function to configure a filter for a user.

AUDIT_LOG_FILTER_SET_USER('user_name', 'filter_name');

The following table describes the fields in the syntax.

Field Description
user_name The username.

Note

The value of user@host specified in the AUDIT_LOG_FILTER_SET_USER function is not necessarily the name of an existing user. It can be a wildcard character or the name of a user that does not exist. It a user that does not exist is specified, it will be used in login audit. Take note of the following limitations when specifying user_name:

  • You can use a wildcard character, namely %, to replace only the entire user_name field.
  • You cannot specify the host field, or use a wildcard character to replace only a part of the user_name field, for example, test_%. If host is specified or a value like test_% is used for user_name, the filter cannot be created.
filter_name The name of the filter.

Note

The AUDIT_LOG_FILTER_SET_USER function adopts the CREATE OR REPLACE semantics. It overwrites an existing object when you perform a DDL operation on the object. If the filter specified by filter_name does not exist, the DDL operation neither takes effect nor returns an error.

Examples

Configure the log_all filter for the user001 user.

obclient [test]> SELECT AUDIT_LOG_FILTER_SET_USER('user001', 'log_all');

  • If the DDL operation is successful, the expression returns OK.

    +-------------------------------------------------+
| AUDIT_LOG_FILTER_SET_USER('user001', 'log_all') |
+-------------------------------------------------+
| OK                                              |
+-------------------------------------------------+
1 row in set

  • If the DDL operation fails, the SELECT statement is still successfully executed, and the expression outputs an error message.

    obclient [test]>SELECT AUDIT_LOG_FILTER_SET_USER('log_err', '1');

    The return result is as follows:

    +--------------------------------------------+
| AUDIT_LOG_FILTER_SET_USER('log_err', '1')  |
+--------------------------------------------+
| ERROR: Invalid character in the user name. |
+--------------------------------------------+
1 row in set (0.001 sec)

You can query the mysql.audit_log_user view for the mappings between audit filters and users.

obclient [test]> select * from mysql.audit_log_user;

The return result is as follows:

+---------+------+------------+
| USER    | HOST | FILTERNAME |
+---------+------+------------+
| user001 | %    | log_all    |
+---------+------+------------+
1 row in set (0.003 sec)

The following table describes the fields in the syntax.

Field Description
USER The username.
HOST The name of the host.
FILTERNAME The name of the filter.

Enable security audit

You can use the audit_log_enable parameter to specify whether to enable security audit in a MySQL tenant.

obclient> ALTER SYSTEM SET audit_log_enable=TRUE;
Last
Next

OceanBaseOceanBase

OceanBase, A Highly Scalable Database for Transactional, Analytical, and AI Workloads.

Company

About OceanBaseContact UsPartner

Product

OceanBase CloudOceanBase EnterpriseQuick StartDownloadPricing

Resources

DocsBlogWhite PaperTrust Center

Follow us

LinkedInLinkedInDiscordDiscordTwitterTwitterYoutubeYoutubeForumForumGitHubGitHubStack OverflowStack Overflow

© OceanBase 2024. All rights reserved | Cloud Service Agreement | Privacy Policy | Legal | Security

Contact Us