Enable SQL Auditing for SQL Server Database Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (Not acceptable risk)
Rule ID: AlibabaCloud-RDS-005

Ensure that SQL auditing is enabled for SQL Server RDS database instances in order to help you identify security vulnerabilities and performance challenges in your databases through the collection and analysis of raw SQL logs.

Performance efficiency
Operational excellence

SQL auditing monitors database events for SQL Server instances and records them in an audit log within your Alibaba Cloud account. This process supports the adherence to regulatory standards, facilitates comprehension of database operations, and provides a means to detect irregularities and anomalies that may signify business issues or potential security breaches.

Audit

To determine if SQL auditing is enabled for your SQL Server database instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Select the cloud region where your RDS instances reside from the top navigation bar:

  1. For the following cloud regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hohhot), China (Chengdu), China (Guangzhou), China (Heyuan), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta), SQL auditing is managed by the SQL Explorer and Audit feature. SQL Explorer and Audit is an upgrade to SQL Explorer and requires the DAS Enterprise Edition for Database Autonomy Service (DAS). These regions will be referred to as DAS supported regions.
  2. For all regions other than the preceding regions, SQL auditing is managed by the SQL Explorer feature (formerly SQL Audit). These regions will be referred to as DAS unsupported regions.

05 Click on the filter icon in the Database Engine column, select SQL Server, and choose OK to list only the SQL Server database instances available in the selected region.

06 Click on the ID (link) of the database instance that you want to examine, listed in the Instance ID/Name column.

07 Based on the cloud region used by your RDS database instance, perform one of the following actions:

  1. For DAS supported regions: choose SQL Explorer and Audit under Autonomy Services, and check for the SQL Explorer and Audit dashboard. If the dashboard is not available and a Getting Started page with an Enable button is displayed instead, SQL auditing with the SQL Explorer and Audit feature is not enabled for the selected SQL Server database instance.
  2. For DAS unsupported regions: choose Data Security, select the SQL Audit tab, and check for the SQL Explorer dashboard. If the dashboard is not available and the message "SQL audit is disabled. You must enable the feature" is displayed instead, SQL auditing with SQL Explorer is not enabled for the selected SQL Server database instance.

08 Repeat steps no. 6 and 7 for each SQL Server database instance available in the selected region.

09 Change the cloud region from the top navigation bar and perform the Audit process for other regions.

Using Alibaba Cloud CLI

01 Run DescribeDBInstances command (OSX/Linux/UNIX) with custom output filters to list the ID of each SQL Server database instance available within the specified region:

aliyun rds DescribeDBInstances \
  --RegionId 'eu-west-1' \
  --Engine SQLServer \
  --output cols=Items.DBInstance[].DBInstanceId

02 The command output should return a list with the requested RDS instance identifiers:

Items.DBInstance[].DBInstanceId
-------------------------------
[rm-1234abcd1234abcda]
[rm-abcd1234abcd1234a]

03 Run DescribeSQLCollectorPolicy command (OSX/Linux/UNIX) with the ID of the SQL Server database instance that you want to examine as the --DBInstanceId parameter value, to determine if SQL auditing is enabled for the selected RDS instance:

aliyun rds DescribeSQLCollectorPolicy \
  --DBInstanceId 'rm-1234abcd1234abcda' \
  --output cols=SQLCollectorStatus

04 The command output should return the requested feature status:

SQLCollectorStatus
------------------
Disabled

If the "SQLCollectorStatus" attribute value is set to Disabled, as shown in the example above, SQL auditing is not enabled for the selected SQL Server database instance.

05 Repeat steps no. 3 and 4 for each SQL Server database instance available within the selected region.

06 Change the cloud region using the --RegionId parameter and perform the Audit process for other regions.

Remediation / Resolution

To enable SQL auditing for your SQL Server RDS database instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Select the cloud region where your RDS instances reside from the top navigation bar:

  1. For the following cloud regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hohhot), China (Chengdu), China (Guangzhou), China (Heyuan), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta), SQL auditing is managed by the SQL Explorer and Audit feature. SQL Explorer and Audit is an upgrade to SQL Explorer and requires the DAS Enterprise Edition for Database Autonomy Service (DAS). These regions will be referred to as DAS supported regions.
  2. For all regions other than the preceding regions, SQL auditing is managed by the SQL Explorer feature (formerly SQL Audit). These regions will be referred to as DAS unsupported regions.

05 Click on the filter icon in the Database Engine column, select SQL Server, and choose OK to list only the SQL Server database instances available in the selected region.

06 Click on the ID (link) of the database instance that you want to configure, listed in the Instance ID/Name column.

07 Based on the cloud region used by the selected RDS database instance, perform one of the following actions:

  1. For DAS supported regions: select SQL Explorer and Audit under Autonomy Services and choose Enable from the SQL Explorer and Audit section to enable SQL auditing with SQL Explorer and Audit for the selected SQL Server database instance. On the DAS Professional Edition page, select Professional Edition, choose Buy Now, select I have read and agree to DAS Professional Edition Agreement of Service, and choose Pay to complete the upgrade process. You can also upgrade to DAS Enterprise Edition using the Database Autonomy Service (DAS) console at https://hdm.console.aliyun.com/.
  2. For DAS unsupported regions: choose Data Security, select the SQL Audit tab, and choose Enable SQL Auditing. Select OK to enable SQL auditing with SQL Explorer for the selected SQL Server database instance.

08 Repeat steps no. 6 and 7 for each SQL Server database instance provisioned in the selected region.

09 Change the cloud region from the top navigation bar and perform the Remediation process for other regions.

Using Alibaba Cloud CLI

01 Run ModifySQLCollectorPolicy command (OSX/Linux/UNIX) to enable SQL auditing for the selected SQL Server database instance. SQL auditing requires the DAS Enterprise Edition for Database Autonomy Service (DAS). To use the ModifySQLCollectorPolicy command, you must first upgrade to DAS Enterprise Edition:

aliyun rds ModifySQLCollectorPolicy \
  --DBInstanceId 'rm-1234abcd1234abcda' \
  --SQLCollectorStatus Enable

02 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

03 Repeat steps no. 1 and 2 for each SQL Server database instance provisioned within the selected region.

04 Perform the Remediation process for other supported Alibaba Cloud regions.
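The remediation steps above issue ModifySQLCollectorPolicy once per instance. The script below is an added example, not Conformity's or Alibaba Cloud's own tooling, that makes the change idempotent and verifiable: it reads the current status first, only calls ModifySQLCollectorPolicy for instances that are not already enabled, and reads the status back afterwards so the exit code reflects the real end state rather than just the API acknowledgement. It assumes the aliyun CLI is authenticated, that DAS Enterprise Edition is already active for the target instances (the page states the command requires it), the `--output cols=SQLCollectorStatus` table layout from the audit steps, and the one-line JSON reply shown in step 02; the sample reply embedded in the script is constructed from that step. A DRY_RUN=1 environment variable prints the intended changes without applying them.

```shell
#!/bin/sh
# Added example, not Conformity's or Alibaba Cloud's own tooling: enables SQL auditing
# on the instance IDs passed on the command line, skips instances that already report
# an enabled status, and re-reads the status afterwards to confirm the change took.
# Assumes the DescribeSQLCollectorPolicy table format from the audit steps and the
# JSON reply from step 02 above; DAS Enterprise Edition must already be active.
set -eu

# Constructed sample reply, in the format shown in step 02, for offline checks.
SAMPLE_REPLY='{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}'

# Value row of `--output cols=SQLCollectorStatus` (header, dashed rule, value).
parse_collector_status() {
  sed -n '3p' | tr -d '[:space:]'
}

# Pull RequestId out of the one-line JSON reply without depending on jq.
parse_request_id() {
  sed -n 's/.*"RequestId":"\([^"]*\)".*/\1/p'
}

# Only Enable/Enabled (the API's on state) counts as compliant; anything else
# (Disabled, empty, unexpected) needs remediation.
needs_enable() {
  case "$1" in
    Enable|Enabled) return 1 ;;
    *) return 0 ;;
  esac
}

current_status() {  # $1 = instance ID
  aliyun rds DescribeSQLCollectorPolicy --DBInstanceId "$1" \
    --output cols=SQLCollectorStatus | parse_collector_status
}

DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the intended change without applying it

# Idempotent enable: check, change only if needed, then verify. Returns 0 when the
# instance ends up (or already was) enabled.
enable_sql_audit() {  # $1 = instance ID
  before=$(current_status "$1")
  if ! needs_enable "$before"; then
    printf '%s: already %s, skipping\n' "$1" "$before"
    return 0
  fi
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s: would enable SQL auditing (currently %s)\n' "$1" "${before:-unknown}"
    return 0
  fi
  req=$(aliyun rds ModifySQLCollectorPolicy --DBInstanceId "$1" \
    --SQLCollectorStatus Enable | parse_request_id)
  after=$(current_status "$1")
  printf '%s: %s -> %s (RequestId %s)\n' "$1" "${before:-unknown}" "${after:-unknown}" "${req:-unknown}"
  ! needs_enable "$after"
}

# Apply to every ID given; exit status is non-zero if any instance is still not enabled.
remediate_all() {
  rc=0
  for id in "$@"; do
    enable_sql_audit "$id" || rc=1
  done
  return "$rc"
}

# Usage: DRY_RUN=1 sh enable_sql_collector.sh rm-1234abcd1234abcda rm-abcd1234abcd1234a
#        sh enable_sql_collector.sh rm-1234abcd1234abcda
if [ "$#" -gt 0 ]; then
  remediate_all "$@"
fi
```

Feed it the instance IDs flagged by the audit (one region at a time, since the CLI profile's region applies). Because of `set -e`, a failed ModifySQLCollectorPolicy call, which is what happens when DAS Enterprise Edition has not been purchased for the instance, stops the script with the CLI's error rather than reporting a false success; the read-back after the change catches the other failure mode, an acknowledged request whose status has not actually flipped.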

Publication date May 15, 2024