按规则过滤
<p class="shortdesc">数据库审计服务支持用户按照特定的条件自定义过滤规则,规则包括客户端信息、服务端信息、SQL请求和SQL结果等条件。在资产上启用了过滤规则后,符合规则的内容将不再被审计。</p>
<section class="section prereq" id="filterbyrule__prereq_nhz_b42_psb"><div class="tasklabel"><h2 class="doc-tairway">前提条件</h2></div>
<p class="p">您已创建数据库审计实例。</p>
<p class="p">您已添加资产。</p>
</section>
<section><div class="tasklabel"><h2 class="doc-tairway">操作步骤</h2></div><ol class="ol steps"><li class="li step stepexpand">
<span class="ph cmd">登录<a class="xref" href="https://www.ocftcloud.com/console/db-audit" target="_blank" rel="external noopener">数据库审计控制台</a>,进入<span class="keyword wintitle">实例列表</span>页面。</span>
</li><li class="li step stepexpand">
<span class="ph cmd">单击目标实例<span class="ph uicontrol">操作</span>列的<span class="ph uicontrol">管理</span>,进入数据库审计控制台。</span>
<div class="itemgroup info">
<img class="image" id="filterbyrule__d23e47" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222103110011-12277d5f94d4.png" width="700">
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">在菜单栏选择<span class="ph menucascade"><span class="ph uicontrol">规则配置</span><abbr> > </abbr><span class="ph uicontrol">过滤规则</span></span>,进入<span class="keyword wintitle">过滤规则</span>页面,选择<span class="keyword wintitle">按规则过滤</span>页签。</span>
</li><li class="li step stepexpand">
<span class="ph cmd">单击<img class="image" id="filterbyrule__image_x2f_sf2_psb" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222103110011-1c51d629952d.png" width="20">图标,选择新增规则进入新增规则页面,根据以下信息新增规则。</span>
<div class="itemgroup info">
<img class="image" id="filterbyrule__image_wqt_jl2_psb" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222103110011-1219e45f9a36.png" width="700">
<table class="table" id="filterbyrule__table_ckm_wf2_psb"><caption></caption><colgroup><col style="width:22.727272727272727%"><col style="width:22.727272727272727%"><col style="width:54.54545454545454%"></colgroup><thead class="thead">
<tr class="row">
<th class="entry" id="filterbyrule__table_ckm_wf2_psb__entry__1">
<p class="p">项目</p>
</th>
<th class="entry" id="filterbyrule__table_ckm_wf2_psb__entry__2">
<p class="p">配置项</p>
</th>
<th class="entry" id="filterbyrule__table_ckm_wf2_psb__entry__3">
<p class="p">说明</p>
</th>
</tr>
</thead><tbody class="tbody">
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__1 " rowspan="5">
<p class="p">基本信息</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">名称</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">规则名称,长度为1-64字符,只能包含中文、字母、数字、下划线“_”、点“.”或短横“-”。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">描述</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">规则描述。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">等级</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">规则危险等级,默认为高风险。匹配该规则将会触发产生对应等级的告警。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">上级目录</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">规则所属的组,可选择自定义的规则组,也可以选择系统预定义的<span class="ph uicontrol">缺省规则组</span>。</p>
<div class="p">
<div class="note note note_note" id="filterbyrule__note_lbc_jg2_psb"><span class="note__title">说明:</span> 您可以在<span class="keyword wintitle">规则管理</span>页签,单击<img class="image" id="filterbyrule__image_fs5_kg2_psb" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222103110011-1c51d629952d.png" width="20">图标,选择<span class="ph uicontrol">新增目录</span>进入<span class="keyword wintitle">新增目录</span>页面新增目录。</div>
</div>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">规则类型</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">包括普通规则和统计规则:</p>
<ul class="ul" id="filterbyrule__ul_ekm_wf2_psb">
<li class="li"><strong class="ph b">普通规则</strong>:单条审计记录匹配普通规则,会触发普通告警。例如一条select语句,会触发一条普通告警。</li>
<li class="li"><strong class="ph b">统计规则</strong>:指定时间内多次匹配统计规则,会触发一条统计告警。例如,5分钟内10次select失败,会触发一条统计告警。</li>
</ul>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__1 " rowspan="8">
<p class="p">客户端</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">客户端来源</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">访问业务类型的客户端IP或IP组。可填写多个IP地址,以英文逗号“,”分隔。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">客户端工具</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">可配多个客户端工具,以英文逗号“,”分隔,例如“db2bp.exe,java.exe”。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">客户端端口</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">可配置多个端口号或端口号区间,以英文逗号“,”分隔,例如“10-15,20,25,30-40”。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">客户端MAC地址</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">可配置多个MAC地址,以英文逗号“,”分隔。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">操作系统用户</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">可填多个用户,以英文逗号“,”分隔。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">主机名</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">可填多个主机名,以英文逗号“,”分隔。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">应用IP</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">应用IP或IP组,可填多个IP或IP组,以英文逗号“,”分隔。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">应用用户名</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">应用用户或用户组,可填多个用户或用户组,以英文逗号“,”分隔。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__1 " rowspan="5">
<p class="p">服务端</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">服务端IP</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">可填多个IP地址,以英文逗号“,”分隔。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">服务端端口</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">可配置多个端口号或端口号区间,以英文逗号“,”分隔,例如“10-15,20,25,30-40”。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">数据库账号</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">数据库登录用户账号或账号组,可填多个,以英文逗号“,”分隔,例如:“system”。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">服务端MAC地址</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">可填多个MAC地址,以英文逗号“,”分隔。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">数据库名(SID)</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">Oracle数据库输入SID,其他数据库输入数据库名。可填多个数据库名,以英文逗号“,”分隔。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__1 " rowspan="7">
<p class="p">行为</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">对象组</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">指定规则所匹配的对象组。有关对象组的详细介绍请参见<a class="xref" href="https://www.ocftcloud.com/ssr/help/security/DBAudit/cfg.rules.groups.objectgroup" target="_blank" rel="external noopener">对象组</a>。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">操作类型</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">需要关注的操作类型,如select、update、delete等。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">SQL模板ID</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">可填多个SQL模板ID,以英文逗号“,”分隔。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">SQL关键字</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p"><strong class="ph b">SQL关键字</strong>:支持以正则表达式方式匹配报文。单击<span class="ph uicontrol">正则验证</span>输入报文内容,单击<span class="ph uicontrol">提交</span>,验证输入内容与执行结果关键字中的正则表达式是否匹配。单击<span class="ph uicontrol">增加条件</span>添加多个关键字。</p>
<p class="p"><strong class="ph b">条件运算逻辑表达式</strong>:填写SQL关键字后,必须填写条件运算逻辑表达式,即条件间的关系,支持与(&)、或(|)、非(~)和括号四种运算,条件使用序号表示。例如,“1&2”表示有序号为1和序号为2的两个SQL关键字条件,且同时满足两个关键字条件才能触发告警。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">SQL长度</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">取值范围1B~64KB。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">关联表数</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">设置关联表数后,当SQL操作涉及的表的个数大于等于设置的值时将触发本规则,允许输入最大值为255。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">WHERE子句</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">判断是否包含WHERE子句,可以选择“不判断”、“有WHERE子句”、“没有WHERE子句”。WHERE子句用于提取满足指定条件的SQL记录,语法如下:</p>
<p class="p">SELECT column_name,column_name</p>
<p class="p">FROM table_name</p>
<p class="p">WHERE column_name operator value;</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__1 " rowspan="5">
<p class="p">结果</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">执行时长</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">可填项,单位为微秒,取值范围为0~2147483647,SQL语句的执行时长在此范围内,则触发规则。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">影响行数</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">取值范围为0~2147483647之间的任意范围。SQL操作返回的记录数或受影响的行数在此范围内,则触发规则。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">返回结果集</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p"><strong class="ph b">SQL关键字</strong>:支持以正则表达式方式匹配结果集。单击<span class="ph uicontrol">正则验证</span>输入结果集内容,单击<span class="ph uicontrol">提交</span>,验证输入内容与返回结果关键字的正则表达式是否匹配。单击<span class="ph uicontrol">添加条件</span>可添加多个条件。</p>
<p class="p"><strong class="ph b">条件运算逻辑表达式</strong>:填写SQL关键字后,必须填写<strong class="ph b">条件运算逻辑表达式</strong>,即条件间的关系,支持与(&)、或(|)、非(~)和括号四种运算,条件使用序号表示。例如,“1&2”表示有序号为1和序号为2的两个结果集条件,且同时满足两个结果集条件才能触发告警。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">执行状态</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">包含三个执行状态:全部、成功、失败。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">执行结果描述</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">支持以正则表达式方式匹配。</p>
</td>
</tr>
<tr class="row">
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__1 ">
<p class="p">其它</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__2 ">
<p class="p">生效时间</p>
</td>
<td class="entry" headers="filterbyrule__table_ckm_wf2_psb__entry__3 ">
<p class="p">可自定义或者选择时间组。</p>
</td>
</tr>
</tbody></table>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">单击<span class="ph uicontrol">保存</span>。</span>
</li><li class="li step stepexpand">
<span class="ph cmd">添加过滤规则后,需要在资产上启用规则才能生效,操作方法如下:</span>
<ol type="a" class="ol substeps" id="filterbyrule__substeps_nsp_mp2_psb">
<li class="li substep substepexpand">
<span class="ph cmd">在菜单栏选择<span class="ph menucascade"><span class="ph uicontrol">规则配置</span><abbr> > </abbr><span class="ph uicontrol">安全规则</span></span>,进入<span class="keyword wintitle">安全规则</span>页面。</span>
</li>
<li class="li substep substepexpand">
<span class="ph cmd">选择<span class="keyword wintitle">规则使用情况</span>页签,单击数据库名称链接进入规则配置页面。</span>
<div class="itemgroup info">
<img class="image" id="filterbyrule__image_vmv_vp2_psb" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222103110012-1c18098c985b.png" width="700">
</div>
</li>
<li class="li substep substepexpand">
<span class="ph cmd">选择<span class="keyword wintitle">过滤规则</span>页签,在未启用过滤规则列表中勾选创建的规则,单击<span class="ph uicontrol">启用</span>。</span>
<div class="itemgroup info">
<img class="image" id="filterbyrule__image_h34_xp2_psb" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222103110012-1920f9f693d6.png" width="700">
</div>
</li>
</ol>
</li></ol></section>
提交成功!非常感谢您的反馈,我们会继续努力做到更好!