Databases

Keep tabs on your tables: Cloud SQL for MySQL launches database auditing

#databases

If you manage sensitive data in your MySQL database, you might be obligated to record and monitor user database activity, especially if you work in a regulated industry. Although you could set up MySQL’s slow query log or general log to create an audit trail of user activity, these logs significantly impact database performance and aren’t formatted optimally for auditing. Purpose-built, open source audit plugins are better, but they lack some of the advanced security features that enterprise users need, such as rule-based auditing and results masking.

Cloud SQL for MySQL has developed a new audit plugin called the Cloud SQL for MySQL Audit Plugin that offers enterprise-grade database auditing to help you maintain a strong, compliant security posture. You can now define audit rules that govern which database activity is recorded. This activity is recorded in the form of database audit logs. The plugin masks sensitive data out of the audit logs, such as user passwords, and processed database audit logs are then sent to Cloud Logging, where you can view them to understand who performed what operations on which data, when. You can also route these logs using a user-defined log sink to a Google Cloud Storage bucket or BigQuery for long-term storage for compliance reasons or Splunk or another log management tool to detect unusual activity in real-time. 

How to audit a MySQL database

Say you’re a security engineer at Money Buckets Bank and you’ve been asked by the compliance department to audit activity on the “bank-prod” Cloud SQL instance in the “money-buckets” project. You’re asked to audit two types of activity: 

  1. Any write activity by any user on the sensitive “transactions” table in the “finance” database.

  2. Any activity by the “dba1” and “dba2” superuser accounts. 

As a security engineer, you want to narrowly define rules that only audit the sensitive activity, ensuring minimal impact to database performance. After enabling MySQL database auditing, you would call MySQL stored procedures to configure the two audit rules:

  //Rule 1: Any write activity on ‘transactions’ table in ‘finance’ database
CALL mysql.cloudsql_create_audit_rule('*','finance','transactions','dml','B',0,@outval,@outmsg);
SELECT @outval, @outmsg;

//Rule 2: Any activity by ‘dba1’ or ‘dba2’ users
CALL mysql.cloudsql_create_audit_rule('dba1@*,dba2@*','*','*','*','B',0,@outval,@outmsg);
SELECT @outval, @outmsg;

//Load rules
CALL mysql.cloudsql_reload_audit_rule(1);

The plugin stores these audit rules in the “mysql” system database. The plugin monitors database activity from MySQL’s Audit API and, when activity matches the audit rules, records a log to send to Cloud Logging.

Later that month, you decide to review these audit logs in the Logs Explorer. To isolate all the MySQL database auditing log entries from the “money-buckets” project, you’d enter in the following query filter:

  resource.type="cloudsql_database"
logName="projects/money-buckets/logs/cloudaudit.googleapis.com%2Fdata_access"
protoPayload.request.@type="type.googleapis.com/google.cloud.sql.audit.v1.MysqlAuditEntry"

You can now use these audit log entries in your audit trail in order to comply with the key finance regulations that govern Money Buckets Bank.

Learn More

With MySQL database auditing, you can collect audit records of user database activity for security and compliance purposes. To learn more about database auditing for Cloud SQL for MySQL, see the documentation.