
Database Firewall Algorithms #

Matching Algorithms #

Risk DDL Matching Algorithm #

Type: RISK_DDL

Configurable Properties:

| Property Name | Data Type | Description | Default Value |
|---|---|---|---|
| truncate-table | boolean | Match TRUNCATE TABLE statements | true |
| drop-table | boolean | Match DROP TABLE statements | true |
| alter-table | boolean | Match ALTER TABLE statements | true |

Risk DML Matching Algorithm #

Type: RISK_DML

Configurable Properties:

| Property Name | Data Type | Description | Default Value |
|---|---|---|---|
| full-table-update | boolean | Match full table update statements | true |
| full-table-delete | boolean | Match full table delete statements | true |

Note: Full table update and full table delete refer to UPDATE and DELETE statements that do not include a WHERE clause.

Join Query Matching Algorithm #

Type: JOIN_QUERY

Configurable Properties:

| Property Name | Data Type | Description | Default Value |
|---|---|---|---|
| max-allowed-join-table-count | int | Maximum allowed number of joined tables | 3 |

Note: This algorithm does not differentiate between JOIN types, such as LEFT JOIN, RIGHT JOIN, etc.

Subquery Matching Algorithm #

Type: SUBQUERY

Configurable Properties:

| Property Name | Data Type | Description | Default Value |
|---|---|---|---|
| max-allowed-subquery-count | int | Maximum allowed depth of nested subqueries | 1 |
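The JOIN_QUERY and SUBQUERY rules above are both simple structural counts over the statement. The following added example (written for this page, not code from the firewall product itself) implements that reading with a small tokenizer: JOIN variants are not distinguished, tables inside subqueries are not counted toward the outer join count, and a rule "matches" when the count exceeds the configured maximum. The sample statements are constructed; the function and parameter names are this example's own.

```python
import re

# Tokenizer shared by both checks: string literals are consumed as one token so
# that keywords or parentheses inside quoted text are never counted.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\(|\)|\w+")


def count_joined_tables(sql: str) -> int:
    """Number of tables in the outermost FROM clause: the FROM table plus one per
    JOIN keyword at parenthesis depth 0. As the page notes, LEFT/RIGHT/INNER JOIN
    are not distinguished. Tables referenced only inside subqueries, and implicit
    comma joins, are not counted (assumptions of this example)."""
    depth = 0
    has_from = False
    joins = 0
    for m in _TOKEN.finditer(sql):
        tok = m.group(0)
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            word = tok.upper()
            if word == "FROM":
                has_from = True
            elif word == "JOIN":
                joins += 1
    if not has_from and joins == 0:
        return 0
    return joins + 1


def max_subquery_depth(sql: str) -> int:
    """Deepest nesting of SELECT statements inside parentheses; 0 means no subquery."""
    stack = []  # one entry per open parenthesis: True once a SELECT was seen inside it
    deepest = 0
    for m in _TOKEN.finditer(sql):
        tok = m.group(0)
        if tok == "(":
            stack.append(False)
        elif tok == ")":
            if stack:
                stack.pop()
        elif tok.upper() == "SELECT" and stack and not stack[-1]:
            stack[-1] = True
            deepest = max(deepest, sum(stack))
    return deepest


def join_query_matches(sql: str, max_allowed_join_table_count: int = 3) -> bool:
    """JOIN_QUERY rule: matches when more tables are joined than allowed."""
    return count_joined_tables(sql) > max_allowed_join_table_count


def subquery_matches(sql: str, max_allowed_subquery_count: int = 1) -> bool:
    """SUBQUERY rule: matches when subqueries nest deeper than allowed."""
    return max_subquery_depth(sql) > max_allowed_subquery_count


if __name__ == "__main__":
    # Constructed sample statements.
    four_way = ("SELECT * FROM t_order o JOIN t_item i ON o.id = i.order_id "
                "LEFT JOIN t_user u ON o.user_id = u.id "
                "RIGHT JOIN t_addr a ON u.id = a.user_id")
    nested = ("SELECT * FROM t_order WHERE user_id IN "
              "(SELECT id FROM t_user WHERE addr_id IN (SELECT id FROM t_addr))")
    print(count_joined_tables(four_way), join_query_matches(four_way))  # 4 True
    print(max_subquery_depth(nested), subquery_matches(nested))         # 2 True
```

Because the counts are taken at parenthesis depth 0, a statement that joins several tables inside a subquery is judged by the SUBQUERY rule rather than inflating the outer join count.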

Sharding Condition Matching Algorithm #

Type: SHARDING

Configurable Properties:

| Property Name | Data Type | Description | Default Value |
|---|---|---|---|
| select-without-sharding-column | boolean | Match SELECT statements without sharding columns | true |
| update-without-sharding-column | boolean | Match UPDATE statements without sharding columns | true |
| delete-without-sharding-column | boolean | Match DELETE statements without sharding columns | true |

Note: INSERT statements are required to have sharding keys and are not checked by the database firewall rules.

Missing WHERE Condition Matching Algorithm #

Type: MISSING_WHERE_CONDITION

Configurable Properties:

| Property Name | Data Type | Description | Default Value |
|---|---|---|---|
| columns | string | Column(s) to match | None |
| insert | boolean | Whether to match INSERT statements | true |
| select | boolean | Whether to match SELECT statements | true |
| update | boolean | Whether to match UPDATE statements | true |
| delete | boolean | Whether to match DELETE statements | true |

Note: The rule matches when the DML statement's WHERE clause contains no condition on the column(s) configured in columns.

Host Address Matching Algorithm #

Type: HOST

Configurable Properties:

| Property Name | Data Type | Description | Default Value |
|---|---|---|---|
| blacklist | String | Blacklist specifying addresses to match | None |
| whitelist | String | Whitelist specifying addresses to allow | None |

Explanation:

  1. When declaring the algorithm, either the blacklist or whitelist must be defined; both cannot be empty simultaneously.
  2. Only supports IP addresses, such as ‘127.0.0.1’; does not support hostname format.
  3. Both blacklist and whitelist support multiple elements, separated by commas, e.g., ‘127.0.0.1, 10.9.100.5’.
  4. Algorithm rules: The current address is considered a match if it is in the blacklist or [the whitelist is not empty and the current address is not in the whitelist].
  5. In case of duplicate elements in the blacklist and whitelist, the blacklist takes priority.

Username Matching Algorithm #

Type: USERNAME

Configurable Properties:

| Property Name | Data Type | Description | Default Value |
|---|---|---|---|
| blacklist | String | Blacklist specifying usernames to match | None |
| whitelist | String | Whitelist specifying usernames to allow | None |

Explanation:

  1. When declaring the algorithm, either the blacklist or whitelist must be defined; both cannot be empty simultaneously.
  2. Matches only the username, without considering the login address.
  3. Both blacklist and whitelist support multiple elements, separated by commas, e.g., ‘root, sharding’.
  4. Algorithm rules: The current user is considered a match if they are in the blacklist or [the whitelist is not empty and the current username is not in the whitelist].
  5. In case of duplicate elements in the blacklist and whitelist, the blacklist takes priority.

Role Matching Algorithm #

Type: ROLE

Configurable Properties:

| Property Name | Data Type | Description | Default Value |
|---|---|---|---|
| blacklist | String | Blacklist specifying roles to match | None |
| whitelist | String | Whitelist specifying roles to allow | None |

Explanation:

  1. When declaring the algorithm, either the blacklist or whitelist must be defined; both cannot be empty simultaneously.
  2. Both blacklist and whitelist support multiple elements, separated by commas, e.g., ‘role_dml, admin’.
  3. Algorithm rules: The current user’s role is considered a match if any of their roles are in the blacklist or [the whitelist is not empty and none of the user’s roles are in the whitelist].
  4. In case of duplicate elements in the blacklist and whitelist, the blacklist takes priority.
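The HOST, USERNAME and ROLE algorithms share one blacklist/whitelist rule, differing only in that ROLE evaluates a set of roles and HOST accepts IP addresses only. The following added example (written for this page, not the product's own code) implements the rules exactly as the numbered explanations state them: both lists cannot be empty, comma-separated values are split and trimmed, the blacklist is checked first so a duplicate entry still matches, and a hostname in a HOST list is rejected. Class and method names are this example's own; the list values are constructed.

```python
import ipaddress


def parse_list(value):
    """Split a comma-separated property value such as '127.0.0.1, 10.9.100.5'."""
    return {item.strip() for item in (value or "").split(",") if item.strip()}


class ListMatcher:
    """Blacklist/whitelist rule shared by the HOST, USERNAME and ROLE algorithms."""

    def __init__(self, blacklist=None, whitelist=None):
        self.blacklist = parse_list(blacklist)
        self.whitelist = parse_list(whitelist)
        if not self.blacklist and not self.whitelist:
            raise ValueError("either blacklist or whitelist must be defined")

    def matches(self, value):
        """HOST / USERNAME rule: match if the value is blacklisted, or the whitelist
        is non-empty and does not contain it. The blacklist is tested first, so a
        value present in both lists is still a match."""
        if value in self.blacklist:
            return True
        return bool(self.whitelist) and value not in self.whitelist

    def matches_roles(self, roles):
        """ROLE rule: match if any role is blacklisted, or the whitelist is non-empty
        and none of the user's roles are in it."""
        roles = set(roles)
        if roles & self.blacklist:
            return True
        return bool(self.whitelist) and not (roles & self.whitelist)


class HostMatcher(ListMatcher):
    """HOST variant: list entries must be IP addresses; hostnames are rejected."""

    def __init__(self, blacklist=None, whitelist=None):
        super().__init__(blacklist, whitelist)
        for entry in self.blacklist | self.whitelist:
            ipaddress.ip_address(entry)  # raises ValueError for e.g. 'db.internal'


if __name__ == "__main__":
    # Constructed configuration values.
    hosts = HostMatcher(blacklist="127.0.0.1, 10.9.100.5")
    print(hosts.matches("10.9.100.5"), hosts.matches("10.0.0.7"))   # True False
    users = ListMatcher(whitelist="root, sharding")
    print(users.matches("guest"), users.matches("sharding"))        # True False
    roles = ListMatcher(blacklist="admin", whitelist="role_dml")
    print(roles.matches_roles(["role_dml", "admin"]))               # True
```

Operationally, the whitelist-only form is the stricter configuration: anything not explicitly listed matches the policy, whereas a blacklist-only form only catches the entries you already know about.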

Disable Encrypted Field Association Query Algorithm #

Type: ENCRYPT_JOIN_QUERY

Configurable Properties: None

Description:

  1. Once this algorithm is configured, association (join) queries on encrypted fields are prohibited.

Database Firewall Action Algorithms #

Logging #

Type: LOG

Configurable Properties:

| Property Name | Data Type | Description | Default Value |
|---|---|---|---|
| log-level | String | Output log level; supports DEBUG, INFO, WARN, ERROR | WARN |

Explanation: Logs database firewall events, including the database, user, host, and matched policy name, e.g. `[WARN] date time [THREAD] AUDIT - log by strategy: risk_dml_strategy db: sharding_db user: root host: 127.0.0.1`

Blocking #

Type: BLOCK

Explanation:

  1. Logs database firewall events and blocks them by throwing an exception. The log includes the database, user, host, and matched policy name, e.g. `[WARN] date time [THREAD] AUDIT - block by strategy: risk_dml_strategy db: sharding_db user: root host: 127.0.0.1`
  2. The log level for blocked events is uniformly set to WARN and is not currently modifiable.