Security Auditing

Scenarios

You can query operation records that match specified conditions and, as part of security analysis, check whether the operations were performed by authorized users.

Prerequisites

You have enabled CTS and the tracker is running properly. For details on how to enable CTS, see Enabling CTS.

Procedure

The following shows how you can review records of EVS disk creation and deletion over the last two weeks.

  1. Log in to the management console as an administrator.

  2. Click the icon in the upper left corner to select the desired project.

  3. Click Service List and choose Management & Deployment > Cloud Trace Service.

  4. Choose Trace List in the navigation pane on the left.

  5. Set filters in sequence: Trace Source > Resource Type > Search By > Operator > Trace Status. Then click Query to view the result.

    Note

    Select evs for Trace Source, evs for Resource Type, and Trace name for Search By, and then select createVolume or deleteVolume. Then click Query to search for all EVS disk creation or deletion operations in the last seven days.

  6. Choose Tracker in the left navigation pane to obtain an OBS bucket name.

  7. Download traces older than seven days or all traces by following the instructions in Querying Archived Traces.

  8. In the downloaded file, locate the required operation records by searching for the keywords createVolume and deleteVolume.

  9. Check the traces obtained in steps 5 and 8 to see whether there are any unauthorized operations or operations that do not conform to security rules.
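
Steps 8 and 9 can be scripted once the archived trace files have been downloaded. The following Python script is an added example, not code from the CTS documentation. It assumes each trace is a JSON object with trace_name, time (Unix milliseconds), user.name and trace_status fields, and that the file holds a JSON array or one object per line; the allowlist, the 14-day window and the sample traces are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

VOLUME_TRACES = {"createVolume", "deleteVolume"}  # keywords from step 8

def load_traces(text):
    """Parse trace file text: a JSON array, or one JSON object per line."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def review_volume_traces(traces, authorized_users, now, days=14):
    """Return (trace, reasons) for EVS disk create/delete traces that need review."""
    cutoff = now - timedelta(days=days)
    findings = []
    for trace in traces:
        if trace.get("trace_name") not in VOLUME_TRACES:
            continue
        # Assumed: "time" is a Unix timestamp in milliseconds.
        when = datetime.fromtimestamp(trace["time"] / 1000, tz=timezone.utc)
        if when < cutoff:
            continue
        operator = (trace.get("user") or {}).get("name")  # missing user -> None
        reasons = []
        if operator not in authorized_users:
            reasons.append("operator not on allowlist")
        if trace.get("trace_status") != "normal":
            reasons.append("trace status is not normal")
        if reasons:
            findings.append((trace, reasons))
    return findings

# Constructed sample data, not real CTS output.
NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)
def ms_days_ago(days):
    return int((NOW - timedelta(days=days)).timestamp() * 1000)

SAMPLE = json.dumps([
    {"trace_name": "createVolume", "time": ms_days_ago(2), "user": {"name": "ops-admin"}, "trace_status": "normal"},
    {"trace_name": "deleteVolume", "time": ms_days_ago(3), "user": {"name": "temp-contractor"}, "trace_status": "normal"},
    {"trace_name": "deleteVolume", "time": ms_days_ago(20), "user": {"name": "temp-contractor"}, "trace_status": "normal"},
    {"trace_name": "createServer", "time": ms_days_ago(1), "user": {"name": "temp-contractor"}, "trace_status": "normal"},
    {"trace_name": "deleteVolume", "time": ms_days_ago(1), "user": {"name": "ops-admin"}, "trace_status": "warning"},
])

if __name__ == "__main__":
    for trace, reasons in review_volume_traces(load_traces(SAMPLE), {"ops-admin"}, NOW):
        print(trace["trace_name"], trace["user"]["name"], "; ".join(reasons))
```

A trace with no user field is reported as not on the allowlist rather than skipped, so records with missing operator data still reach the reviewer.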