Dear experts, are there any commands for TiDB data security assessment? Is there a remediation tutorial?

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: 各位大佬们,TIDB数据等保测评的命令有?有整改教程?

| username: TiDBer_gx5GT8b0

Dear experts, are there any commands for TiDB data security assessment? Is there a remediation tutorial?

| username: Kongdom | Original post link

You can ask this buddy

| username: Fly-bird | Original post link

When our unit went through the level three protection assessment, the testing only evaluated aspects related to data backup, the principle of separation of duties in the database, database field encryption, and encryption of database backup files. It did not involve requiring any rectification of the TiDB product itself. If there are any needs, we can discuss them.

| username: TiDBer_gx5GT8b0 | Original post link

How can logs be queried and rectified to meet compliance requirements?

| username: Fly-bird | Original post link

What are the requirements of the evaluation agency?

| username: 像风一样的男子 | Original post link

As long as you give enough red envelopes, you’ll pass!

| username: Fly-bird | Original post link

Even if you want to, you might not be able to fit it in.

| username: zhanggame1 | Original post link

The compliance itself is achieved by spending money, giving money to the compliance agency. Even a level two system would cost tens of thousands, right?

| username: Fly-bird | Original post link

Jiangsu Level 2: 50,000 (one-time), Level 3: 80,000 (annually), fixed price. Apart from system security rectification, there are no other costs.

| username: TiDBer_gx5GT8b0 | Original post link

Did you test enabling logs? Did you test log backups?

| username: TiDBer_gx5GT8b0 | Original post link

Enable the common logging feature to perform auditing and backup logs. In which directory path are the logs located?

| username: Fly-bird | Original post link

I understand that you mean the compliance requirements need to audit database login logs, SQL operation logs (insert, delete, update, and select), and database operation logs. Is that correct?

| username: forever | Original post link

The auditing part is a bit vague; is it the operation logs of the cluster or the SQL records of the database? As for the backup, is it the logs left after backing up by yourself?

| username: TiDBer_gx5GT8b0 | Original post link

Yes, and also cluster logs.

| username: ShawnYan | Original post link

This term seems familiar, is it required by the Classified Protection of Cybersecurity?

| username: 像风一样的男子 | Original post link

It’s written in the Constitution of the United States.

| username: TiDBer_vfJBUcxl | Original post link

Separation of powers: audit administrator user, security administrator user, system administrator user
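As an added example (not from any poster in this thread), the three-admin separation of duties listed above written out as TiDB SQL, together with the general-log check that answers the earlier question about where statement logs end up. It assumes TiDB's MySQL-compatible privilege syntax, that the `BACKUP_ADMIN`, `RESTORE_ADMIN` and `CONFIG` privileges exist in the deployed version, and that `log.file.filename` is the config key carrying the log path; the host pattern and passwords are placeholders.

```sql
-- Added example, not from this thread. Assumes TiDB's MySQL-compatible
-- privilege system; host pattern and passwords are placeholders.

-- 1. Security administrator: creates and removes accounts and roles,
--    holds no data privileges and no operational privileges.
CREATE USER 'sec_admin'@'10.0.0.%' IDENTIFIED BY '<placeholder-1>';
GRANT CREATE USER, CREATE ROLE, DROP ROLE ON *.* TO 'sec_admin'@'10.0.0.%';

-- 2. System administrator: runs the cluster (config, variables, backup,
--    restore) but cannot create accounts or change grants.
CREATE USER 'sys_admin'@'10.0.0.%' IDENTIFIED BY '<placeholder-2>';
GRANT RELOAD, PROCESS, CONFIG ON *.* TO 'sys_admin'@'10.0.0.%';
GRANT SYSTEM_VARIABLES_ADMIN, BACKUP_ADMIN, RESTORE_ADMIN
  ON *.* TO 'sys_admin'@'10.0.0.%';

-- 3. Audit administrator: read-only view of accounts, grants and
--    sessions; statement history is read from the INFORMATION_SCHEMA
--    views (CLUSTER_LOG, SLOW_QUERY, STATEMENTS_SUMMARY) without any
--    privilege on application data.
CREATE USER 'audit_admin'@'10.0.0.%' IDENTIFIED BY '<placeholder-3>';
GRANT SELECT ON mysql.* TO 'audit_admin'@'10.0.0.%';
GRANT PROCESS ON *.* TO 'audit_admin'@'10.0.0.%';

-- 4. Where the logs are: the general log writes every statement into
--    each tidb-server's own log file, whose path is its log.file.filename
--    config entry (assumed key name; confirm against SHOW CONFIG output).
SET GLOBAL tidb_general_log = ON;
SHOW CONFIG WHERE type = 'tidb' AND name LIKE 'log.file.%';

-- 5. Checks an assessor will ask for: each admin holds only its own
--    grants, and no account apart from the break-glass root keeps SUPER.
SHOW GRANTS FOR 'sec_admin'@'10.0.0.%';
SHOW GRANTS FOR 'sys_admin'@'10.0.0.%';
SHOW GRANTS FOR 'audit_admin'@'10.0.0.%';
SELECT user, host FROM mysql.user WHERE Super_priv = 'Y';
```

The general log is a plain server log, not a tamper-resistant audit trail; if the assessor requires a dedicated audit log with its own retention, that is provided by the audit log plugin of the TiDB enterprise edition rather than by anything in this block.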

| username: 像风一样的男子 | Original post link

For the requirements of the classified protection, just give them whatever they ask for. If it doesn’t work, make something up. If you don’t intend to take the auditor exam, there’s no need to delve deeply into it; it’s a waste of time.

| username: zhanggame1 | Original post link

We are the big fools who spent hundreds of thousands.

| username: cassblanca | Original post link

It depends on the industry. In finance and energy sectors, there are many wealthy individuals, but also many who are easily taken advantage of.