HUAWEI CLOUD Stack 6.5.0 Alarm and Event Reference 04

ALM-73404 Malicious Access to GaussDB Has Been Detected

Description

The system checks GaussDB logs for certain keywords every 60 seconds. If these keywords are detected, GaussDB may be accessed by unauthorized or ill-intentioned visitors, and maintenance engineers must take measures to prevent malicious access. This alarm is generated when the system detects these keywords in the GaussDB logs.

Attribute

Alarm ID: 73404
Alarm Severity: Major
Auto Clear: No

Parameters

Fault Location Info:

  • host_id: specifies the ID of the host for which the alarm is generated.

Additional Info:

  • detail_info: provides detailed information about the alarm.
  • host_id: specifies the ID of the host for which the alarm is generated.
  • hostname: specifies the name of the host for which the alarm is generated.

Impact on the System

If this alarm is generated, the GaussDB database may be accessed by unauthorized or ill-intentioned visitors.

Possible Causes

  • Alarm reporting in normal scenarios
    • Alarm reporting due to GaussDB restoration using the backup
    • Alarm reporting in abnormal scenarios, for example, improper configuration
  • Malicious access to GaussDB

Procedure

  1. Use PuTTY to log in to the first FusionSphere OpenStack node through the IP address of the External OM plane.

    The default user name is fsp. The default password is Huawei@CLOUD8.

    The system supports both password authentication and public-private key pair authentication. If a public-private key pair is used for login authentication, see Using PuTTY to Log In to a Node in Key Pair Authentication Mode for detailed operations.

    NOTE:
    To obtain the IP address of the External OM plane, search for the required parameter on the Tool-generated IP Parameters sheet of the xxx_export_all.xlsm file exported from HUAWEI CLOUD Stack Deploy during software installation. The parameter names in different scenarios are as follows:
    • Region Type I scenario:

      Cascading system: Cascading-ExternalOM-Reverse-Proxy

      Cascaded system: Cascaded-ExternalOM-Reverse-Proxy

    • Region Type II and Region Type III scenarios: ExternalOM-Reverse-Proxy

  2. Run the following command and enter the password of user root to switch to user root:

    su - root

    The default password of user root is Huawei@CLOUD8!.

  3. Run the following command to disable user logout upon system timeout:

    TMOUT=0

  4. Run the following command to import environment variables:

    source set_env

    Information similar to the following is displayed:

      please choose environment variable which you want to import: 
      (1) openstack environment variable (keystone v3) 
      (2) cps environment variable 
      (3) openstack environment variable legacy (keystone v2) 
      (4) openstack environment variable of cloud_admin (keystone v3) 
      please choose:[1|2|3|4] 

  5. Enter 1 to enable Keystone V3 authentication and enter the password of OS_USERNAME as prompted.

    Default account format: DCname_admin; default password: FusionSphere123.

Check whether alarms are generated in normal scenarios.

  6. Run the following command to switch to the directory storing GaussDB logs:

    cd /var/log/fusionsphere/component/gaussdb/

  7. Search the GaussDB logs for the detected keyword, which can be obtained from the additional information of the alarm. For example, if the keyword is permission denied, run the following command to search for the keyword in the logs:

    zgrep "permission denied" *

  8. Check whether GaussDB was being accessed by unauthorized or ill-intentioned visitors at the time when the keyword was printed in the logs.

    • If yes, go to 10 to report system security risks and take corresponding measures.
    • If no, go to 9.

  9. Manually clear the alarm.

    No further action is required.

  10. Contact technical support for assistance.
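
The keyword search and time check described in the procedure above, as an added shell example (not part of the original document or of Huawei's tooling). It assumes each log line begins with a YYYY-MM-DD HH:MM:SS timestamp; the file names and sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. ASSUMPTION: log lines begin with "YYYY-MM-DD HH:MM:SS";
# the file names and sample lines below are constructed, not real GaussDB output.

# matches KEYWORD DIR: matching lines from plain and .gz logs, no file-name prefix.
# -F treats the keyword as a literal string rather than a regular expression.
matches() {
    zgrep -h -F -e "$1" "$2"/* 2>/dev/null
}

# keyword_hits_by_hour KEYWORD DIR: prints "<date> <hour> <count>" per hour bucket.
keyword_hits_by_hour() {
    matches "$1" "$2" |
        awk '{ n[$1 " " substr($2, 1, 2)]++ } END { for (k in n) print k, n[k] }' |
        sort
}

# hits_outside_window KEYWORD DIR START END: prints matches whose timestamp is
# outside [START, END], for example a known backup-restoration window.
# ISO-style timestamps order correctly under plain string comparison.
hits_outside_window() {
    matches "$1" "$2" |
        awk -v s="$3" -v e="$4" '{ ts = $1 " " $2 } ts < s || ts > e' |
        sort
}

# Constructed sample: one rotated (gzip) log and one current log.
make_sample_logs() {
    printf '%s\n' \
        '2019-08-29 23:58:10 ERROR:  permission denied for relation accounts' \
        '2019-08-29 23:59:40 LOG:  checkpoint complete' |
        gzip > "$1/gaussdb.log.1.gz"
    printf '%s\n' \
        '2019-08-30 02:10:05 ERROR:  permission denied for relation accounts' \
        '2019-08-30 02:10:06 ERROR:  permission denied for relation accounts' \
        '2019-08-30 02:41:00 LOG:  connection received' \
        '2019-08-30 03:05:12 ERROR:  permission denied for schema audit' \
        > "$1/gaussdb.log"
}

demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
keyword_hits_by_hour "permission denied" "$demo_dir"
hits_outside_window "permission denied" "$demo_dir" \
    "2019-08-30 02:00:00" "2019-08-30 02:59:59"
rm -rf "$demo_dir"
```

Matches that fall inside a known restoration or maintenance window point to the normal-scenario causes listed above; matches outside it are the ones to examine before clearing the alarm.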

Related Information

None

Updated: 2019-08-30

Document ID: EDOC1100062365
