mysql审计插件

Posted xgmxm

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了mysql审计插件相关的知识,希望对你有一定的参考价值。

Audit Plugin安装使用

原文:

https://www.cnblogs.com/waynechou/p/mysql_audit.html#_label0   #有卸载方法

下载地址:

https://bintray.com/mcafee/mysql-audit-plugin/release/1.1.6-784#files

安装、配置、测试

查看mysql插件目录:
mysql> SHOW GLOBAL VARIABLES LIKE \'plugin_dir\';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| plugin_dir    | /opt/mysql/lib/plugin/ |
+---------------+------------------------+
1 row in set (0.00 sec)


复制下载的so文件至plugin_dir,创建日志目录
cd /opt/tools/audit-plugin-mysql-5.6-1.1.6-784/lib
cp libaudit_plugin.so /opt/mysql/lib/plugin/
mkdir /home/mysql/3306/audit_log/
chown mysql.mysql /home/mysql/3306/audit_log/

下载offset脚本,根据版本计算
wget https://raw.github.com/mcafee/mysql-audit/master/offset-extract/offset-extract.sh
chmod +x offset-extract.sh
[root@docker1 /opt/tools 19:42:56&&11]#./offset-extract.sh /opt/mysql/bin/mysqld
//offsets for: /opt/mysql/bin/mysqld (5.6.35)
{"5.6.35","c48fe13e444883af96c7f134cd0c952b", 6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368, 13048, 548, 516},

配置my.cnf,在mysqld块里面加入以下内容:
plugin-load=AUDIT=libaudit_plugin.so
audit_offsets=6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368, 13048, 548, 516
audit_json_file=ON
audit_json_log_file=/home/mysql/3306/audit_log/mysql-audit.json
audit_record_cmds=insert,delete,update,create,drop,revoke,alter,grant,set #针对这些语句来审计

重启mysql数据库
service mysql restart

验证是否生效:
SHOW GLOBAL STATUS LIKE \'AUDIT_version\';   #查看版本
SHOW GLOBAL VARIABLES LIKE \'audit_json_file\';  #查看是否开启
show plugins;  #查看安装的插件
重要的参数说明: 

1. audit_json_file #是否开启audit功能

2. audit_json_log_file #记录文件的路径和名称信息

3. audit_record_cmds #audit记录的命令,默认为记录所有命令可以设置为任意dml、dcl、ddl的组合 如:audit_record_cmds=select,insert,delete,update 还可以在线设置set global audit_record_cmds=NULL(表示记录所有命令)

4.audit_record_objs

audit记录操作的对象,默认为记录所有对象,可以用SET GLOBAL audit_record_objs=NULL设置为默认。也可以指定为下面的格式:audit_record_objs=,test.*,mysql.*,information_schema.*。


其他配置参数参考: https:
//github.com/mcafee/mysql-audit/wiki/Configuration
测试:

CREATE TABLE `t1` ( `id`
int(10) NOT NULL AUTO_INCREMENT, `age` tinyint(4) NOT NULL DEFAULT \'0\', `name` varchar(30) NOT NULL DEFAULT \'\', PRIMARY KEY (`id`) )DEFAULT CHARSET=utf8;
INSERT INTO `test`.`t1` (`age`, `name`) VALUES (
\'1\', \'1\');
INSERT INTO `test`.`t1` (`age`, `name`) VALUES (
\'3\', \'3\');
INSERT INTO `test`.`t1` (`age`, `name`) VALUES (
\'4\', \'4\');
INSERT INTO `test`.`t1` (`age`, `name`) VALUES (
\'5\', \'5\');
update t1
set name=\'6\' where age=\'5\';
delete
from t1 where age=\'1\'; select * from t1;

#查看审计日志
[root@docker1
/opt/tools 19:43:00&&12]#cat /home/mysql/3306/audit_log/mysql-audit.json
{
"msg-type":"header","date":"1532167436580","audit-version":"1.1.6-784","audit-protocol-version":"1.0","hostname":"docker1","mysql-version":"5.6.35-log","mysql-program":"/opt/mysql/bin/mysqld","mysql-socket":"/tmp/my3306.sock","mysql-port":"3306","server_pid":"43306"} {"msg-type":"activity","date":"1532167889630","thread-id":"9","query-id":"54","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `t1` (`age`, `name`) VALUES (\'2\', \'2\')"} {"msg-type":"activity","date":"1532167962813","thread-id":"8","query-id":"68","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'1\', \'1\')"} {"msg-type":"activity","date":"1532167962831","thread-id":"8","query-id":"69","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'3\', \'3\')"} {"msg-type":"activity","date":"1532167962849","thread-id":"8","query-id":"70","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'4\', \'4\')"} {"msg-type":"activity","date":"1532167962867","thread-id":"8","query-id":"71","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'5\', \'5\')"} {"msg-type":"activity","date":"1532168079332","thread-id":"8","query-id":"87","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"update","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"update t1 set name=\'6\' where age=\'5\'"} {"msg-type":"activity","date":"1532168113498","thread-id":"8","query-id":"103","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"delete","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"delete from t1 where age=\'1\'"}

 MariaDB server_audit 审计插件

下载:

http://ftp.kaist.ac.kr/mariadb/

原文:

https://www.cnblogs.com/waynechou/p/mysql_audit.html#_label0

安装、配置、测试

复制插件文件
cp -av /opt/tools/mariadb-5.5.60-linux-glibc_214-x86_64/lib/plugin/server_audit.so /opt/mysql/lib/plugin/
chmod a+x /opt/mysql/lib/plugin/server_audit.so

安装插件
INSTALL PLUGIN server_audit SONAME \'server_audit.so\';

配置my.cnf
server_audit_events=\'CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL\'
server_audit_logging=on
server_audit_file_path =/home/mysql/3306/audit_log/
server_audit_file_rotate_size=200000000
server_audit_file_rotations=200
server_audit_file_rotate_now=ON
值得注意的是,应该在server_audit插件被安装好,并且已经运行之后添加这些配置,否则过早在配置文件添加这个选项,会导致MySQL发生启动错误!

参数说明:
server_audit_output_type:指定日志输出类型,可为SYSLOG或FILE
server_audit_logging:启动或关闭审计
server_audit_events:指定记录事件的类型,可以用逗号分隔的多个值(connect,query,table),如果开启了查询缓存(query cache),查询直接从查询缓存返回数据,将没有table记录
server_audit_file_path:如server_audit_output_type为FILE,使用该变量设置存储日志的文件,可以指定目录,默认存放在数据目录的server_audit.log文件中
server_audit_file_rotate_size:限制日志文件的大小
server_audit_file_rotations:指定日志文件的数量,如果为0日志将从不轮转
server_audit_file_rotate_now:强制日志文件轮转
server_audit_incl_users:指定哪些用户的活动将记录,connect将不受此变量影响,该变量比server_audit_excl_users优先级高
server_audit_syslog_facility:默认为LOG_USER,指定facility
server_audit_syslog_ident:设置ident,作为每个syslog记录的一部分
server_audit_syslog_info:指定的info字符串将添加到syslog记录
server_audit_syslog_priority:定义记录日志的syslogd priority
server_audit_excl_users:该列表的用户行为将不记录,connect将不受该设置影响
server_audit_mode:标识版本,用于开发测试

重启mysql
/opt/mysql/scripts/my3306.sh restart

测试:
测试同Audit Plugin


卸载 server_audit
mysql> UNINSTALL PLUGIN server_audit;
mysql> show variables like \'%audit%\';
Empty set (0.00 sec)

防止 server_audit 插件被卸载,需要在配置文件中添加:
[mysqld]
server_audit=FORCE_PLUS_PERMANENT

重启MySQL生效

 

以上是关于mysql审计插件的主要内容,如果未能解决你的问题,请参考以下文章

Mysql的审计插件

审计插件在社区版MySQL 8.0上适配

MySQL审计工具Audit插件使用

mysql添加mcafee 审计插件

mysql审计插件

sequoiasql-mysql 部署审计插件