mysql审计插件
Posted xgmxm
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了mysql审计插件相关的知识,希望对你有一定的参考价值。
Audit Plugin安装使用
原文:
https://www.cnblogs.com/waynechou/p/mysql_audit.html#_label0 #有卸载方法
下载地址:
https://bintray.com/mcafee/mysql-audit-plugin/release/1.1.6-784#files
安装、配置、测试
查看mysql插件目录: mysql> SHOW GLOBAL VARIABLES LIKE \'plugin_dir\'; +---------------+------------------------+ | Variable_name | Value | +---------------+------------------------+ | plugin_dir | /opt/mysql/lib/plugin/ | +---------------+------------------------+ 1 row in set (0.00 sec) 复制下载的so文件至plugin_dir,创建日志目录 cd /opt/tools/audit-plugin-mysql-5.6-1.1.6-784/lib cp libaudit_plugin.so /opt/mysql/lib/plugin/ mkdir /home/mysql/3306/audit_log/ chown mysql.mysql /home/mysql/3306/audit_log/ 下载offset脚本,根据版本计算 wget https://raw.github.com/mcafee/mysql-audit/master/offset-extract/offset-extract.sh chmod +x offset-extract.sh [root@docker1 /opt/tools 19:42:56&&11]#./offset-extract.sh /opt/mysql/bin/mysqld //offsets for: /opt/mysql/bin/mysqld (5.6.35) {"5.6.35","c48fe13e444883af96c7f134cd0c952b", 6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368, 13048, 548, 516}, 配置my.cnf,在mysqld块里面加入以下内容: plugin-load=AUDIT=libaudit_plugin.so audit_offsets=6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368, 13048, 548, 516 audit_json_file=ON audit_json_log_file=/home/mysql/3306/audit_log/mysql-audit.json audit_record_cmds=insert,delete,update,create,drop,revoke,alter,grant,set #针对这些语句来审计 重启mysql数据库 service mysql restart 验证是否生效: SHOW GLOBAL STATUS LIKE \'AUDIT_version\'; #查看版本 SHOW GLOBAL VARIABLES LIKE \'audit_json_file\'; #查看是否开启
show plugins; #查看安装的插件
重要的参数说明:
1. audit_json_file #是否开启audit功能
2. audit_json_log_file #记录文件的路径和名称信息
3. audit_record_cmds #audit记录的命令,默认为记录所有命令可以设置为任意dml、dcl、ddl的组合 如:audit_record_cmds=select,insert,delete,update 还可以在线设置set global audit_record_cmds=NULL(表示记录所有命令)
4.audit_record_objs
audit记录操作的对象,默认为记录所有对象,可以用SET GLOBAL audit_record_objs=NULL设置为默认。也可以指定为下面的格式:audit_record_objs=,test.*,mysql.*,information_schema.*。
其他配置参数参考: https://github.com/mcafee/mysql-audit/wiki/Configuration
测试:
CREATE TABLE `t1` ( `id` int(10) NOT NULL AUTO_INCREMENT, `age` tinyint(4) NOT NULL DEFAULT \'0\', `name` varchar(30) NOT NULL DEFAULT \'\', PRIMARY KEY (`id`) )DEFAULT CHARSET=utf8;
INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'1\', \'1\');
INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'3\', \'3\');
INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'4\', \'4\');
INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'5\', \'5\');
update t1 set name=\'6\' where age=\'5\';
delete from t1 where age=\'1\'; select * from t1;
#查看审计日志
[root@docker1 /opt/tools 19:43:00&&12]#cat /home/mysql/3306/audit_log/mysql-audit.json
{"msg-type":"header","date":"1532167436580","audit-version":"1.1.6-784","audit-protocol-version":"1.0","hostname":"docker1","mysql-version":"5.6.35-log","mysql-program":"/opt/mysql/bin/mysqld","mysql-socket":"/tmp/my3306.sock","mysql-port":"3306","server_pid":"43306"} {"msg-type":"activity","date":"1532167889630","thread-id":"9","query-id":"54","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `t1` (`age`, `name`) VALUES (\'2\', \'2\')"} {"msg-type":"activity","date":"1532167962813","thread-id":"8","query-id":"68","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'1\', \'1\')"} {"msg-type":"activity","date":"1532167962831","thread-id":"8","query-id":"69","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'3\', \'3\')"} {"msg-type":"activity","date":"1532167962849","thread-id":"8","query-id":"70","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'4\', \'4\')"} {"msg-type":"activity","date":"1532167962867","thread-id":"8","query-id":"71","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'5\', \'5\')"} {"msg-type":"activity","date":"1532168079332","thread-id":"8","query-id":"87","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"update","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"update t1 set name=\'6\' where age=\'5\'"} {"msg-type":"activity","date":"1532168113498","thread-id":"8","query-id":"103","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"delete","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"delete from t1 where age=\'1\'"}
MariaDB server_audit 审计插件
下载:
http://ftp.kaist.ac.kr/mariadb/
原文:
https://www.cnblogs.com/waynechou/p/mysql_audit.html#_label0
安装、配置、测试
复制插件文件 cp -av /opt/tools/mariadb-5.5.60-linux-glibc_214-x86_64/lib/plugin/server_audit.so /opt/mysql/lib/plugin/ chmod a+x /opt/mysql/lib/plugin/server_audit.so 安装插件 INSTALL PLUGIN server_audit SONAME \'server_audit.so\'; 配置my.cnf server_audit_events=\'CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL\' server_audit_logging=on server_audit_file_path =/home/mysql/3306/audit_log/ server_audit_file_rotate_size=200000000 server_audit_file_rotations=200 server_audit_file_rotate_now=ON 值得注意的是,应该在server_audit插件被安装好,并且已经运行之后添加这些配置,否则过早在配置文件添加这个选项,会导致MySQL发生启动错误! 参数说明: server_audit_output_type:指定日志输出类型,可为SYSLOG或FILE server_audit_logging:启动或关闭审计 server_audit_events:指定记录事件的类型,可以用逗号分隔的多个值(connect,query,table),如果开启了查询缓存(query cache),查询直接从查询缓存返回数据,将没有table记录 server_audit_file_path:如server_audit_output_type为FILE,使用该变量设置存储日志的文件,可以指定目录,默认存放在数据目录的server_audit.log文件中 server_audit_file_rotate_size:限制日志文件的大小 server_audit_file_rotations:指定日志文件的数量,如果为0日志将从不轮转 server_audit_file_rotate_now:强制日志文件轮转 server_audit_incl_users:指定哪些用户的活动将记录,connect将不受此变量影响,该变量比server_audit_excl_users优先级高 server_audit_syslog_facility:默认为LOG_USER,指定facility server_audit_syslog_ident:设置ident,作为每个syslog记录的一部分 server_audit_syslog_info:指定的info字符串将添加到syslog记录 server_audit_syslog_priority:定义记录日志的syslogd priority server_audit_excl_users:该列表的用户行为将不记录,connect将不受该设置影响 server_audit_mode:标识版本,用于开发测试 重启mysql /opt/mysql/scripts/my3306.sh restart 测试: 测试同Audit Plugin 卸载 server_audit mysql> UNINSTALL PLUGIN server_audit; mysql> show variables like \'%audit%\'; Empty set (0.00 sec) 防止 server_audit 插件被卸载,需要在配置文件中添加: [mysqld] server_audit=FORCE_PLUS_PERMANENT 重启MySQL生效
以上是关于mysql审计插件的主要内容,如果未能解决你的问题,请参考以下文章