mysql审计插件

Posted 2020-12-24 xgmxm

Audit Plugin安装使用

原文：

https://www.cnblogs.com/waynechou/p/mysql_audit.html#_label0   #有卸载方法

下载地址:

https://bintray.com/mcafee/mysql-audit-plugin/release/1.1.6-784#files

安装、配置、测试

查看mysql插件目录：
mysql> SHOW GLOBAL VARIABLES LIKE \'plugin_dir\';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| plugin_dir    | /opt/mysql/lib/plugin/ |
+---------------+------------------------+
1 row in set (0.00 sec)


复制下载的so文件至plugin_dir，创建日志目录
cd /opt/tools/audit-plugin-mysql-5.6-1.1.6-784/lib
cp libaudit_plugin.so /opt/mysql/lib/plugin/
mkdir /home/mysql/3306/audit_log/
chown mysql.mysql /home/mysql/3306/audit_log/

下载offset脚本，根据版本计算
wget https://raw.github.com/mcafee/mysql-audit/master/offset-extract/offset-extract.sh
chmod +x offset-extract.sh
[root@docker1 /opt/tools 19:42:56&&11]#./offset-extract.sh /opt/mysql/bin/mysqld
//offsets for: /opt/mysql/bin/mysqld (5.6.35)
{"5.6.35","c48fe13e444883af96c7f134cd0c952b", 6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368, 13048, 548, 516},

配置my.cnf，在mysqld块里面加入以下内容：
plugin-load=AUDIT=libaudit_plugin.so
audit_offsets=6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368, 13048, 548, 516
audit_json_file=ON
audit_json_log_file=/home/mysql/3306/audit_log/mysql-audit.json
audit_record_cmds=insert,delete,update,create,drop,revoke,alter,grant,set #针对这些语句来审计

重启mysql数据库
service mysql restart

验证是否生效:
SHOW GLOBAL STATUS LIKE \'AUDIT_version\';   #查看版本
SHOW GLOBAL VARIABLES LIKE \'audit_json_file\';  #查看是否开启

show plugins;  #查看安装的插件

重要的参数说明： 

1. audit_json_file #是否开启audit功能 

2. audit_json_log_file #记录文件的路径和名称信息 

3. audit_record_cmds #audit记录的命令,默认为记录所有命令可以设置为任意dml、dcl、ddl的组合 如：audit_record_cmds=select,insert,delete,update 还可以在线设置set global audit_record_cmds=NULL(表示记录所有命令) 

4.audit_record_objs

audit记录操作的对象，默认为记录所有对象，可以用SET GLOBAL audit_record_objs=NULL设置为默认。也可以指定为下面的格式：audit_record_objs=,test.*,mysql.*,information_schema.*。

其他配置参数参考： https://github.com/mcafee/mysql-audit/wiki/Configuration  
测试： 
CREATE TABLE `t1` ( `id` int(10) NOT NULL AUTO_INCREMENT, `age` tinyint(4) NOT NULL DEFAULT \'0\', `name` varchar(30) NOT NULL DEFAULT \'\', PRIMARY KEY (`id`) )DEFAULT CHARSET=utf8; 
INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'1\', \'1\'); 
INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'3\', \'3\'); 
INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'4\', \'4\'); 
INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'5\', \'5\'); 
update t1 set name=\'6\' where age=\'5\'; 
delete from t1 where age=\'1\'; select * from t1; 

#查看审计日志 
[root@docker1 /opt/tools 19:43:00&&12]#cat /home/mysql/3306/audit_log/mysql-audit.json 
{"msg-type":"header","date":"1532167436580","audit-version":"1.1.6-784","audit-protocol-version":"1.0","hostname":"docker1","mysql-version":"5.6.35-log","mysql-program":"/opt/mysql/bin/mysqld","mysql-socket":"/tmp/my3306.sock","mysql-port":"3306","server_pid":"43306"} {"msg-type":"activity","date":"1532167889630","thread-id":"9","query-id":"54","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `t1` (`age`, `name`) VALUES (\'2\', \'2\')"} {"msg-type":"activity","date":"1532167962813","thread-id":"8","query-id":"68","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'1\', \'1\')"} {"msg-type":"activity","date":"1532167962831","thread-id":"8","query-id":"69","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'3\', \'3\')"} {"msg-type":"activity","date":"1532167962849","thread-id":"8","query-id":"70","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'4\', \'4\')"} {"msg-type":"activity","date":"1532167962867","thread-id":"8","query-id":"71","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES (\'5\', \'5\')"} {"msg-type":"activity","date":"1532168079332","thread-id":"8","query-id":"87","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"update","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"update t1 set name=\'6\' where age=\'5\'"} {"msg-type":"activity","date":"1532168113498","thread-id":"8","query-id":"103","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"delete","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"delete from t1 where age=\'1\'"}

 MariaDB server_audit 审计插件

下载:

http://ftp.kaist.ac.kr/mariadb/

原文：

https://www.cnblogs.com/waynechou/p/mysql_audit.html#_label0

安装、配置、测试

复制插件文件
cp -av /opt/tools/mariadb-5.5.60-linux-glibc_214-x86_64/lib/plugin/server_audit.so /opt/mysql/lib/plugin/
chmod a+x /opt/mysql/lib/plugin/server_audit.so

安装插件
INSTALL PLUGIN server_audit SONAME \'server_audit.so\';

配置my.cnf
server_audit_events=\'CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL\'
server_audit_logging=on
server_audit_file_path =/home/mysql/3306/audit_log/
server_audit_file_rotate_size=200000000
server_audit_file_rotations=200
server_audit_file_rotate_now=ON
值得注意的是，应该在server_audit插件被安装好，并且已经运行之后添加这些配置，否则过早在配置文件添加这个选项，会导致MySQL发生启动错误！

参数说明：
server_audit_output_type：指定日志输出类型，可为SYSLOG或FILE
server_audit_logging：启动或关闭审计
server_audit_events：指定记录事件的类型，可以用逗号分隔的多个值(connect,query,table)，如果开启了查询缓存(query cache)，查询直接从查询缓存返回数据，将没有table记录
server_audit_file_path：如server_audit_output_type为FILE，使用该变量设置存储日志的文件，可以指定目录，默认存放在数据目录的server_audit.log文件中
server_audit_file_rotate_size：限制日志文件的大小
server_audit_file_rotations：指定日志文件的数量，如果为0日志将从不轮转
server_audit_file_rotate_now：强制日志文件轮转
server_audit_incl_users：指定哪些用户的活动将记录，connect将不受此变量影响，该变量比server_audit_excl_users优先级高
server_audit_syslog_facility：默认为LOG_USER，指定facility
server_audit_syslog_ident：设置ident，作为每个syslog记录的一部分
server_audit_syslog_info：指定的info字符串将添加到syslog记录
server_audit_syslog_priority：定义记录日志的syslogd priority
server_audit_excl_users：该列表的用户行为将不记录，connect将不受该设置影响
server_audit_mode：标识版本，用于开发测试

重启mysql
/opt/mysql/scripts/my3306.sh restart

测试：
测试同Audit Plugin


卸载 server_audit
mysql> UNINSTALL PLUGIN server_audit;
mysql> show variables like \'%audit%\';
Empty set (0.00 sec)

防止 server_audit 插件被卸载，需要在配置文件中添加：
[mysqld]
server_audit=FORCE_PLUS_PERMANENT

重启MySQL生效