
Auditing MySQL with an open-source audit plugin


Today I'm writing about MySQL auditing and sharing it here!

Imagine this situation: you are the MySQL DBA at a company, and one day all of the data in the company database is deleted by someone. Even though there are backups, the service outage costs tens of millions, and the company now needs to find out who ran the delete.

But many people hold privileges on the database. How do you narrow it down, and where is the evidence? Feeling helpless? MySQL itself has no operation auditing feature, so does that mean all you can do in this situation is accept your bad luck? There are plenty of enterprise-grade auditing systems, but they all cost money.

This post discusses a simple, practical approach to auditing MySQL access.

1. MySQL Enterprise Audit Plugin – This plugin is not open source and is only available with MySQL Enterprise, which has a significant cost attached to it. It is the most stable and robust.

Note: only MySQL Enterprise Edition can use this audit plugin; Community Edition users will have to keep waiting.

2. Percona Audit Log Plugin – Percona provides an open source auditing solution that installs with Percona Server 5.5.37+ and 5.6.17+. This plugin has quite a few output features as it outputs XML, JSON and to syslog. Percona's implementation is the first to be a drop-in replacement for MySQL Enterprise Audit Plugin. As it has some internal hooks to the server to be feature-compatible with Oracle's plugin, it is not available as a standalone for other versions of MySQL. This plugin is actively maintained by Percona.

Note: Percona says this plugin only works with Percona Server; nobody else can use it.

3. McAfee MySQL Audit Plugin – Has been around the longest and is widely used. It is open source and robust, though it does not use the official auditing API. It isn't updated as often as one might like, and there haven't been any new features in some time. It was recently updated to support MySQL 5.7.

Note: this plugin does not appear to support automatic rotation of the audit log, which makes the log less convenient to review.

Download: https://bintray.com/mcafee/mysql-audit-plugin/release#files ; https://github.com/mcafee/mysql-audit/

1. Unpack the archive

[root@VM_35_215_centos wjq-software]# unzip audit-plugin-mysql-5.7-1.1.6-784-linux-x86_64.zip 
[root@VM_35_215_centos wjq-software]# cd audit-plugin-mysql-5.7-1.1.6-784/lib

2. Check MySQL's plugin directory:

root@localhost [wjqtest]>show variables like 'plugin_dir';
+---------------+------------------------------+
| Variable_name | Value                        |
+---------------+------------------------------+
| plugin_dir    | /usr/local/mysql/lib/plugin/ |
+---------------+------------------------------+
1 row in set (0.01 sec)

3. Copy the library file into the MySQL plugin directory

[root@VM_35_215_centos lib]# cp libaudit_plugin.so /usr/local/mysql/lib/plugin/
[root@VM_35_215_centos lib]# ll /usr/local/mysql/lib/plugin/libaudit_plugin.so
-rw-r--r-- 1 root root 1535547 Oct 22 23:22 /usr/local/mysql/lib/plugin/libaudit_plugin.so

4. Install the plugin

root@localhost [wjqtest]>install plugin AUDIT soname 'libaudit_plugin.so';

5. After a successful install, check which plugins MySQL currently has loaded

root@localhost [wjqtest]>show plugins;

6. Check the version:

root@localhost [wjqtest]>show global status like '%audit%';
+------------------------+-----------+
| Variable_name          | Value     |
+------------------------+-----------+
| Audit_protocol_version | 1.0       |
| Audit_version          | 1.1.6-784 |
+------------------------+-----------+
2 rows in set (0.00 sec)

root@localhost [wjqtest]>show variables like "%audit_json_file%";
+-------------------------+-------+
| Variable_name           | Value |
+-------------------------+-------+
| audit_json_file         | OFF   |
| audit_json_file_bufsize | 1     |
| audit_json_file_flush   | OFF   |
| audit_json_file_retry   | 60    |
| audit_json_file_sync    | 0     |
+-------------------------+-------+
5 rows in set (0.00 sec)

7. Enable auditing

root@localhost [wjqtest]>set global audit_json_file=1;
Query OK, 0 rows affected (0.01 sec)

root@localhost [wjqtest]>show variables like "%audit_json_file%";
+-------------------------+-------+
| Variable_name           | Value |
+-------------------------+-------+
| audit_json_file         | ON    |
| audit_json_file_bufsize | 1     |
| audit_json_file_flush   | OFF   |
| audit_json_file_retry   | 60    |
| audit_json_file_sync    | 0     |
+-------------------------+-------+
5 rows in set (0.00 sec)

root@localhost [(none)]>SHOW GLOBAL VARIABLES LIKE '%audi%';

This lists the plugin's configurable parameters. The ones we need to pay attention to are:

1. audit_json_file: whether auditing is enabled.

2. audit_json_log_file: path and name of the log file (by default it is placed in the MySQL data directory).

3. audit_record_cmds: the commands to record; by default all commands are recorded. It can be set to any combination of DML, DCL and DDL statements, e.g. audit_record_cmds=select,insert,delete,update. It can also be changed online with set global audit_record_cmds=NULL (which means record all commands).

4. audit_record_objs: the objects whose operations are recorded; by default all objects are recorded, and SET GLOBAL audit_record_objs=NULL restores that default. It can also be given in the following form: audit_record_objs=,test.*,mysql.*,information_schema.*.

5. audit_whitelist_users: user whitelist.

8. Once auditing is enabled, run any statement (by default every statement is recorded; statements with syntax errors are not), then go to the MySQL data directory and look at the mysql-audit.json file (the default file name).

[root@VM_35_215_centos lib]# cd /data/mysql/mysql_3306/data/
[root@VM_54_118_centos data]# ll mysql-audit.json
-rw-r----- 1 mysql mysql 5113 Oct 22 23:47 mysql-audit.json

Take a look at the contents of mysql-audit.json (JSON format):

{
  "msg-type": "activity",
  "date": "1540222959299",
  "thread-id": "1356",
  "query-id": "0",
  "user": "root",
  "priv_user": "root",
  "ip": "123.249.13.24",
  "host": "123.249.13.24",
  "cmd": "Connect",
  "query": "Connect"
}
{
  "msg-type": "activity",
  "date": "1540223138021",
  "thread-id": "573",
  "query-id": "633108",
  "user": "root",
  "priv_user": "root",
  "ip": "",
  "host": "localhost",
  "connect_attrs": {
    "_os": "linux-glibc2.12",
    "_client_name": "libmysql",
    "_pid": "6472",
    "_client_version": "5.7.19",
    "_platform": "x86_64",
    "program_name": "mysql"
  },
  "client_port": "29044",
  "status": "0",
  "cmd": "show_variables",
  "objects": [
    {
      "db": "",
      "obj_type": "TABLE"
    },
    {
      "db": "performance_schema",
      "name": "session_variables",
      "obj_type": "TABLE"
    }
  ],
  "query": "show variables like '%audit'"
}
{
  "msg-type": "activity",
  "date": "1540223144979",
  "thread-id": "573",
  "query-id": "633109",
  "user": "root",
  "priv_user": "root",
  "ip": "",
  "host": "localhost",
  "connect_attrs": {
    "_os": "linux-glibc2.12",
    "_client_name": "libmysql",
    "_pid": "6472",
    "_client_version": "5.7.19",
    "_platform": "x86_64",
    "program_name": "mysql"
  },
  "client_port": "29044",
  "rows": "30",
  "status": "0",
  "cmd": "show_variables",
  "objects": [
    {
      "db": "",
      "obj_type": "TABLE"
    },
    {
      "db": "performance_schema",
      "name": "session_variables",
      "obj_type": "TABLE"
    }
  ],
  "query": "show variables like '%audit%'"
}
{
  "msg-type": "activity",
  "date": "1540223230669",
  "thread-id": "573",
  "query-id": "633110",
  "user": "root",
  "priv_user": "root",
  "ip": "",
  "host": "localhost",
  "connect_attrs": {
    "_os": "linux-glibc2.12",
    "_client_name": "libmysql",
    "_pid": "6472",
    "_client_version": "5.7.19",
    "_platform": "x86_64",
    "program_name": "mysql"
  },
  "client_port": "29044",
  "rows": "1",
  "status": "0",
  "cmd": "show_variables",
  "objects": [
    {
      "db": "",
      "obj_type": "TABLE"
    },
    {
      "db": "performance_schema",
      "name": "session_variables",
      "obj_type": "TABLE"
    }
  ],
  "query": "show variables like '%audit_record_cmds%'"
}
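As an added example (not part of the original post), here is a small Python script that reads a log in the layout shown above and lists every destructive statement together with who ran it and from where, which is exactly the question in the opening scenario. The records it parses are constructed, and the set of cmd values treated as destructive is an assumption; adjust it to what your own log shows.

```python
import json
from datetime import datetime, timezone

# "cmd" values treated as destructive (assumed set for this example; extend it from your own log).
DESTRUCTIVE_CMDS = {"delete", "delete_multi", "drop_table", "drop_db", "truncate"}

def iter_records(text):
    """Yield each JSON object from mysql-audit.json. The plugin writes objects
    back to back with no array or separator, so json.loads() on the whole
    file fails; raw_decode() walks the stream one object at a time."""
    decoder, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():  # skip gaps between objects
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj

def find_destructive(text):
    """Return (utc_time, user, source, cmd, query) for every destructive record."""
    hits = []
    for rec in iter_records(text):
        if rec.get("msg-type") != "activity":
            continue
        if rec.get("cmd", "").lower() not in DESTRUCTIVE_CMDS:
            continue
        ts = datetime.fromtimestamp(int(rec["date"]) / 1000, tz=timezone.utc)  # "date" is epoch ms
        source = rec.get("ip") or rec.get("host", "")  # "ip" is empty for socket logins
        hits.append((ts.isoformat(), rec["user"], source, rec["cmd"], rec.get("query")))
    return hits

# Constructed sample in the plugin's layout: a harmless SHOW plus a DROP TABLE.
SAMPLE_LOG = """{
"msg-type": "activity", "date": "1540223138021", "thread-id": "573",
"query-id": "633108", "user": "root", "priv_user": "root", "ip": "", "host": "localhost",
"status": "0", "cmd": "show_variables", "query": "show variables like '%audit%'"
}
{
"msg-type": "activity", "date": "1540223230669", "thread-id": "573",
"query-id": "633110", "user": "app_deploy", "priv_user": "app_deploy",
"ip": "198.51.100.23", "host": "198.51.100.23", "status": "0", "cmd": "drop_table",
"objects": [{"db": "wjqtest", "name": "orders", "obj_type": "TABLE"}],
"query": "DROP TABLE orders"
}
"""

if __name__ == "__main__":
    for hit in find_destructive(SAMPLE_LOG):
        print(*hit)
```

Point it at the real file with `find_destructive(open("/data/mysql/mysql_3306/data/mysql-audit.json").read())`; because the log is written only while audit_json_file is ON, an empty result also tells you whether auditing was actually running at the time in question.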

Finally, so that the configuration is not lost when the database restarts, edit the my.cnf configuration file and add the following parameters under [mysqld]:

  • audit_json_file=on
    # ensures auditing is switched on automatically after MySQL restarts

  • plugin-load=AUDIT=libaudit_plugin.so
    # guards against the plugin having been uninstalled: it is loaded again on restart

  • audit_record_cmds='insert,delete,update,create,drop,alter,grant,truncate'
    # which statements to record, since the default records every operation

Save the file and restart to see the effect.
