Enabling the audit function on MySQL 5.6


MySQL 5.5 introduced audit-related functionality, but the Community edition does not ship an audit system. McAfee's MySQL plugin can be used to give MySQL auditing, with a focus on security and audit requirements. The plugin can be used as a stand-alone audit solution, or configured to feed data to an external monitoring tool.

Installation manual:

Installation · mcafee/mysql-audit Wiki · GitHub

Download:
Releases · mcafee/mysql-audit · GitHub

Reference:

Using the MySQL audit tool Audit plugin

For parameter descriptions, see the official documentation directly:

Configuration · mcafee/mysql-audit Wiki · GitHub

 

Deployment

unzip audit-plugin-mysql-5.6-1.1.2-694-linux-x86_64.zip 
cp audit-plugin-mysql-5.6-1.1.2-694/lib/libaudit_plugin.so /var/bh/lib/mysql-5.6.23/lib/plugin/
chown -R mysql.mysql /var/bh/lib/mysql-5.6.23/lib/plugin/libaudit_plugin.so 
chmod +x /var/bh/lib/mysql-5.6.23/lib/plugin/libaudit_plugin.so

Check the MySQL plugin status

mysql> show global variables like 'plugin_dir';
+---------------+--------------------------------------+
| Variable_name | Value                                |
+---------------+--------------------------------------+
| plugin_dir    | /var/bh/lib/mysql-5.6.23/lib/plugin/ |
+---------------+--------------------------------------+
1 row in set (0.00 sec)


mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';
Empty set (0.00 sec)

Install the plugin

# mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
ERROR 1123 (HY000): Can't initialize function 'AUDIT'; Plugin initialization function failed.

# Disable host name resolution
#skip-external-locking
#skip-name-resolve

Disable the general log
#general_log_file        = /data/log/mysql/sh151-general.log
#general_log             = 0

# Obtain the offsets
# which mysqld
/usr/sbin/mysqld

# bash offset-extract.sh /usr/sbin/mysqld
//offsets for: /usr/sbin/mysqld (5.6.39)
{"5.6.39","4606574f16325737d4d37c0172435ff1", 6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368},

 

Modify the configuration file

[mysqld]
audit_json_file=on
plugin-load=AUDIT=libaudit_plugin.so
audit_record_cmds=CREATE_USER,GRANT,SET_OPTION,SLAVE_START,CREATE_SERVER,ALTER_SERVER,CHANGE_MASTER,UPDATE
audit_offsets=6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368

Restart the service and install again

mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
Query OK, 0 rows affected (0.49 sec)

mysql> SET GLOBAL audit_json_file=ON;
Query OK, 0 rows affected (0.00 sec)
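Before trusting the audit_offsets line above, a practitioner wants to confirm that the offsets entry really belongs to the mysqld that is running. The following is an added example, not code from the original post or from the mysql-audit project; it assumes, as the plugin's audit_validate_checksum variable suggests, that the 32-hex-character field in the offset-extract.sh output is the MD5 of the mysqld binary, and it renders the my.cnf line in the form used on this page.

```python
import hashlib
import re

# Constructed copy of the entry offset-extract.sh printed on this page.
OFFSET_LINE = ('{"5.6.39","4606574f16325737d4d37c0172435ff1", 6992, 7040, 4000, 4520, 72, '
               '2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, '
               '6360, 6384, 6368},')

ENTRY_RE = re.compile(r'^\s*\{"([^"]+)"\s*,\s*"([0-9a-fA-F]{32})"\s*,(.*)\}\s*,?\s*$')


def parse_offset_entry(line):
    """Split one offsets entry into (mysqld version, md5 hex digest, list of offsets)."""
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError("not an offsets entry: %r" % line)
    version, digest, rest = m.groups()
    offsets = [int(x) for x in rest.split(",") if x.strip()]
    return version, digest.lower(), offsets


def audit_offsets_option(offsets):
    """Render the my.cnf line in the form used on this page."""
    return "audit_offsets=" + ", ".join(str(o) for o in offsets)


def md5_hex(chunks):
    """MD5 over an iterable of byte strings (the mysqld file, read in pieces)."""
    h = hashlib.md5()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def md5_of_file(path):
    with open(path, "rb") as f:
        return md5_hex(iter(lambda: f.read(1 << 20), b""))


def binary_matches_entry(path, server_version, entry_line):
    """True only when the running server's version (from SELECT VERSION()) and the
    binary's MD5 both agree with the entry; otherwise the offsets are for another build.
    Assumption: the digest field is the MD5 of the mysqld binary."""
    version, digest, _ = parse_offset_entry(entry_line)
    return version == server_version and md5_of_file(path) == digest


if __name__ == "__main__":
    v, d, offs = parse_offset_entry(OFFSET_LINE)
    print("entry is for mysqld %s (md5 %s), %d offsets" % (v, d, len(offs)))
    print(audit_offsets_option(offs))
```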

 

View the installed plugin's variables

mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';
+---------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Variable_name                   | Value                                                                                                                                                                                                                                                                                                                                                                                       |
+---------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| audit_before_after              | after                                                                                                                                                                                                                                                                                                                                                                                       |
| audit_checksum                  |                                                                                                                                                                                                                                                                                                                                                                                             |
| audit_client_capabilities       | OFF                                                                                                                                                                                                                                                                                                                                                                                         |
| audit_delay_cmds                |                                                                                                                                                                                                                                                                                                                                                                                             |
| audit_delay_ms                  | 0                                                                                                                                                                                                                                                                                                                                                                                           |
| audit_force_record_logins       | OFF                                                                                                                                                                                                                                                                                                                                                                                         |
| audit_header_msg                | ON                                                                                                                                                                                                                                                                                                                                                                                          |
| audit_json_file                 | ON                                                                                                                                                                                                                                                                                                                                                                                          |
| audit_json_file_bufsize         | 1                                                                                                                                                                                                                                                                                                                                                                                           |
| audit_json_file_flush           | OFF                                                                                                                                                                                                                                                                                                                                                                                         |
| audit_json_file_retry           | 60                                                                                                                                                                                                                                                                                                                                                                                          |
| audit_json_file_sync            | 0                                                                                                                                                                                                                                                                                                                                                                                           |
| audit_json_log_file             | mysql-audit.json                                                                                                                                                                                                                                                                                                                                                                            |
| audit_json_socket               | OFF                                                                                                                                                                                                                                                                                                                                                                                         |
| audit_json_socket_name          | /var/run/db-audit/mysql.audit__var_bh_data_mysql_3306                                                                                                                                                                                                                                                                                                                                       |
| audit_json_socket_retry         | 10                                                                                                                                                                                                                                                                                                                                                                                          |
| audit_offsets                   |                                                                                                                                                                                                                                                                                                                                                                                             |
| audit_offsets_by_version        | ON                                                                                                                                                                                                                                                                                                                                                                                          |
| audit_password_masking_cmds     | CREATE_USER,GRANT,SET_OPTION,SLAVE_START,CREATE_SERVER,ALTER_SERVER,CHANGE_MASTER,UPDATE                                                                                                                                                                                                                                                                                                    |
| audit_password_masking_regex    | identified(?:/\*.*?\*/|\s)*?by(?:/\*.*?\*/|\s)*?(?:password)?(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"]|password(?:/\*.*?\*/|\s)*?\((?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"](?:/\*.*?\*/|\s)*?\)|password(?:/\*.*?\*/|\s)*?(?:for(?:/\*.*?\*/|\s)*?\S+?)?(?:/\*.*?\*/|\s)*?=(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"]|password(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"] |
| audit_record_cmds               |                                                                                                                                                                                                                                                                                                                                                                                             |
| audit_record_objs               |                                                                                                                                                                                                                                                                                                                                                                                             |
| audit_sess_connect_attrs        | ON                                                                                                                                                                                                                                                                                                                                                                                          |
| audit_socket_creds              | ON                                                                                                                                                                                                                                                                                                                                                                                          |
| audit_uninstall_plugin          | OFF                                                                                                                                                                                                                                                                                                                                                                                         |
| audit_validate_checksum         | ON                                                                                                                                                                                                                                                                                                                                                                                          |
| audit_validate_offsets_extended | ON                                                                                                                                                                                                                                                                                                                                                                                          |
| audit_whitelist_cmds            | BEGIN,COMMIT,PING                                                                                                                                                                                                                                                                                                                                                                           |
| audit_whitelist_users           |                                                                                                                                                                                                                                                                                                                                                                                             |
+---------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
29 rows in set (0.00 sec)

Check the plugin version

mysql> show global status like 'AUDIT_version';
+---------------+-----------+
| Variable_name | Value     |
+---------------+-----------+
| Audit_version | 1.1.2-694 |
+---------------+-----------+
1 row in set (0.00 sec)

 

Locate the audit log

# find / -name mysql-audit.json
/data/mysql/mysql-audit.json
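Once the log file has been located, its records can be triaged, which is the point of collecting them. This is an added example, not code from the original post or from the mysql-audit project: the field names in the constructed sample are my assumption about the plugin's JSON record layout, the deliberately broken line stands in for a record read while the plugin was still writing it, and the privileged-command list is the one from audit_record_cmds above.

```python
import json
from collections import Counter

# Constructed sample records (field names assumed); the first line mimics the header
# record that audit_header_msg=ON writes, the fourth is an intentionally damaged line.
SAMPLE_LOG = """\
{"msg-type":"header","date":"1525000000000","audit-version":"1.1.2-694","server_version":"5.6.39"}
{"msg-type":"activity","date":"1525000001000","thread-id":"5","query-id":"12","user":"app","priv_user":"app","ip":"10.0.0.5","host":"","cmd":"select","objects":[{"db":"shop","name":"orders","obj_type":"TABLE"}],"query":"select * from orders where id=1"}
{"msg-type":"activity","date":"1525000002000","thread-id":"7","query-id":"15","user":"root","priv_user":"root","ip":"10.0.0.9","host":"","cmd":"grant","objects":[],"query":"grant select on shop.* to 'report'@'%' identified by '***'"}
{"msg-type":"activity","date":"1525000002500","thread-id":"7","query-id":"1
{"msg-type":"activity","date":"1525000003000","thread-id":"7","query-id":"16","user":"root","priv_user":"root","ip":"10.0.0.9","host":"","cmd":"create_user","objects":[],"query":"create user 'bob'@'%' identified by '***'"}
"""

# Commands this page sends to audit_record_cmds, lower-cased for comparison.
PRIVILEGED = frozenset(c.lower() for c in
    "CREATE_USER,GRANT,SET_OPTION,SLAVE_START,CREATE_SERVER,ALTER_SERVER,CHANGE_MASTER".split(","))


def parse_audit_log(text):
    """Return (activity records, count of lines that were not valid JSON)."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            bad += 1          # partial write or corruption: count it rather than drop it silently
            continue
        if rec.get("msg-type") == "activity":
            records.append(rec)
    return records, bad


def privileged_events(records, cmds=PRIVILEGED):
    """Pick out account and replication changes, keyed by who ran them and from where."""
    return [(r["date"], r["user"], r["ip"], r["cmd"].lower(), r["query"])
            for r in records if r.get("cmd", "").lower() in cmds]


def commands_per_user(records):
    """(user, command) -> count, a quick baseline for spotting unusual activity."""
    return Counter((r["user"], r["cmd"].lower()) for r in records)


if __name__ == "__main__":
    recs, bad = parse_audit_log(SAMPLE_LOG)
    print("%d activity records, %d unparsable lines" % (len(recs), bad))
    for ev in privileged_events(recs):
        print("PRIVILEGED", ev)
```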


 

Whitelist settings:

Used for the part that should not be audited

mysql> set global audit_whitelist_users = 'z';

 

Common parameter descriptions:

audit_json_file        # whether the audit function is enabled (ON/OFF)

audit_json_log_file     # name and location of the log file; defaults to MySQL's data directory

audit_record_cmds=''    # the SQL commands to monitor; default is all

That is, the commands audit records; by default all commands are recorded. It can be set to any combination of DML, DCL and DDL commands, e.g. audit_record_cmds=select,insert,delete,update.

It can also be set online with set global audit_record_cmds=NULL (which means record all commands).

audit_record_objs='db.*'    # the database and table names to monitor; default is all.

That is, the objects whose operations audit records; by default all objects are recorded, and SET GLOBAL audit_record_objs=NULL restores the default.

It can also be specified in the following format: audit_record_objs=,test.*,mysql.*,information_schema.*.

audit_whitelist_users    # user whitelist

 

Finally, so that the configuration is not lost when the database restarts, edit my.cnf and add the following parameters to the [mysqld] section:

audit_json_file=on    # makes the plugin start automatically after MySQL restarts

plugin-load=AUDIT=libaudit_plugin.so    # even if the plugin is removed, it is loaded again on restart

audit_record_cmds='insert,delete,update,create,drop,alter,grant,truncate'   # which statements to record, since the default records all operations

 

Uninstalling the plugin

Running UNINSTALL PLUGIN AUDIT directly fails with an error:

> uninstall plugin AUDIT;
ERROR 1148 (42000): Uninstall AUDIT plugin disabled

> set audit_uninstall_plugin=on;
ERROR 1238 (HY000): Variable 'audit_uninstall_plugin' is a read only variable

You need to add audit_uninstall_plugin=1 under [mysqld] in my.cnf and restart MySQL. After the restart, run UNINSTALL PLUGIN AUDIT; twice to uninstall.

> UNINSTALL PLUGIN AUDIT;
ERROR 1620 (HY000): Uninstall AUDIT plugin must be called again to complete
> UNINSTALL PLUGIN AUDIT;
Query OK, 0 rows affected, 1 warning (0.01 sec)

After uninstalling, remove audit_uninstall_plugin=1 from my.cnf, otherwise MySQL reports an error at its next start:

[ERROR] /data/mysql/bin/mysqld: unknown variable 'audit_uninstall_plugin=1'

