Audit Plugin installation and usage
Original article:
https://www.cnblogs.com/waynechou/p/mysql_audit.html#_label0 # includes an uninstall method
Download:
https://bintray.com/mcafee/mysql-audit-plugin/release/1.1.6-784#files
Installation, configuration, testing
Find the MySQL plugin directory:
mysql> SHOW GLOBAL VARIABLES LIKE 'plugin_dir';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| plugin_dir    | /opt/mysql/lib/plugin/ |
+---------------+------------------------+
1 row in set (0.00 sec)

Copy the downloaded .so file into plugin_dir and create the log directory:
cd /opt/tools/audit-plugin-mysql-5.6-1.1.6-784/lib
cp libaudit_plugin.so /opt/mysql/lib/plugin/
mkdir /home/mysql/3306/audit_log/
chown mysql.mysql /home/mysql/3306/audit_log/

Download the offset script and compute the offsets for your mysqld version:
wget https://raw.github.com/mcafee/mysql-audit/master/offset-extract/offset-extract.sh
chmod +x offset-extract.sh
[root@docker1 /opt/tools 19:42:56&&11]#./offset-extract.sh /opt/mysql/bin/mysqld
//offsets for: /opt/mysql/bin/mysqld (5.6.35)
{"5.6.35","c48fe13e444883af96c7f134cd0c952b", 6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368, 13048, 548, 516},

Configure my.cnf by adding the following to the mysqld section:
plugin-load=AUDIT=libaudit_plugin.so
audit_offsets=6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368, 13048, 548, 516
audit_json_file=ON
audit_json_log_file=/home/mysql/3306/audit_log/mysql-audit.json
audit_record_cmds=insert,delete,update,create,drop,revoke,alter,grant,set # audit these statements

Restart the MySQL database:
service mysql restart

Verify that it took effect:
SHOW GLOBAL STATUS LIKE 'AUDIT_version'; # show the version
SHOW GLOBAL VARIABLES LIKE 'audit_json_file'; # check whether auditing is enabled
show plugins; # list the installed plugins
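Important parameters:
1. audit_json_file # whether the audit function is enabled
2. audit_json_log_file # path and name of the log file
3. audit_record_cmds # the commands the audit records; by default all commands are recorded. It can be set to any combination of DML, DCL and DDL commands, e.g. audit_record_cmds=select,insert,delete,update. It can also be set online with set global audit_record_cmds=NULL (meaning record all commands)
4. audit_record_objs
The objects whose operations the audit records; by default all objects are recorded, and SET GLOBAL audit_record_objs=NULL restores that default. It can also be given in the following format: audit_record_objs=,test.*,mysql.*,information_schema.*.
For other configuration parameters, see: https://github.com/mcafee/mysql-audit/wiki/Configuration
Test: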
CREATE TABLE `t1` ( `id` int(10) NOT NULL AUTO_INCREMENT, `age` tinyint(4) NOT NULL DEFAULT '0', `name` varchar(30) NOT NULL DEFAULT '', PRIMARY KEY (`id`) )DEFAULT CHARSET=utf8;
INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('1', '1');
INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('3', '3');
INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('4', '4');
INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('5', '5');
update t1 set name='6' where age='5';
delete from t1 where age='1';
select * from t1;
# View the audit log
[root@docker1 /opt/tools 19:43:00&&12]#cat /home/mysql/3306/audit_log/mysql-audit.json
{"msg-type":"header","date":"1532167436580","audit-version":"1.1.6-784","audit-protocol-version":"1.0","hostname":"docker1","mysql-version":"5.6.35-log","mysql-program":"/opt/mysql/bin/mysqld","mysql-socket":"/tmp/my3306.sock","mysql-port":"3306","server_pid":"43306"}
{"msg-type":"activity","date":"1532167889630","thread-id":"9","query-id":"54","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `t1` (`age`, `name`) VALUES ('2', '2')"}
{"msg-type":"activity","date":"1532167962813","thread-id":"8","query-id":"68","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('1', '1')"}
{"msg-type":"activity","date":"1532167962831","thread-id":"8","query-id":"69","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('3', '3')"}
{"msg-type":"activity","date":"1532167962849","thread-id":"8","query-id":"70","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('4', '4')"}
{"msg-type":"activity","date":"1532167962867","thread-id":"8","query-id":"71","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('5', '5')"}
{"msg-type":"activity","date":"1532168079332","thread-id":"8","query-id":"87","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"update","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"update t1 set name='6' where age='5'"}
{"msg-type":"activity","date":"1532168113498","thread-id":"8","query-id":"103","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"1","status":"0","cmd":"delete","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"delete from t1 where age='1'"}
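As an added example (not part of the original article or of the plugin project), the following Python script reads a log in the record layout shown above and lists the DDL, DCL and SET statements with UTC time, user, client IP and affected objects. The sample records, the SENSITIVE set and the function names are assumptions made for this example.

```python
import json
from datetime import datetime, timezone

# High-impact statement types for this example (an assumption): the DDL/DCL/SET
# subset of the audit_record_cmds list configured above.
SENSITIVE = {"create", "drop", "alter", "grant", "revoke", "set"}

# Constructed sample in the record layout shown above: a header, two records run
# together on one line, a record without "objects", and one cut off mid-write.
SAMPLE = r'''{"msg-type":"header","date":"1532167436580","audit-version":"1.1.6-784"}
{"msg-type":"activity","date":"1532167962813","user":"root","ip":"192.0.2.10","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO t1 (age) VALUES ('1')"} {"msg-type":"activity","date":"1532168200000","user":"root","ip":"192.0.2.10","cmd":"drop","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"DROP TABLE t1"}
{"msg-type":"activity","date":"1532168300000","user":"root","ip":"192.0.2.10","cmd":"grant","query":"GRANT SELECT ON test.* TO 'app'@'%'"}
{"msg-type":"activity","date":"15321'''


def iter_records(text):
    """Yield every JSON object in text, one per line or several per line."""
    decoder, pos = json.JSONDecoder(), 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        try:
            obj, pos = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            # Truncated or corrupt record: resume at the next line, if any.
            newline = text.find("\n", pos)
            if newline == -1:
                return
            pos = newline + 1
            continue
        if isinstance(obj, dict):
            yield obj


def sensitive_activity(text):
    """Return (utc_time, user, ip, cmd, objects, query) per sensitive statement."""
    hits = []
    for rec in iter_records(text):
        cmd = str(rec.get("cmd", "")).lower()
        # Match on the first "_"-separated token so longer cmd names also hit
        # (assumption: the page only shows insert/update/delete values).
        if rec.get("msg-type") != "activity" or cmd.split("_")[0] not in SENSITIVE:
            continue
        when = datetime.fromtimestamp(int(rec["date"]) // 1000, tz=timezone.utc)
        objs = [f'{o.get("db")}.{o.get("name")}' for o in rec.get("objects", [])]
        hits.append((when.isoformat(), rec.get("user"), rec.get("ip"),
                     cmd, objs, rec.get("query")))
    return hits
```

To run it against a real log, pass the contents of the file named in audit_json_log_file to sensitive_activity() instead of SAMPLE.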
MariaDB server_audit audit plugin
Download:
http://ftp.kaist.ac.kr/mariadb/
Original article:
https://www.cnblogs.com/waynechou/p/mysql_audit.html#_label0
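Installation, configuration, testing
Copy the plugin file:
cp -av /opt/tools/mariadb-5.5.60-linux-glibc_214-x86_64/lib/plugin/server_audit.so /opt/mysql/lib/plugin/
chmod a+x /opt/mysql/lib/plugin/server_audit.so

Install the plugin:
INSTALL PLUGIN server_audit SONAME 'server_audit.so';

Configure my.cnf:
server_audit_events='CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL'
server_audit_logging=on
server_audit_file_path =/home/mysql/3306/audit_log/
server_audit_file_rotate_size=200000000
server_audit_file_rotations=200
server_audit_file_rotate_now=ON

Note that these settings should be added only after the server_audit plugin has been installed and is running; adding them to the configuration file too early will cause MySQL to fail at startup!

Parameter descriptions:
server_audit_output_type: specifies the log output type; may be SYSLOG or FILE
server_audit_logging: enables or disables auditing
server_audit_events: specifies the types of events to record, as comma-separated values (connect,query,table); if the query cache is enabled and a query is answered directly from the query cache, no table record is produced
server_audit_file_path: when server_audit_output_type is FILE, this variable sets the file that stores the log; a directory may be specified; by default the log is stored in the server_audit.log file in the data directory
server_audit_file_rotate_size: limits the size of the log file
server_audit_file_rotations: specifies the number of log files; if 0, the log is never rotated
server_audit_file_rotate_now: forces a log file rotation
server_audit_incl_users: specifies which users' activity is recorded; connect is not affected by this variable; this variable takes precedence over server_audit_excl_users
server_audit_syslog_facility: defaults to LOG_USER; specifies the facility
server_audit_syslog_ident: sets the ident, which is part of every syslog record
server_audit_syslog_info: the specified info string is added to syslog records
server_audit_syslog_priority: defines the syslogd priority of the log records
server_audit_excl_users: activity of the users in this list is not recorded; connect is not affected by this setting
server_audit_mode: identifies the version; used for development and testing

Restart MySQL:
/opt/mysql/scripts/my3306.sh restart

Test:
Test the same way as for the Audit Plugin.

Uninstall server_audit:
mysql> UNINSTALL PLUGIN server_audit;
mysql> show variables like '%audit%';
Empty set (0.00 sec)

To prevent the server_audit plugin from being uninstalled, add the following to the configuration file:
[mysqld]
server_audit=FORCE_PLUS_PERMANENT
Restart MySQL for this to take effect.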