環境:
OS:Centos
DB:mysql 5.7
1.獲取到安全審計插件
可以下載mariadb后,解壓找到server_audit.so
我這里下載的mariadb版本是10.4
2.將server_audit.so 拷貝到mysql插件的路徑下
[root@localhost plugin]#cp /soft/server_audit.so /opt/mysql57/lib/plugin/
3.拷貝過去后注意修改下權限
[root@localhost plugin]# chown mysql:mysql ./server_audit.so
4.登錄mysql安裝插件
mysql> INSTALL PLUGIN server_audit SONAME 'server_audit.so';
Query OK, 0 rows affected (0.06 sec)
5.檢查審計功能是否開啟,沒有開啟則開啟
mysql> show variables like '%audit%';
+-------------------------------+-----------------------+
| Variable_name | Value |
+-------------------------------+-----------------------+
| server_audit_events | |
| server_audit_excl_users | |
| server_audit_file_path | server_audit.log |
| server_audit_file_rotate_now | OFF |
| server_audit_file_rotate_size | 1000000 |
| server_audit_file_rotations | 9 |
| server_audit_incl_users | |
| server_audit_loc_info | |
| server_audit_logging | OFF |
| server_audit_mode | 1 |
| server_audit_output_type | file |
| server_audit_query_log_limit | 1024 |
| server_audit_syslog_facility | LOG_USER |
| server_audit_syslog_ident | mysql-server_auditing |
| server_audit_syslog_info | |
| server_audit_syslog_priority | LOG_INFO |
+-------------------------------+-----------------------+
16 rows in set (0.03 sec)
6.開啟審計功能
先創建審計存儲目錄
[root@localhost mysql57]#mkdir -p /opt/mysql57/audit
[root@localhost mysql57]#chown -R mysql:mysql ./audit/
開啟審計
mysql>set global server_audit_logging=on;
mysql>set global server_audit_file_path='/opt/mysql57/audit';
mysql>set global server_audit_file_rotate_size=200000000;
mysql>set global server_audit_file_rotations=200;
mysql>set global server_audit_file_rotate_now=ON;
7.將如下配置添加到初始化文件
server_audit_logging=on
server_audit_file_path =/opt/mysql57/audit
server_audit_file_rotate_size=200000000
server_audit_file_rotations=200
server_audit_file_rotate_now=ON
8.驗證
mysql> create database db_hxl;
Query OK, 1 row affected (0.04 sec)
查看審計日志
[root@localhost audit]# more server_audit.log
20200414 09:02:53,localhost.localdomain,root,localhost,6,10,QUERY,,'set global server_audit_file_rotate_now=ON',0
20200414 09:03:09,localhost.localdomain,root,localhost,6,11,QUERY,,'show variables like \'%audit%\'',0
20200414 09:05:25,localhost.localdomain,root,localhost,6,12,QUERY,,'show databases',0
20200414 09:05:33,localhost.localdomain,root,localhost,6,13,QUERY,,'create database db_hxl',0
20200414 09:06:36,localhost.localdomain,root,localhost,6,14,QUERY,,'SELECT DATABASE()',0
9.參數說明:
詳細請參考:https://mariadb.com/kb/en/mariadb/server_audit-system-variables/
server_audit_output_type:指定日志輸出類型,可為SYSLOG或FILE
server_audit_logging:啟動或關閉審計
server_audit_events:指定記錄事件的類型,可以用逗號分隔的多個值(connect,query,table),如果開啟了查詢緩存(query cache),查詢直接從查詢緩存返回數據,將沒有table記錄
server_audit_file_path:如server_audit_output_type為FILE,使用該變量設置存儲日志的文件,可以指定目錄,默認存放在數據目錄的server_audit.log文件中
server_audit_file_rotate_size:限制日志文件的大小
server_audit_file_rotations:指定日志文件的數量,如果為0日志將從不輪轉
server_audit_file_rotate_now:強制日志文件輪轉
server_audit_incl_users:指定哪些用戶的活動將記錄,connect將不受此變量影響,該變量比server_audit_excl_users優先級高
server_audit_syslog_facility:默認為LOG_USER,指定facility
server_audit_syslog_ident:設置ident,作為每個syslog記錄的一部分
server_audit_syslog_info:指定的info字符串將添加到syslog記錄
server_audit_syslog_priority:定義記錄日志的syslogd priority
server_audit_excl_users:該列表的用戶行為將不記錄,connect將不受該設置影響
server_audit_mode:標識版本,用於開發測試
10.卸載server_audit
mysql> UNINSTALL PLUGIN server_audit;
mysql> show variables like '%audit%';
Empty set (0.00 sec)
防止server_audit 插件被卸載,需要在配置文件中添加:
[mysqld]
server_audit=FORCE_PLUS_PERMANENT
重啟MySQL生效
值得注意的是,應該在server_audit插件被安裝好,並且已經運行之后添加這些配置,否則過早在配置文件添加這個選項,會導致MySQL發生啟動錯誤!
mysql> UNINSTALL PLUGIN server_audit;
ERROR 1702 (HY000): Plugin 'server_audit' is force_plus_permanent and can not be unloaded
11.關閉審計
set global server_audit_logging=off;
12.不審計查詢
set global server_audit_events='connect,table,query_ddl,query_dcl,query_dml_no_select';
-- The End --