MySQL 5.5 introduced audit functionality, but the Community edition does not support the audit system. McAfee's MySQL plugin can be used to give MySQL auditing, with an emphasis on security and audit requirements. The plugin can serve as a standalone audit solution or be configured to feed its data to an external monitoring tool.
Installation manual:
Installation · mcafee/mysql-audit Wiki · GitHub
Download:
Releases · mcafee/mysql-audit · GitHub
Reference:
For parameter descriptions, consult the official documentation directly:
Configuration · mcafee/mysql-audit Wiki · GitHub
Deployment
unzip audit-plugin-mysql-5.6-1.1.2-694-linux-x86_64.zip
cp audit-plugin-mysql-5.6-1.1.2-694/lib/libaudit_plugin.so /var/bh/lib/mysql-5.6.23/lib/plugin/
chown -R mysql.mysql /var/bh/lib/mysql-5.6.23/lib/plugin/libaudit_plugin.so
chmod +x /var/bh/lib/mysql-5.6.23/lib/plugin/libaudit_plugin.so
Check the MySQL plugin status
mysql> show global variables like 'plugin_dir';
+---------------+--------------------------------------+
| Variable_name | Value                                |
+---------------+--------------------------------------+
| plugin_dir    | /var/bh/lib/mysql-5.6.23/lib/plugin/ |
+---------------+--------------------------------------+
1 row in set (0.00 sec)
mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';
Empty set (0.00 sec)
Install the plugin
mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
ERROR 1123 (HY000): Can't initialize function 'AUDIT'; Plugin initialization function failed.
# Disable hostname resolution
#skip-external-locking
#skip-name-resolve
Disable the general log
#general_log_file = /data/log/mysql/sh151-general.log
#general_log = 0
# Get the offsets
# which mysqld
/usr/sbin/mysqld
# bash offset-extract.sh /usr/sbin/mysqld
//offsets for: /usr/sbin/mysqld (5.6.39)
{"5.6.39","4606574f16325737d4d37c0172435ff1", 6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368},
Edit the configuration file
[mysqld]
audit_json_file=on
plugin-load=AUDIT=libaudit_plugin.so
audit_record_cmds=CREATE_USER,GRANT,SET_OPTION,SLAVE_START,CREATE_SERVER,ALTER_SERVER,CHANGE_MASTER,UPDATE
audit_offsets=6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368
Restart the service and install again
mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
Query OK, 0 rows affected (0.49 sec)
mysql> SET GLOBAL audit_json_file=ON;
Query OK, 0 rows affected (0.00 sec)
View the installed plugin's variables
mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';
+---------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Variable_name | Value |
+---------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| audit_before_after | after |
| audit_checksum | |
| audit_client_capabilities | OFF |
| audit_delay_cmds | |
| audit_delay_ms | 0 |
| audit_force_record_logins | OFF |
| audit_header_msg | ON |
| audit_json_file | ON |
| audit_json_file_bufsize | 1 |
| audit_json_file_flush | OFF |
| audit_json_file_retry | 60 |
| audit_json_file_sync | 0 |
| audit_json_log_file | mysql-audit.json |
| audit_json_socket | OFF |
| audit_json_socket_name | /var/run/db-audit/mysql.audit__var_bh_data_mysql_3306 |
| audit_json_socket_retry | 10 |
| audit_offsets | |
| audit_offsets_by_version | ON |
| audit_password_masking_cmds | CREATE_USER,GRANT,SET_OPTION,SLAVE_START,CREATE_SERVER,ALTER_SERVER,CHANGE_MASTER,UPDATE |
| audit_password_masking_regex | identified(?:/\*.*?\*/|\s)*?by(?:/\*.*?\*/|\s)*?(?:password)?(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"]|password(?:/\*.*?\*/|\s)*?\((?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"](?:/\*.*?\*/|\s)*?\)|password(?:/\*.*?\*/|\s)*?(?:for(?:/\*.*?\*/|\s)*?\S+?)?(?:/\*.*?\*/|\s)*?=(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"]|password(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"] |
| audit_record_cmds | |
| audit_record_objs | |
| audit_sess_connect_attrs | ON |
| audit_socket_creds | ON |
| audit_uninstall_plugin | OFF |
| audit_validate_checksum | ON |
| audit_validate_offsets_extended | ON |
| audit_whitelist_cmds | BEGIN,COMMIT,PING |
| audit_whitelist_users | |
+---------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
29 rows in set (0.00 sec)
Check the plugin version
mysql> show global status like 'AUDIT_version';
+---------------+-----------+
| Variable_name | Value     |
+---------------+-----------+
| Audit_version | 1.1.2-694 |
+---------------+-----------+
1 row in set (0.00 sec)
Locate the audit log
# find / -name mysql-audit.json
/data/mysql/mysql-audit.json
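Once the log is found, the useful next step is reading it rather than only locating it. The following is an added example, not code from the page or from the mysql-audit project: it parses the plugin's JSON-per-line output and flags privilege changes, schema drops, failed logins and malformed lines. The record layout (msg-type "header"/"activity", fields user, priv_user, host, ip, cmd, objects, query) and the command names are assumptions based on the plugin's documented format, and every sample line below is constructed.

```python
"""Parse mysql-audit JSON log lines and flag security-relevant activity.

Added example, not code from the page or the mysql-audit project. The line
format and field names are assumptions based on the plugin's JSON output;
SAMPLE_LOG is constructed.
"""
import json

# Constructed sample lines in the plugin's one-JSON-object-per-line format (assumption).
SAMPLE_LOG = """\
{"msg-type":"header","date":"1520000000000","audit-version":"1.1.2-694","audit-protocol-version":"1.0","hostname":"sh151","mysql-version":"5.6.39","mysql-program":"/usr/sbin/mysqld","mysql-socket":"/var/bh/data/mysql/mysql.sock","mysql-port":"3306","server_pid":"1234"}
{"msg-type":"activity","date":"1520000001000","thread-id":"7","query-id":"12","user":"app","priv_user":"app","host":"10.0.0.5","ip":"10.0.0.5","cmd":"select","objects":[{"db":"shop","name":"orders","obj_type":"TABLE"}],"query":"select * from orders where id=1"}
{"msg-type":"activity","date":"1520000002000","thread-id":"8","query-id":"13","user":"root","priv_user":"root","host":"localhost","ip":"","cmd":"grant","objects":[],"query":"GRANT ALL ON *.* TO 'app'@'%' IDENTIFIED BY '***'"}
{"msg-type":"activity","date":"1520000003000","thread-id":"9","query-id":"14","user":"z","priv_user":"z","host":"localhost","ip":"","cmd":"drop_db","objects":[{"db":"shop","name":"","obj_type":"DATABASE"}],"query":"drop database shop"}
{"msg-type":"activity","date":"1520000004000","thread-id":"10","query-id":"15","user":"app","priv_user":"","host":"10.0.0.9","ip":"10.0.0.9","cmd":"Failed Login","query":"(null)"}
not json at all
"""

# Commands worth alerting on: privilege and schema changes plus failed logins
# (command names are assumed; adjust to what your own log actually contains).
WATCH_CMDS = {"grant", "revoke", "create_user", "drop_user", "alter_user",
              "drop_db", "drop_table", "Failed Login"}


def parse_audit_log(text):
    """Yield (line_no, record) for every line; junk lines become 'malformed' records."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            # A line that is not JSON means a crashed writer or tampering: surface it.
            yield line_no, {"msg-type": "malformed", "raw": raw}
            continue
        yield line_no, rec


def find_alerts(text, watch_cmds=WATCH_CMDS):
    """Return alert dicts for watched commands and malformed lines, in log order."""
    alerts = []
    for line_no, rec in parse_audit_log(text):
        kind = rec.get("msg-type")
        if kind == "malformed":
            alerts.append({"line": line_no, "reason": "malformed", "user": None, "cmd": None})
        elif kind == "activity" and rec.get("cmd") in watch_cmds:
            alerts.append({
                "line": line_no,
                "reason": "watched-cmd",
                "user": rec.get("user"),
                "cmd": rec["cmd"],
                "host": rec.get("host") or rec.get("ip"),
                "query": rec.get("query"),
            })
    return alerts


def summarize_by_user(text):
    """Count activity records per user, to spot accounts that should not be active."""
    counts = {}
    for _, rec in parse_audit_log(text):
        if rec.get("msg-type") == "activity":
            user = rec.get("user")
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
    print(summarize_by_user(SAMPLE_LOG))
```

Header records are skipped deliberately: they carry the server and plugin version, which is worth keeping for forensics but is not activity. Feeding the real file in is a matter of passing open('/data/mysql/mysql-audit.json').read() to find_alerts; for a large file, switch parse_audit_log to iterate over the file object instead of splitlines.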
Whitelist settings:
Users listed here are excluded from auditing
mysql> set global audit_whitelist_users = 'z';
Commonly used parameters:
audit_json_file #whether auditing is enabled (ON/OFF)
audit_json_log_file #log file name and location; defaults to MySQL's data directory
audit_record_cmds='' #SQL commands to audit; default: all
That is, the commands the audit records; by default every command is recorded. It can be set to any combination of DML, DCL and DDL statements, e.g. audit_record_cmds=select,insert,delete,update.
It can also be changed online with set global audit_record_cmds=NULL (which means record all commands).
audit_record_objs='db.*' #database and table names to audit; default: all.
That is, the objects whose operations the audit records; by default all objects are recorded, and SET GLOBAL audit_record_objs=NULL restores that default.
It can also be given in the following format: audit_record_objs=,test.*,mysql.*,information_schema.*.
audit_whitelist_users #user whitelist
Finally, so that the configuration survives a database restart, edit my.cnf and add the following under [mysqld]:
audit_json_file=on #make sure the plugin starts automatically after a MySQL restart
plugin-load=AUDIT=libaudit_plugin.so #even if the plugin has been uninstalled, it is loaded again on restart
audit_record_cmds='insert,delete,update,create,drop,alter,grant,truncate' #which statements to record, since by default every operation is recorded
Plugin uninstallation
Running UNINSTALL PLUGIN AUDIT directly fails with an error:
> uninstall plugin AUDIT;
ERROR 1148 (42000): Uninstall AUDIT plugin disabled
> set audit_uninstall_plugin=on;
ERROR 1238 (HY000): Variable 'audit_uninstall_plugin' is a read only variable
You need to add audit_uninstall_plugin=1 under [mysqld] in my.cnf and restart MySQL. After the restart, run UNINSTALL PLUGIN AUDIT; twice to uninstall.
> UNINSTALL PLUGIN AUDIT;
ERROR 1620 (HY000): Uninstall AUDIT plugin must be called again to complete
> UNINSTALL PLUGIN AUDIT;
Query OK, 0 rows affected, 1 warning (0.01 sec)
After uninstalling, remove audit_uninstall_plugin=1 from my.cnf, otherwise MySQL will fail with an error on the next startup:
[ERROR] /data/mysql/bin/mysqld: unknown variable 'audit_uninstall_plugin=1'
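The two my.cnf states described on this page, the persistence settings that must be present while the plugin is in use and the audit_uninstall_plugin=1 line that must be gone once it is not, are easy to check mechanically before a restart. The following is an added example, not code from the page or from the mysql-audit project: it reads the [mysqld] section with Python's configparser and reports what is missing or left behind. It generalises the page's last point to any audit_* variable remaining without the plugin, since mysqld rejects unknown options that way unless they carry the loose- prefix. The three sample configs are constructed; only plain key=value lines are handled (!include directives are not followed).

```python
"""Check a my.cnf [mysqld] section for mysql-audit persistence settings and
for an audit_uninstall_plugin flag left behind after removing the plugin.

Added example, not code from the page or the mysql-audit project.
The sample configurations below are constructed.
"""
import configparser

# Constructed: the persistence settings the page recommends are all present.
SAMPLE_GOOD = """\
[mysqld]
datadir=/data/mysql
skip-name-resolve
audit_json_file=on
plugin-load=AUDIT=libaudit_plugin.so
audit_record_cmds='insert,delete,update,create,drop,alter,grant,truncate'  # keep the log focused
"""

# Constructed: plugin loaded, but the uninstall switch was never removed.
SAMPLE_WEAK = """\
[mysqld]
datadir=/data/mysql
plugin-load=AUDIT=libaudit_plugin.so
audit_json_file=on
audit_uninstall_plugin=1
"""

# Constructed: plugin removed, flag still there; mysqld will not start.
SAMPLE_STALE = """\
[mysqld]
datadir=/data/mysql
audit_uninstall_plugin=1
"""

ON_VALUES = ("on", "1", "true")


def load_mysqld_section(text):
    """Return [mysqld] options as a dict.

    Keys use underscores (MySQL treats '-' and '_' in option names alike),
    surrounding quotes are stripped from values, and valueless options such
    as skip-name-resolve map to None.
    """
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   inline_comment_prefixes=("#",),
                                   interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return {}
    opts = {}
    for key, value in cp.items("mysqld"):
        norm = key.strip().replace("-", "_")
        opts[norm] = None if value is None else value.strip().strip("'\"")
    return opts


def plugin_loaded(opts):
    """True if plugin-load or plugin-load-add references the audit library."""
    return any("libaudit_plugin.so" in (opts.get(k) or "")
               for k in ("plugin_load", "plugin_load_add"))


def check_audit_config(text, expect_plugin=True):
    """Return a list of findings; an empty list means the file is consistent.

    expect_plugin=True checks the settings needed while the plugin is in use;
    expect_plugin=False checks that nothing audit-related lingers after removal.
    """
    opts = load_mysqld_section(text)
    loaded = plugin_loaded(opts)
    findings = []
    if expect_plugin:
        if not loaded:
            findings.append("WARN: plugin-load=AUDIT=libaudit_plugin.so missing; "
                            "the plugin is not reloaded after a restart")
        if (opts.get("audit_json_file") or "").lower() not in ON_VALUES:
            findings.append("WARN: audit_json_file is not on; no JSON log after a restart")
        if not opts.get("audit_record_cmds"):
            findings.append("INFO: audit_record_cmds unset; every statement is recorded")
        if (opts.get("audit_uninstall_plugin") or "").lower() in ON_VALUES:
            findings.append("WARN: audit_uninstall_plugin=1 left enabled; "
                            "the audit plugin can be removed with UNINSTALL PLUGIN AUDIT")
    else:
        if loaded:
            findings.append("WARN: plugin-load still references libaudit_plugin.so")
        lingering = sorted(k for k in opts if k.startswith("audit_"))
        if lingering:
            findings.append("WARN: audit variables remain without the plugin (%s); "
                            "mysqld will refuse to start with 'unknown variable'"
                            % ", ".join(lingering))
    return findings


if __name__ == "__main__":
    for name, text, expect in (("good", SAMPLE_GOOD, True),
                               ("weak", SAMPLE_WEAK, True),
                               ("stale", SAMPLE_STALE, False)):
        print(name, check_audit_config(text, expect_plugin=expect) or "ok")
```

Run it against the real file with check_audit_config(open('/etc/my.cnf').read()) before restarting, and with expect_plugin=False right after the two UNINSTALL PLUGIN AUDIT; statements. The audit_uninstall_plugin finding is deliberately a warning even while the plugin is loaded: the whole point of the read-only default is that the audit trail cannot be switched off from a SQL session.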