  • 2.3.8 MySQL Security: Auditing

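    6. MySQL Security: Audit Management

    Auditing records the operations you perform so that evidence can be checked later. Enabling it on the production database itself is not recommended because it affects performance, but a third-party audit tool can be used.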
     

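    6.1 Open-source auditing: MySQL Audit Plugin

    MySQL 5.7 Enterprise Edition includes a built-in audit feature, but it is a paid product.
    The Community Edition can use the open-source MySQL Audit Plugin (provided by McAfee).
      
    Download: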
    https://github.com/mcafee/mysql-audit
     
    Parameters involved:
    audit_json_file = on
    plugin-load = AUDIT=libaudit_plugin.so
    audit_record_cmds = 'insert,delete,update,create,drop,alter,grant,truncate'
    audit_json_log_file = /var/log/mysql/mysql-audit.json
    audit_offsets = 7824, 7872, 3632, 4792, 456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, 13464, 148, 672
    If audit_record_cmds is not set, all DDL and DML statements are recorded.
     
     
    https://bintray.com/mcafee/mysql-audit-plugin/release/1.1.7-866
    https://bintray.com/mcafee/mysql-audit-plugin/release
     
    mysql root@localhost:auditdb> show global variables like 'plugin_dir';
    +---------------+--------------------------+
    | Variable_name | Value                    |
    +---------------+--------------------------+
    | plugin_dir    | /usr/lib64/mysql/plugin/ |
    +---------------+--------------------------+
     
     
    https://bintray.com/mcafee/mysql-audit-plugin/release#files/
    wget -O audit-plugin-percona-5.7-1.1.7-866-linux-x86_64.zip 'https://bintray.com/mcafee/mysql-audit-plugin/download_file?file_path=audit-plugin-percona-5.7-1.1.7-866-linux-x86_64.zip'
    [root@elasticsearch 09]# unzip audit-plugin-percona-5.7-1.1.7-866-linux-x86_64.zip
    cd audit-plugin-percona-5.7-1.1.7-866/lib/
    
    [root@elasticsearch lib]# cp libaudit_plugin.so /usr/lib64/mysql/plugin/
    [root@elasticsearch lib]# chmod +x /usr/lib64/mysql/plugin/libaudit_plugin.so
    [root@elasticsearch lib]# service mysqld restart
    Redirecting to /bin/systemctl restart mysqld.service
    
    
    install plugin audit soname 'libaudit_plugin.so';
    
    
    mysql root@localhost:(none)> show global status like 'AUDIT_version';
    +---------------+-----------+
    | Variable_name | Value     |
    +---------------+-----------+
    | Audit_version | 1.1.7-866 |
    +---------------+-----------+
     
     
    mysql root@localhost:(none)> show global variables like '%audit_json%';
    +---------------------------------+----------------------------------------------------+
    | Variable_name                   | Value                                              |
    +---------------------------------+----------------------------------------------------+
    | audit_json_file                 | ON                                                 |
    | audit_json_file_bufsize         | 1                                                  |
    | audit_json_file_flush           | OFF                                                |
    | audit_json_file_retry           | 60                                                 |
    | audit_json_file_sync            | 0                                                  |
    | audit_json_log_file             | /var/log/mysql/mysql-audit.json                    |
    | audit_json_socket               | OFF                                                |
    | audit_json_socket_name          | /var/run/db-audit/mysql.audit__var_lib_mysql_33057 |
    | audit_json_socket_retry         | 10                                                 |
    | audit_json_socket_write_timeout | 1000                                               |
    +---------------------------------+----------------------------------------------------+
     
    mysql root@localhost:(none)> show global variables like '%plugin%';
    +-------------------------------+--------------------------+
    | Variable_name                 | Value                    |
    +-------------------------------+--------------------------+
    | audit_uninstall_plugin        | OFF                      |
    | default_authentication_plugin | mysql_native_password    |
    | plugin_dir                    | /usr/lib64/mysql/plugin/ |
    +-------------------------------+--------------------------+
    
    mysql root@localhost:(none)> show global variables like '%load%';
    +------------------------------------+-------+
    | Variable_name                      | Value |
    +------------------------------------+-------+
    | have_dynamic_loading               | YES   |
    | innodb_buffer_pool_load_abort      | OFF   |
    | innodb_buffer_pool_load_at_startup | ON    |
    | innodb_buffer_pool_load_now        | OFF   |
    | innodb_force_load_corrupted        | OFF   |
    | preload_buffer_size                | 32768 |
    | slave_load_tmpdir                  | /tmp  |
    +------------------------------------+-------+
    
     
     
    [root@elasticsearch lib]# yum install jq -y
    [root@elasticsearch lib]# cat /var/log/mysql/mysql-audit.json |jq
     
    There is a bug with recording create statements:
    after create was enabled, no create records were logged at all.
     

    6.2 MySQL auditing with the built-in init-connect + binlog

    my.cnf:
    init-connect
     
    01. Create a table to store connection information
     
    create database auditdb default charset utf8;
    
    use auditdb
    
    create table accesslog(
    ID int primary key auto_increment,
    ConnectionID int,
    ConnUserName varchar(30), 
    PrivMatchName varchar(30),
    LoginTime timestamp
    );
    02. Configure privileges
     
    insert into mysql.db(host,db,user,select_priv,Insert_priv) values('%','auditdb','','Y','Y');
    flush privileges;
     
    03. Configure init-connect
    my.cnf
    
    server-id=1
    init-connect='insert into auditdb.accesslog (ConnectionID,ConnUserName,PrivMatchName,LoginTime) values(connection_id(),user(),current_user(),now());'
    log_bin=/var/log/mysql/binlog
    log_bin_index=/var/log/mysql/binlog.index
     
    The directory permissions must be correct
    [root@elasticsearch ~]# chown mysql.mysql /var/log/mysql/
    [root@elasticsearch ~]# ls /var/log/mysqld.log  -l
    -rw-r-----. 1 mysql mysql 458598 9月  12 19:17 /var/log/mysqld.log
     
    mysql root@localhost:auditdb> create database test;
    Query OK, 1 row affected
    Time: 0.001s
    mysql root@localhost:auditdb> drop database test;
    You're about to run a destructive command.
    Do you want to proceed? (y/n): y
    Your call!
    Query OK, 0 rows affected
    Time: 0.001s
     
     
    mysqlbinlog /var/log/mysql/binlog.000003
     
     
     
    The super administrator root does not get logged.
    The root user is not recorded.
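
The audit trail in 6.2 comes from matching the thread_id of each binlog event to accesslog.ConnectionID. The block below is an added example, not code from the original post, that performs that join in Python over constructed sample data. It assumes the text header layout printed by mysqlbinlog (a Query event line carrying `thread_id=`) and that binlog header times and LoginTime are in the same time zone. Because connection IDs start over after a server restart, it picks the latest login at or before the event, and it returns None when no accesslog row exists, as for root.

```python
import re
from datetime import datetime

# Constructed sample of `mysqlbinlog` text output (not taken from the page).
BINLOG_TEXT = """\
# at 219
#200912 19:20:01 server id 1  end_log_pos 313 CRC32 0x1a2b3c4d \tQuery\tthread_id=7\texec_time=0\terror_code=0
SET TIMESTAMP=1599909601/*!*/;
create database test
/*!*/;
# at 313
#200912 19:21:30 server id 1  end_log_pos 398 CRC32 0x5e6f7a8b \tQuery\tthread_id=3\texec_time=0\terror_code=0
SET TIMESTAMP=1599909690/*!*/;
drop database test
/*!*/;
"""

# Constructed rows of auditdb.accesslog:
# (ConnectionID, ConnUserName, PrivMatchName, LoginTime)
ACCESSLOG = [
    (7, "app@10.0.0.5", "app@%", "2020-09-12 18:02:11"),  # before a restart
    (7, "dev@10.0.0.9", "dev@%", "2020-09-12 19:18:40"),  # same id, reused later
]

HEADER = re.compile(r"^#(\d{6})\s+(\d{1,2}:\d{2}:\d{2}) server id \d+\s+"
                    r"end_log_pos \d+.*\sQuery\s+thread_id=(\d+)")

def attribute(binlog_text, accesslog):
    """Return [(event_time, thread_id, statement, ConnUserName or None)]."""
    rows = sorted((cid, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user)
                  for cid, user, _priv, ts in accesslog)
    out, current = [], None
    for line in binlog_text.splitlines():
        m = HEADER.match(line)
        if m:  # start of a Query event: remember its time and thread id
            when = datetime.strptime(m.group(1) + " " + m.group(2), "%y%m%d %H:%M:%S")
            current = [when, int(m.group(3)), []]
        elif current and line == "/*!*/;":  # bare delimiter ends the statement
            when, tid, stmt = current
            # Latest login with this ConnectionID at or before the event.
            logins = [u for cid, ts, u in rows if cid == tid and ts <= when]
            out.append((when, tid, " ".join(stmt), logins[-1] if logins else None))
            current = None
        elif current and not line.endswith("/*!*/;") and not line.startswith("#"):
            current[2].append(line.strip())  # statement text; SET ... lines skipped
    return out

if __name__ == "__main__":
    for event in attribute(BINLOG_TEXT, ACCESSLOG):
        print(event)
```

An event attributed to None is a statement with no recorded login, which is the case to review first since root connections leave no accesslog row.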
  • Original article: https://www.cnblogs.com/wenyule/p/13656965.html