介绍MySQL AUDIT
MySQL AUDIT Plugin是一个 MySQL安全审计插件,由McAfee提供,设计强调安全性和审计能力。该插件可用作独立审计解决方案,或配置为数据传送给外部监测工具。支持版本为MySQL (5.1, 5.5, 5.6, 5.7),MariaDB (5.5, 10.0, 10.1) ,Platform (32 or 64 bit)。从Mariadb 10.0版本开始audit插件直接内嵌了,名称为server_audit.so,可以直接加载使用。
源码地址:https://github.com/mcafee/mysql-audit/
WIKI地址:https://github.com/mcafee/mysql-audit/wiki
二进制地址:https://bintray.com/mcafee/mysql-audit-plugin/release
macfee的mysql audit插件虽然日志信息比较大,对性能影响大,但是如果想要开启审计,那也应该忍受了。
安装使用MySQL AUDIT
从Mariadb 10.0版本开始audit插件直接内嵌了,名称为server_audit.so,可以直接加载使用,关于Mariadb audit插件安装使用自信Google。
|
1
2
|
$ ll /usr/lib64/mysql/plugin/server_audit.so
-rwxr-xr-x 1 root root 240725 Aug 6 2015 /usr/lib64/mysql/plugin/server_audit.so
|
MySQL安装如下:
|
1
2
3
4
5
6
7
8
|
$ unzip audit-plugin-mysql-5.7-1.1.1-660-linux-x86_64.zip
Archive: audit-plugin-mysql-5.7-1.1.1-660-linux-x86_64.zip
creating: audit-plugin-mysql-5.7-1.1.1-660/
creating: audit-plugin-mysql-5.7-1.1.1-660/lib/
inflating: audit-plugin-mysql-5.7-1.1.1-660/lib/libaudit_plugin.so
inflating: audit-plugin-mysql-5.7-1.1.1-660/COPYING
inflating: audit-plugin-mysql-5.7-1.1.1-660/THIRDPARTY.txt
inflating: audit-plugin-mysql-5.7-1.1.1-660/README.txt
|
MySQL的插件目录为:
|
1
2
3
4
5
6
7
|
mysql> show global variables like 'plugin_dir';
+---------------+--------------------------+
| Variable_name | Value |
+---------------+--------------------------+
| plugin_dir | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+
1 row in set (0.00 sec)
|
复制库文件到MySQL库目录下
|
1
2
|
$ cp audit-plugin-mysql-5.7-1.1.1-660/lib/libaudit_plugin.so /usr/lib64/mysql/plugin/
$ chmod a+x /usr/lib64/mysql/plugin/libaudit_plugin.so
|
加载Audit插件
|
1
|
mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
|
查看版本
|
1
2
3
4
5
6
7
8
|
mysql> show global status like '%audit%';
+------------------------+-----------+
| Variable_name | Value |
+------------------------+-----------+
| Audit_protocol_version | 1.0 |
| Audit_version | 1.1.1-660 |
+------------------------+-----------+
2 rows in set (0.01 sec)
|
开启Audit功能
|
1
2
|
mysql> SET GLOBAL audit_json_file=ON;
Query OK, 0 rows affected (0.00 sec)
|
执行任何语句(默认会记录任何语句),然后去mysql数据目录查看mysql-audit.json文件(默认为该文件)。
当然,我们还可以通过命令查看audit相关的命令。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
mysql> SHOW GLOBAL VARIABLES LIKE '%audit%';
+---------------------------------+-----------------------------------------------------------------------------------------+
| Variable_name | Value |
| audit_checksum | |
| audit_client_capabilities | OFF |
| audit_delay_cmds | |
| audit_delay_ms | 0 |
| audit_force_record_logins | OFF |
| audit_header_msg | ON |
| audit_json_file | ON |
| audit_json_file_bufsize | 1 |
| audit_json_file_flush | OFF |
| audit_json_file_retry | 60 |
| audit_json_file_sync | 0 |
| audit_json_log_file | mysql-audit.json |
| audit_json_socket | OFF |
| audit_json_socket_name | /var/run/db-audit/mysql.audit__data_mysql_3306_data_3306 |
| audit_json_socket_retry | 10 |
| audit_offsets | |
| audit_offsets_by_version | ON |
| audit_password_masking_cmds | CREATE_USER,GRANT,SET_OPTION,SLAVE_START,CREATE_SERVER,ALTER_SERVER,CHANGE_MASTER |
| audit_password_masking_regex | identified(?:/*.*?*/|s)*?by(?:/*.*?*/|s)*?(?:password)?(?:/*.*?*/|s)*? | ..... |
| audit_record_cmds | |
| audit_record_objs | |
| audit_sess_connect_attrs | ON |
| audit_uninstall_plugin | OFF |
| audit_validate_checksum | ON |
| audit_validate_offsets_extended | ON |
| audit_whitelist_cmds | BEGIN,COMMIT |
| audit_whitelist_users | |
+---------------------------------+-----------------------------------------------------------------------------------------+
|
其中我们需要关注的参数有:
1. audit_json_file
是否开启audit功能。
2. audit_json_log_file
记录文件的路径和名称信息。
3. audit_record_cmds
audit记录的命令,默认为记录所有命令。可以设置为任意dml、dcl、ddl的组合。如:audit_record_cmds=select,insert,delete,update。还可以在线设置set global audit_record_cmds=NULL。(表示记录所有命令)
4. audit_record_objs
audit记录操作的对象,默认为记录所有对象,可以用SET GLOBAL audit_record_objs=NULL设置为默认。也可以指定为下面的格式:audit_record_objs=,test.*,mysql.*,information_schema.*。
5. audit_whitelist_users
用户白名单。
查看审计数据
插入一些数据,查看一下mysql-audit.json文件信息(json格式),如下:
|
1
2
3
4
|
$ cat /data/mysql/3306/data/mysql-audit.json
{"msg-type":"activity","date":"1484735457403","thread-id":"6","query-id":"69","user":"root","priv_user":"root","ip":"","host":"localhost",
"connect_attrs":{"_os":"Linux","_client_name":"libmysql","_pid":"21284","_client_version":"5.7.17","_platform":"x86_64","program_name":"mysql"},
"cmd":"insert","objects":[{"db":"test","name":"tt","obj_type":"TABLE"}],"query":"insert into test.tt(count) values('1')"}
|
审计记录文件一般存放在mysql的数据目录下。