
The MySQL audit plugin from McAfee

xxj123gogo
Published 2017/05/07 11:57

Project URL

https://github.com/mcafee/mysql-audit/

Installation

Copy the libaudit_plugin.so file from the installation package into the plugin_dir directory.

mysql> show global variables like 'plugin_dir';
+---------------+------------------------------+
| Variable_name | Value                        |
+---------------+------------------------------+
| plugin_dir    | /usr/local/mysql/lib/plugin/ |
+---------------+------------------------------+
1 row in set (0.01 sec)

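There are two ways to install the plugin:

Method 1:
[mysqld]
plugin-load=AUDIT=libaudit_plugin.so
No restart is required; this approach is recommended for production environments.

Method 2: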
mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';

Verification

mysql>  SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%';
+-------------+---------------+
| PLUGIN_NAME | PLUGIN_STATUS |
+-------------+---------------+
| AUDIT       | ACTIVE        |
+-------------+---------------+
1 row in set (0.00 sec)

Enable auditing

Auditing is not enabled by default.

mysql> set global audit_json_file=on;
Query OK, 0 rows affected (0.00 sec)

Check the output location
mysql> show global variables like 'audit_json_log_file';
+---------------------+------------------+
| Variable_name       | Value            |
+---------------------+------------------+
| audit_json_log_file | mysql-audit.json |
+---------------------+------------------+
1 row in set (0.00 sec)

Test
session1# mysql> select version();
+------------+
| version()  |
+------------+
| 5.7.18-log |
+------------+
1 row in set (0.00 sec)

session2# tail -f mysql-audit.json 
{"msg-type":"activity","date":"1494127901889","thread-id":"7","query-id":"36","user":"root","priv_user":"root","ip":"","host":"localhost","connect_attrs":{"_os":"linux-glibc2.5","_client_name":"libmysql","_pid":"8116","_client_version":"5.7.18","_platform":"x86_64","program_name":"mysql"},"pid":"8116","os_user":"root","appname":"mysql","rows":"1","cmd":"select","query":"select version()"}
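Each audit entry is one JSON object per line, so the file can be triaged with a few lines of script. The following is an added example, not code from the original post or from the mysql-audit project: it flags privilege-related commands and statements that change audit_* settings. The watched command list, the function name triage and every sample record except the first are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Commands worth a second look. cmd values are compared case-insensitively;
# the choice of commands is an assumption of this example.
WATCHED_CMDS = {"grant", "create_user", "drop_user", "uninstall_plugin", "failed login"}

# First record is the one shown above; the others are constructed for illustration.
SAMPLE_LINES = [
    '{"msg-type":"activity","date":"1494127901889","thread-id":"7","query-id":"36","user":"root","priv_user":"root","ip":"","host":"localhost","connect_attrs":{"_os":"linux-glibc2.5","_client_name":"libmysql","_pid":"8116","_client_version":"5.7.18","_platform":"x86_64","program_name":"mysql"},"pid":"8116","os_user":"root","appname":"mysql","rows":"1","cmd":"select","query":"select version()"}',
    '{"msg-type":"activity","date":"1494127960000","thread-id":"7","query-id":"37","user":"root","host":"localhost","cmd":"set_option","query":"set global audit_json_file=off"}',
    '{"msg-type":"activity","date":"1494128000000","thread-id":"9","query-id":"41","user":"app","host":"10.0.0.5","cmd":"grant","query":"grant all on *.* to app2@localhost"}',
    '{"msg-type":"activity","date":"14941280',  # truncated write
]

def triage(lines):
    """Return (findings, skipped) for an iterable of audit log lines."""
    findings, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # partial line, e.g. read while mysqld was still writing
            continue
        if not isinstance(rec, dict) or rec.get("msg-type") != "activity":
            continue  # header or other non-activity record
        cmd = rec.get("cmd", "").lower()
        if cmd in WATCHED_CMDS:
            reason = "watched command"
        elif cmd == "set_option" and "audit_" in rec.get("query", "").lower():
            reason = "audit setting changed"
        else:
            continue
        # "date" is milliseconds since the Unix epoch, stored as a string
        when = datetime.fromtimestamp(int(rec.get("date", 0)) // 1000, tz=timezone.utc)
        findings.append({"time": when.isoformat(), "user": rec.get("user"),
                         "host": rec.get("host"), "cmd": cmd, "reason": reason})
    return findings, skipped

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES)[0]:
        print(finding)
```

A non-zero skipped count on a file that is not being written to indicates damaged or truncated entries and is worth investigating on its own.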

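Common parameters

1. audit_json_file=on|off
Whether the audit function is enabled.

2. audit_json_log_file
Path and name of the audit file.

3. audit_record_cmds
Commands recorded by the audit; all commands are recorded by default.
It can be set to any combination of DML, DCL and DDL commands,
e.g. audit_record_cmds="select,insert,delete,update"

4. audit_record_objs
Objects or tables whose operations the audit records; all objects are recorded by default.
It can also be given in the following format:
audit_record_objs="*.mytable,mydb.*,mydb.mytable"

5. audit_whitelist_users
Whitelist: users whose queries are not recorded,
e.g. set global audit_whitelist_users="root,rpl";

See the end of this article for more parameters.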

 

All tuning parameters

  • audit_json_log_file: json log file name. If audit_json_file option is enabled will write audit trail to this file. Value may be either an absolute path or relative to the MySQL datadir. Default value: mysql-audit.json.
  • audit_json_file: json log file ON|OFF.
  • audit_json_file_sync: json log file sync period. If the value of this variable is greater than 0, audit log will sync to disk after every audit_json_file_sync writes. Default value: 0.
  • audit_json_file_flush: Calling set global audit_json_file_flush=on will cause a flush of the log file (close and reopen of the log). This can be used to rotate logs similarly to how MySQL manages its log files. See: http://dev.mysql.com/doc/refman/5.5/en/log-file-maintenance.html. For further clarification, see issue #140.
  • audit_json_socket_name: json UNIX socket name. If audit_json_socket option is enabled will write audit trail to this UNIX socket.
  • audit_json_socket: json UNIX socket ON|OFF.
  • audit_uninstall_plugin: AUDIT uninstall plugin ON|OFF (command line/conf file only). If disabled, attempts to uninstall the AUDIT plugin via the SQL UNINSTALL command will fail. Provides added security from uninstalling the plugin. Also protection from CVE-2010-1621 affecting versions up to 5.1.46.
  • audit_validate_checksum: mysqld binary checksum validation ON|OFF. See Troubleshooting section in Installation page.
  • audit_checksum: Checksum for mysqld to validate (command line/conf file only). Used when audit_offsets are present. The plugin will not load if the specified checksum doesn't match the calculated one. This is useful when offsets have been set manually and you want to avoid using the manual offsets without validation after an upgrade of mysqld.
  • audit_record_cmds: Comma separated list of commands to log to the audit trail. For example: insert,update,delete.
  • audit_record_objs: Comma separated list of objects (tables) to log to the audit trail. Table name should be specified as: database.table. Wild cards are supported and it is possible to specify: *.mytable or mydb.*. Specify: {} as part of the list to include the empty set to catch also cases where an activity has no objects (for example connect and quit).
  • audit_whitelist_users: Comma separated list of white-listed users whose queries are not recorded. Specify: {} as part of the list to include the empty user.
  • audit_whitelist_cmds: Comma separated list of white-listed cmds whose queries are not recorded. Introduced in version 1.0.6.
  • audit_force_record_logins: Force logging: Connect, Quit and Failed Login commands, regardless of the settings in audit_record_cmds and audit_record_objs variables. ON|OFF. Default value: OFF. Introduced in version 1.0.8.
  • audit_header_msg: Header message logging ON|OFF. Default value: ON. Introduced in version 1.0.6.
  • audit_password_masking_cmds: Comma separated list of commands for which the password masking regex will be applied. Default value includes MySQL commands that may include a password clause: CREATE_USER,GRANT,SET_OPTION,SLAVE_START,CREATE_SERVER,ALTER_SERVER,CHANGE_MASTER. Introduced in version 1.0.6.
  • audit_password_masking_regex: PCRE compliant regular expression used for password masking. Regex will be applied only to statements with command type as specified at: audit_password_masking_cmds. Introduced in version 1.0.6.
  • audit_json_file_retry: json log file retry interval. If the plugin fails to open/write to the json log file, will retry to open every specified interval in seconds. Set for 0 to disable retrying. Defaults to 60 seconds. Introduced in version 1.0.6.
  • audit_json_socket_retry: json socket retry interval. If the plugin fails to connect/write to the json audit socket, will retry to connect every specified interval in seconds. Set for 0 to disable retrying. Defaults to 10 seconds. Introduced in version 1.0.6.
  • audit_json_file_bufsize: json file buffer size in bytes used for logging. Value of 0 means default size, value of 1 means no buffering. Max value: 262144 (256KB). A larger value may improve performance when logging large statements (log entries larger than 4KB). Defaults to 0. If changed during run-time, a flush is needed for the new value to take effect. Default is ON. Introduced in version 1.0.8.
  • audit_client_capabilities: If enabled, the plugin sends the value of client capabilities bit map as an unsigned 64-bit value. Default is OFF. Introduced in version 1.1.1.
  • audit_sess_connect_attrs: If enabled, the plugin sends session connection attributes. Default is ON. Currently supported only on MySQL 5.6 and 5.7. Introduced in version 1.1.1. Note: logging of connection attributes also requires a client of MySQL 5.6 and up to connect to the server. The connection attributes were added in 5.6 as part of the communication protocol. When enabled, a json entry of the following form will be added to each log entry: "connect_attrs":{"_os":"Linux","_client_name":"libmysql","_pid":"11450","_client_version":"5.6.20-68.0","_platform":"x86_64","program_name":"mysql"}. For further info on connection attributes in MySQL see: https://dev.mysql.com/doc/refman/5.6/en/performance-schema-connection-attribute-tables.html.
  • audit_socket_creds: If enabled, the plugin sends information about the client process, such as the PID, application name and user name who owns it. Default is ON. Introduced in version 1.1.2.
  • audit_before_after: Controls whether the plugin writes its log records before or after execution of the current SQL statement, or both. Possible values are 'before', 'after', or 'both'. Default is 'after'. Introduced in version 1.1.2.
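Several of these parameters decide whether the audit trail can be bypassed or switched off, so the running values are worth reviewing after setup. The following is an added example, not code from the original post or from the mysql-audit project: it parses the table printed by show global variables like 'audit%' and reports settings that leave gaps in the trail. The sample table is constructed, and the function names, the privileged user list and treating a missing row as OFF are assumptions.

```python
# Constructed output of: show global variables like 'audit%'; (values are illustrative)
SAMPLE_TABLE = """\
+---------------------------+-----------------------------+
| Variable_name             | Value                       |
+---------------------------+-----------------------------+
| audit_force_record_logins | OFF                         |
| audit_json_file           | ON                          |
| audit_json_socket         | OFF                         |
| audit_record_cmds         | select,insert,delete,update |
| audit_uninstall_plugin    | ON                          |
| audit_whitelist_users     | root,rpl                    |
+---------------------------+-----------------------------+
"""

def parse_variables(table_text):
    """Parse the ASCII table printed by the mysql client into {name: value}."""
    values = {}
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0].startswith("audit_"):
            values[cells[0]] = cells[1]
    return values

def review(settings, privileged=("root",)):
    """Return a list of findings for settings that weaken the audit trail."""
    def on(name):
        # A variable missing from the table is treated as OFF (assumption).
        return settings.get(name, "OFF").upper() == "ON"

    findings = []
    if not on("audit_json_file") and not on("audit_json_socket"):
        findings.append("no output enabled: nothing is being written")
    excluded = {u.strip() for u in settings.get("audit_whitelist_users", "").split(",")}
    hidden = sorted(excluded & set(privileged))
    if hidden:
        findings.append("privileged users excluded from the trail: " + ",".join(hidden))
    if on("audit_uninstall_plugin"):
        findings.append("plugin can be removed with the SQL UNINSTALL command")
    if settings.get("audit_record_cmds") and not on("audit_force_record_logins"):
        findings.append("audit_record_cmds is restricted and logins are not forced into the log")
    return findings

if __name__ == "__main__":
    for finding in review(parse_variables(SAMPLE_TABLE)):
        print("-", finding)
```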
