McAfee MySQL audit plugin: installation and deployment

Environment:
OS: CentOS 7
MySQL: 5.7.29

 

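1. Download
https://github.com/mcafee/mysql-audit
Find and download the release that matches your MySQL version.
The one I downloaded here is
audit-plugin-mysql-5.7-1.1.7-913-linux-x86_64.zip

This release supports the following MySQL versions: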
MySQL64 8.0.22, 9.0.21, 8.0.20, 8.0.19, 8.0.18, 8.0.17, 8.0.16, 8.0.15, 8.0.14, 8.0.13, 8.0.12, 8.0.11,
5.6.49, 5.7.31, 5.6.46, 5.6.47, 5.6.48, 5.7.30, 5.7.29, 5.7.28, 5.6.45, 5.7.27, 5.6.44, 5.7.26

 

2. Unzip
[root@localhost ~]# unzip audit-plugin-mysql-5.7-1.1.7-913-linux-x86_64.zip

 

3. Check the current MySQL plugin directory
mysql> show global variables like 'plugin_dir';
+---------------+----------------------------------+
| Variable_name | Value |
+---------------+----------------------------------+
| plugin_dir | /data/middle/mysql57/lib/plugin/ |
+---------------+----------------------------------+
1 row in set (0.00 sec)

 

4. Copy the plugin into the plugin directory and set its ownership
[root@localhost ~]# cp /soft/audit-plugin-mysql-5.7-1.1.7-913/lib/libaudit_plugin.so /data/middle/mysql57/lib/plugin/
[root@localhost ~]# chown -R mysql:mysql /data/middle/mysql57/lib/plugin/libaudit_plugin.so

 

5. Install the plugin
mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
Query OK, 0 rows affected (0.61 sec)

Check:
mysql> select plugin_name, plugin_status from information_schema.plugins where plugin_name like '%audit%';
mysql> show plugins;


5. Enable auditing without a restart
mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
Query OK, 0 rows affected (4.91 sec)

set global audit_json_file = on;
set global audit_record_cmds="create,delete,update,create,drop,alter,grant,truncate,insert";
set global audit_json_log_file='/data/middle/mysql57/audit/mysql-audit.json';

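Notes:
a. I found that the audit_json_log_file parameter does not take effect; the generated log file is placed in the data directory at
/data/middle/mysql57/data/mysql-audit.json
A restart is required for it to take effect.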

 

b. audit_record_cmds settings
set global audit_record_cmds=""; ##record everything

set global audit_record_cmds="create_index,drop_index,create_db,drop_db,create_user,drop_user,create_table,drop_table,alter_user,alter_db,alter_table,alter_tablespace,grant,revoke,revoke_all,truncate,quit,connect"; ##ddl

set global audit_record_cmds="delete,update,insert"; ##record


6. Enable auditing by writing it into the my.cnf configuration file

[root@localhost ~]# vi /data/middle/mysql57/conf/my.cnf
Add the following under the [mysqld] section:
audit_json_file = on
plugin-load=AUDIT=libaudit_plugin.so
audit_record_cmds='insert,delete,update,create,drop,alter,grant,truncate'
audit_json_log_file='/data/middle/mysql57/audit/mysql-audit.json'
audit_uninstall_plugin=1 ##used to remove the plugin online

show variables like '%audit_record_cmds%';
show variables like '%audit%';

set global audit_record_cmds="";
set global audit_record_objs="";

7. Check the audit plugin version
mysql> SHOW GLOBAL STATUS LIKE 'AUDIT_version';
+---------------+-----------+
| Variable_name | Value |
+---------------+-----------+
| Audit_version | 1.1.7-913 |
+---------------+-----------+
1 row in set (0.00 sec)


8. Turn auditing off
set global audit_json_file = off;


9. Uninstall the plugin
mysql> uninstall plugin AUDIT;
ERROR 1148 (42000): Uninstall AUDIT plugin disabled
Uninstalling it directly returns an error.

mysql> set global audit_uninstall_plugin=on;
ERROR 1238 (HY000): Variable 'audit_uninstall_plugin' is a read only variable
This parameter is read-only and cannot be set online.


vi /data/middle/mysql57/conf/my.cnf
Comment out the audit settings and add audit_uninstall_plugin=1:
##audit_json_file = on
##plugin-load=AUDIT=libaudit_plugin.so
##audit_record_cmds='insert,delete,update,create,drop,alter,grant,truncate'
##audit_json_log_file='/data/middle/mysql57/audit/mysql-audit.json'
audit_uninstall_plugin=1

Restart mysql, then run the following command twice to complete the uninstall:


mysql> UNINSTALL PLUGIN AUDIT;
ERROR 1620 (HY000): Uninstall AUDIT plugin must be called again to complete
mysql> UNINSTALL PLUGIN AUDIT;
Query OK, 0 rows affected, 1 warning (0.00 sec)

 

10. After the uninstall completes, the audit_uninstall_plugin=1 setting must be removed from the configuration file and mysql restarted.

 

11. Set a whitelist so that specific users are not audited

set global audit_whitelist_users="hxl";
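
An added example, not from the original post: a small Python check that reads the [mysqld] section of my.cnf and reports the settings from the steps above that leave auditing off or removable (plugin not loaded at startup, audit_json_file off, audit_uninstall_plugin still set, users whitelisted). The function names, finding labels and sample config are constructed for illustration; values changed only with "set global" at runtime are not visible to it.

```python
import re

# Constructed sample: the [mysqld] settings shown on this page, with the
# uninstall switch still present.
SAMPLE_MY_CNF = """\
[client]
port = 3306

[mysqld]
audit_json_file = on
plugin-load=AUDIT=libaudit_plugin.so
audit_record_cmds='insert,delete,update,create,drop,alter,grant,truncate'
audit_json_log_file='/data/middle/mysql57/audit/mysql-audit.json'
audit_uninstall_plugin=1 ##used to remove the plugin online
"""

TRUE_VALUES = {"1", "on", "true"}

def mysqld_options(text):
    """Return {option: value} for [mysqld]; '-' and '_' in names are equivalent."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '#' comments (values containing '#' not handled)
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().lower().replace("-", "_")] = value.strip().strip("'\"")
    return opts

def audit_findings(text):
    """Hypothetical checker: list settings that weaken or disable auditing."""
    o = mysqld_options(text)
    findings = []
    loaded = o.get("plugin_load", "") + " " + o.get("plugin_load_add", "")
    if "libaudit_plugin.so" not in loaded:
        findings.append("plugin-not-loaded-at-startup")
    if o.get("audit_json_file", "").lower() not in TRUE_VALUES:
        findings.append("json-logging-off")
    if o.get("audit_uninstall_plugin", "").lower() in TRUE_VALUES:
        findings.append("uninstall-enabled")
    if o.get("audit_whitelist_users"):
        findings.append("whitelisted-users:" + o["audit_whitelist_users"])
    return findings

if __name__ == "__main__":
    print(audit_findings(SAMPLE_MY_CNF))
```

Run it against the real file by passing open('/data/middle/mysql57/conf/my.cnf').read() to audit_findings(); an empty list means none of these four conditions was found.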
