2.3.8 mysql安全之审计
6、 MySQL安全之审计管理
审计:记录你的操作,方便以后查证据,但是生产环境数据库本身不建议开启,影响性能,但可以使用第三方审计
6.1 开源审计功能 mysql Audit Pluging
mysq15.7企业版自带审计功能,需要付费
社区版可以用开源的 mysqL Audit Pluging( McAfee提供的)
下载地址:
https://github.com/mcafee/mysql-audit
涉及参数:
audit_json_file = on
plugin-load = AUDIT=libaudit_plugin.so
audit_record_cmds = 'insert,delete,update,create,drop,alter,grant,truncate'
audit_json_log_file = /var/log/mysql/mysql-audit.json
audit_offsets = 7824, 7872, 3632, 4792, 456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, 13464, 148, 672不设置 audit_record_cmds 参数,所有的DDL,DML全记录
https://github.com/mcafee/mysql-audit
https://bintray.com/mcafee/mysql-audit-plugin/release/1.1.7-866
https://bintray.com/mcatee/mysql-audit-plugin/release
mysql root@localhost:auditdb> show global variables like 'plugin_dir';
+---------------+--------------------------+
| Variable_name | Value |
+---------------+--------------------------+
| plugin_dir | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+https://bintray.com/mcafee/mysql-audit-plugin/release#files/
wget https://bintray.com/mcafee/mysql-audit-plugin/download_file?file_path=audit-plugin-percona-5.7-1.1.7-866-linux-x86_64.zip
[root@elasticsearch 09]# unzip audit-plugin-percona-5.7-1.1.7-866-linux-x86_64.zip
cd audit-plugin-percona-5.7-1.1.7-866/lib/
[root@elasticsearch lib]# cp libaudit_plugin.so /usr/lib64/mysql/plugin/
[root@elasticsearch lib]# chmod +x /usr/lib64/mysql/plugin/libaudit_plugin.so
[root@elasticsearch lib]# service mysqld restart
Redirecting to /bin/systemctl restart mysqld.service
install plugin audit soname 'libaudit_plugin.so';
mysql root@localhost:(none)> show global status like 'AUDIT_version';
+---------------+-----------+
| Variable_name | Value |
+---------------+-----------+
| Audit_version | 1.1.7-866 |
+---------------+-----------+mysql root@localhost:(none)> show global variables like '%audit_json%';
+---------------------------------+----------------------------------------------------+
| Variable_name | Value |
+---------------------------------+----------------------------------------------------+
| audit_json_file | ON |
| audit_json_file_bufsize | 1 |
| audit_json_file_flush | OFF |
| audit_json_file_retry | 60 |
| audit_json_file_sync | 0 |
| audit_json_log_file | /var/log/mysql/mysql-audit.json |
| audit_json_socket | OFF |
| audit_json_socket_name | /var/run/db-audit/mysql.audit__var_lib_mysql_33057 |
| audit_json_socket_retry | 10 |
| audit_json_socket_write_timeout | 1000 |
+---------------------------------+----------------------------------------------------+mysql root@localhost:(none)> show global variables like '%plugin%';
+-------------------------------+--------------------------+
| Variable_name | Value |
+-------------------------------+--------------------------+
| audit_uninstall_plugin | OFF |
| default_authentication_plugin | mysql_native_password |
| plugin_dir | /usr/lib64/mysql/plugin/ |
+-------------------------------+--------------------------+
mysql root@localhost:(none)> show global variables like '%load%';
+------------------------------------+-------+
| Variable_name | Value |
+------------------------------------+-------+
| have_dynamic_loading | YES |
| innodb_buffer_pool_load_abort | OFF |
| innodb_buffer_pool_load_at_startup | ON |
| innodb_buffer_pool_load_now | OFF |
| innodb_force_load_corrupted | OFF |
| preload_buffer_size | 32768 |
| slave_load_tmpdir | /tmp |
+------------------------------------+-------+
[root@elasticsearch lib]# yum install jq -y
[root@elasticsearch lib]# cat /var/log/mysql/mysql-audit.json |jq
有bug
记录创建
创建开启后,压根没有记录创建的记录
6.2 mysql 自带的 init-connect + binlog 实现 MYSQL审计
my.cnf:
init-connect
01.创建一个存放连接信息的表
create database auditdb default charset utf8;
use auditdb
create table accesslog(
ID int primary key auto_increment,
ConnectionID int,
ConnUserName varchar(30),
PrivMatchName varchar(30),
LoginTime timestamp
);02.配置权限
insert into mysql.db(host,db,user,select_priv,Insert_priv) values('%','auditdb','','Y','Y');
flush privileges;03.配置init-connent
my.cnf
server-id=1
init-connect='insert into auditdb.accesslog (ConnectionID,ConnUserName,PrivMatchName,LoginTime) values(connection_id(),user(),current_user(),now());'
log_bin=/var/log/mysql/binlog
log_bin_index=/var/log/mysql/binlog.index目录权限要对
[root@elasticsearch ~]# chown mysql.mysql /var/log/mysql/
[root@elasticsearch ~]# ls /var/log/mysqld.log -l
-rw-r-----. 1 mysql mysql 458598 9月 12 19:17 /var/log/mysqld.logmysql root@localhost:auditdb> create database test;
Query OK, 1 row affected
Time: 0.001s
mysql root@localhost:auditdb> drop database test;
You're about to run a destructive command.
Do you want to proceed? (y/n): y
Your call!
Query OK, 0 rows affected
Time: 0.001smysqlbinlog /var/log/mysql/binlog.000003
超级管理root 不会记录日志
不记录root用户
