mysql mcafee audit_ libaudit

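Preface

  • AUDIT Plugin for MySQL
  • McAfee's MySQL plugin provides auditing for MySQL and is designed with security and audit requirements in mind. It can be used as a standalone audit solution or configured to feed data to external monitoring tools.
  • Percona, McAfee and MariaDB all provide audit plugins.

Download the plugin

 Unpack the MySQL audit plugin package

yum install unzip && unzip audit-plugin-mysql-5.7-1.1.7-866-linux-x86_64.zip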

Check the directory where MySQL plugins are installed

mysql> show global variables like 'plugin_dir';
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| plugin_dir    | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+
1 row in set (0.00 sec)

Copy libaudit_plugin.so from the unpacked directory to /usr/lib64/mysql/plugin/ and make it executable

cp -rf /audit-plugin-mysql-5.7-1.1.7-866/lib/libaudit_plugin.so /usr/lib64/mysql/plugin/ && chmod +x /usr/lib64/mysql/plugin/libaudit_plugin.so

 Get the offset values for the MySQL audit plugin: make the script executable, then run it

cd /audit-plugin-mysql-5.7-1.1.7-866/utils && chmod +x /audit-plugin-mysql-5.7-1.1.7-866/utils/offset-extract.sh
[root@web utils]# ./offset-extract.sh /usr/sbin/mysqld
//offsets for: /usr/sbin/mysqld (5.7.25)
{"5.7.25","a54988b2de26ea37c2601aa40ae478bb", 7824, 7872, 3632, 4792, 456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, 13472, 148, 672},

Edit the MySQL configuration file

  • vim /etc/my.cnf

audit_offsets=7824, 7872, 3632, 4792, 456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, 13472, 148, 672
plugin-load=AUDIT=libaudit_plugin.so
audit_json_file=on
audit_record_cmds='insert,delete,update,create,drop,alter,grant,truncate'
general_log=ON
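
Added example (not from the original post or the plugin project): the offsets describe the internal layout of one specific mysqld build, so a line copied from another build or left over after an upgrade should not be reused. The hypothetical helper offsets_to_cnf below turns the offset-extract.sh output into the audit_offsets= line and refuses to emit it when the MD5 in that output does not match the given binary; it assumes the second quoted field is the binary's MD5 as md5sum prints it.

```shell
#!/bin/sh
# Added example: build the audit_offsets= line from offset-extract.sh output.
# offsets_to_cnf is a hypothetical helper, not part of the plugin's utils.
# stdin: offset-extract.sh output; $1 (optional): mysqld binary to verify.
# Returns 1 = no data line, 2 = MD5 mismatch, 3 = malformed offsets.
offsets_to_cnf() {
    local binary="${1:-}" line version md5 offsets actual
    # Data line format: {"<version>","<md5>", n1, n2, ...},
    line=$(grep -m1 '^{"') || { echo "no offsets line found" >&2; return 1; }
    version=$(printf '%s\n' "$line" | sed -E 's/^\{"([^"]+)".*/\1/')
    md5=$(printf '%s\n' "$line" | sed -E 's/^\{"[^"]+","([0-9a-f]{32})".*/\1/')
    offsets=$(printf '%s\n' "$line" |
        sed -E 's/^\{"[^"]+","[0-9a-f]{32}", *//; s/\},?[[:space:]]*$//')
    # Accept only a comma-separated list of decimal numbers.
    if ! printf '%s\n' "$offsets" | grep -Eq '^[0-9]+(, *[0-9]+)*$'; then
        echo "malformed offsets line for version $version" >&2
        return 3
    fi
    # Assumption: the second field is the MD5 of the binary as md5sum prints it.
    if [ -n "$binary" ]; then
        actual=$(md5sum -b "$binary" | cut -d' ' -f1)
        if [ "$actual" != "$md5" ]; then
            echo "MD5 mismatch: offsets $md5, $binary $actual" >&2
            return 2
        fi
    fi
    printf 'audit_offsets=%s\n' "$offsets"
}

# Run on the output shown above (no binary argument, so no MD5 check here).
offsets_to_cnf <<'EOF'
//offsets for: /usr/sbin/mysqld (5.7.25)
{"5.7.25","a54988b2de26ea37c2601aa40ae478bb", 7824, 7872, 3632, 4792, 456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, 13472, 148, 672},
EOF
```

On a live host the script output can be piped straight in with the binary as the argument: ./offset-extract.sh /usr/sbin/mysqld | offsets_to_cnf /usr/sbin/mysqld
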

Verify that the MySQL audit plugin is installed

mysql> show plugins;
| ngram                      | ACTIVE   | FTPARSER           | NULL               | GPL     |
| AUDIT                      | ACTIVE   | AUDIT              | libaudit_plugin.so | GPL     |

 List the parameters that can be configured for the MySQL audit plugin

mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';

Check whether the MySQL audit plugin's auditing is enabled

mysql> Show variables like "audit_json_file";
+-----------------+-------+
| Variable_name   | Value |
+-----------------+-------+
| audit_json_file | ON    |
+-----------------+-------+
1 row in set (0.00 sec)

 Check the data directory

mysql> show global variables like 'datadir';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| datadir       | /var/lib/mysql/ |
+---------------+-----------------+
1 row in set (0.00 sec)

View the audit log

tail -f /var/lib/mysql/mysql-audit.json

Audited command types

mysql> show global variables like 'audit_record_cmds';
+-------------------+-------------------------------------------------------+
| Variable_name     | Value                                                 |
+-------------------+-------------------------------------------------------+
| audit_record_cmds | insert,delete,update,create,drop,alter,grant,truncate |
+-------------------+-------------------------------------------------------+
1 row in set (0.00 sec)

Monyog audit log

Reposted from blog.csdn.net/hanzheng260561728/article/details/106765307