Implementing auditing for community-edition MySQL with the MariaDB Audit Plugin

There are three mainstream options for MySQL auditing:

1. MySQL Enterprise Audit Plugin: a plugin available only to MySQL Enterprise Edition; paid

2. Percona Audit Log Plugin: a plugin available only to Percona Server; free

3. MariaDB Audit Plugin: supports MariaDB, MySQL and Percona Server; version 1.2 or later is recommended


Below, the MariaDB Audit Plugin is used to implement auditing for the official community edition of MySQL.

First download the complete MariaDB package; the standalone plugin is no longer offered on the official site.

Copy mariadb-10.2.8-linux-glibc_214-x86_64/lib/plugin/server_audit.so into MySQL's plugin directory and adjust its ownership and permissions to match the other plugins:

# chown root:mysql server_audit.so 
# chmod 755 server_audit.so


Before logging in to MySQL to install the plugin, confirm that the system glibc version matches the glibc version server_audit.so was built against:

[root@237_21 plugin]# strings /lib64/libc.so.6 |grep GLIBC_
GLIBC_2.2.5
GLIBC_2.2.6
GLIBC_2.3
GLIBC_2.3.2
GLIBC_2.3.3
GLIBC_2.3.4
GLIBC_2.4
GLIBC_2.5
GLIBC_2.6
GLIBC_2.7
GLIBC_2.8
GLIBC_2.9
GLIBC_2.10
GLIBC_2.11
GLIBC_2.12
GLIBC_PRIVATE
MariaDB is mostly built against glibc 2.14, so the glibc upgrade process is briefly recorded below:
# wget -c http://ftp.gnu.org/gnu/libc/glibc-2.14.tar.gz
# tar zxvf glibc-2.14.tar.gz
# cd glibc-2.14
# mkdir build
# cd build
# ../configure --prefix=/usr --disable-profile --enable-add-ons --with-headers=/usr/include --with-binutils=/usr/bin
# make && make install
# LD_PRELOAD=/lib/libc-2.12.so yum -y install glibc-devel
# strings libc.so | grep GLIBC
GLIBC_2.2.5
GLIBC_2.2.6
GLIBC_2.3
GLIBC_2.3.2
GLIBC_2.3.3
GLIBC_2.3.4
GLIBC_2.4
GLIBC_2.5
GLIBC_2.6
GLIBC_2.7
GLIBC_2.8
GLIBC_2.9
GLIBC_2.10
GLIBC_2.11
GLIBC_2.12
GLIBC_2.13
GLIBC_2.14
GLIBC_PRIVATE


Install the plugin:
mysql> install plugin server_audit soname 'server_audit.so';
Query OK, 0 rows affected (0.01 sec)

mysql> show variables like '%server_audit%';
+-------------------------------+-----------------------+
| Variable_name                 | Value                 |
+-------------------------------+-----------------------+
| server_audit_events           |                       |
| server_audit_excl_users       |                       |
| server_audit_file_path        | server_audit.log      |
| server_audit_file_rotate_now  | OFF                   |
| server_audit_file_rotate_size | 1000000               |
| server_audit_file_rotations   | 9                     |
| server_audit_incl_users       |                       |
| server_audit_loc_info         |                       |
| server_audit_logging          | OFF                   |
| server_audit_mode             | 1                     |
| server_audit_output_type      | file                  |
| server_audit_query_log_limit  | 1024                  |
| server_audit_syslog_facility  | LOG_USER              |
| server_audit_syslog_ident     | mysql-server_auditing |
| server_audit_syslog_info      |                       |
| server_audit_syslog_priority  | LOG_INFO              |
+-------------------------------+-----------------------+
16 rows in set (0.01 sec)

Edit my.cnf and add the audit rules; the key parameters are:

server_audit_logging: the switch that turns auditing on or off

server_audit_file_path: path of the audit log; by default it is stored in the data directory

server_audit_events: the event types written to the log. The types are:

CONNECT, QUERY, TABLE (QUERY_DDL and QUERY_DML were added in version 1.2, QUERY_DCL in version 1.3)

server_audit_incl_users: the actions of users in this list are logged; CONNECT events are still logged regardless of this parameter. It takes priority over server_audit_excl_users (if the same user appears in both incl and excl, incl wins).

server_audit_excl_users: the actions of users in this list are not logged; CONNECT events are still logged regardless of this parameter.

The following log-rotation (cyclic reuse) settings apply only when server_audit_output_type is file mode:

server_audit_file_rotations: total number of rotated log files; 0 means the audit log is never rotated. The default is 9.

server_audit_file_rotate_size: size limit of a single audit log file; once it is exceeded the log is rotated automatically

server_audit_file_rotate_now: force one rotation now

Note: the parameters for server_audit_output_type in SYSLOG mode are rarely used and are not covered here; see the reference documents at the end for details.


A quick test of the parameters above: user1, user2 and user3 (a non-existent user) each log in, run a QUERY (show databases;) and log out.

1. my.cnf configuration: user1's actions are written to the audit log, user2's are not:

plugin_dir=/usr/local/mysql3306/lib/plugin
plugin_load = "rpl_semi_sync_master=semisync_master.so;rpl_semi_sync_slave=semisync_slave.so;server_audit=server_audit.so"
########audit plugin########
server_audit_logging = 1
server_audit_events = 'CONNECT,QUERY,TABLE'
server_audit_incl_users = 'user1'
server_audit_excl_users = 'user2'

Log in as user1 and then as user2, and check the output in server_audit.log:

20170915 10:00:53,237_21,user1,127.0.0.1,4,0,CONNECT,,,0
20170915 10:00:53,237_21,user1,127.0.0.1,4,74,QUERY,,'select @@version_comment limit 1',0
20170915 10:01:03,237_21,user1,127.0.0.1,4,75,QUERY,,'show databases',0
20170915 10:01:21,237_21,user1,127.0.0.1,4,0,DISCONNECT,,,0
20170915 10:01:26,237_21,user2,127.0.0.1,5,0,CONNECT,,,0
20170915 10:01:26,237_21,user2,127.0.0.1,5,77,QUERY,,'select @@version_comment limit 1',0
20170915 10:01:31,237_21,user2,127.0.0.1,5,78,QUERY,,'show databases',0
20170915 10:01:33,237_21,user2,127.0.0.1,5,0,DISCONNECT,,,0
20170915 10:01:42,237_21,user3,127.0.0.1,6,0,FAILED_CONNECT,,,1045
20170915 10:01:42,237_21,user3,127.0.0.1,6,0,DISCONNECT,,,0 

For both user1 and user2, QUERY rows are logged in addition to CONNECT; the excl_ setting has no effect.


2. my.cnf configuration: user2's actions are set not to be logged, and server_audit_incl_users is left unset:

server_audit_logging = 1
server_audit_events = 'CONNECT,QUERY,TABLE'
#server_audit_incl_users = 'user1'
server_audit_excl_users = 'user2'

Log in as user1 and then as user2, and check the output in server_audit.log:

20170915 10:47:59,237_21,user1,127.0.0.1,1,0,CONNECT,,,0
20170915 10:47:59,237_21,user1,127.0.0.1,1,1,QUERY,,'select @@version_comment limit 1',0
20170915 10:48:14,237_21,user1,127.0.0.1,1,2,QUERY,,'show databases',0
20170915 10:48:16,237_21,user1,127.0.0.1,1,0,DISCONNECT,,,0
20170915 10:48:34,237_21,user2,127.0.0.1,2,0,CONNECT,,,0
20170915 10:48:40,237_21,user2,127.0.0.1,2,0,DISCONNECT,,,0
20170915 10:48:46,237_21,user3,127.0.0.1,3,0,FAILED_CONNECT,,,1045
20170915 10:48:46,237_21,user3,127.0.0.1,3,0,DISCONNECT,,,0

user1 has CONNECT and QUERY rows, user2 has only CONNECT, and user3's failed login is recorded as well.


3. user1 is written to the audit log, and the excl_ parameter is left unset:

server_audit_logging = 1
server_audit_events = 'CONNECT,QUERY,TABLE'
server_audit_incl_users = 'user1'
#server_audit_excl_users = 'user2'

Log in as user1 and then as user2, and check the output in server_audit.log:

20170915 10:54:24,237_21,user1,127.0.0.1,1,0,CONNECT,,,0
20170915 10:54:24,237_21,user1,127.0.0.1,1,1,QUERY,,'select @@version_comment limit 1',0
20170915 10:54:29,237_21,user1,127.0.0.1,1,2,QUERY,,'show databases',0
20170915 10:54:31,237_21,user1,127.0.0.1,1,0,DISCONNECT,,,0
20170915 10:54:36,237_21,user2,127.0.0.1,2,0,CONNECT,,,0
20170915 10:54:44,237_21,user2,127.0.0.1,2,0,DISCONNECT,,,0
20170915 10:54:47,237_21,user3,127.0.0.1,3,0,FAILED_CONNECT,,,1045
20170915 10:54:47,237_21,user3,127.0.0.1,3,0,DISCONNECT,,,0

user1 has CONNECT and QUERY rows, user2 has only CONNECT, and user3's failed login is recorded as well.


Summary of the effect of the filter parameters:
1. If both server_audit_incl_users and server_audit_excl_users are set, all users are audited.
2. If only server_audit_excl_users is set, the excl_users get only CONNECT rows; all other users get the event types specified by server_audit_events.
3. If only server_audit_incl_users is set, the incl_users get the event types specified by server_audit_events; all other users get only CONNECT rows.
4. When a non-existent user tries to log in, a connection event (FAILED_CONNECT) is still logged.
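As an added example, not part of the original post, here is a small Python parser for the file-mode server_audit.log lines shown above. It summarizes which operations were logged per user (which makes the incl/excl behaviour visible), pulls out FAILED_CONNECT rows, and lists users that connected but produced no QUERY rows; the sample log is constructed from test case 2, and the ten-field layout follows the plugin's file-mode log format.

```python
import csv
from collections import Counter, defaultdict

# Field order of one file-mode server_audit.log line (MariaDB audit plugin log format).
FIELDS = ("timestamp", "serverhost", "username", "host", "connectionid",
          "queryid", "operation", "database", "object", "retcode")

# Constructed sample, modelled on test case 2 above (only server_audit_excl_users = 'user2').
SAMPLE_LOG = """\
20170915 10:47:59,237_21,user1,127.0.0.1,1,0,CONNECT,,,0
20170915 10:47:59,237_21,user1,127.0.0.1,1,1,QUERY,,'select @@version_comment limit 1',0
20170915 10:48:14,237_21,user1,127.0.0.1,1,2,QUERY,,'show databases',0
20170915 10:48:16,237_21,user1,127.0.0.1,1,0,DISCONNECT,,,0
20170915 10:48:34,237_21,user2,127.0.0.1,2,0,CONNECT,,,0
20170915 10:48:40,237_21,user2,127.0.0.1,2,0,DISCONNECT,,,0
20170915 10:48:46,237_21,user3,127.0.0.1,3,0,FAILED_CONNECT,,,1045
20170915 10:48:46,237_21,user3,127.0.0.1,3,0,DISCONNECT,,,0
"""

def parse_audit_log(text):
    """Parse log lines into dicts. The object field (the query text) is wrapped in
    single quotes and may itself contain commas, so csv with quotechar="'" is used."""
    records = []
    for row in csv.reader(text.splitlines(), quotechar="'", escapechar="\\"):
        if len(row) != len(FIELDS):
            continue  # truncated or foreign line: skip rather than misalign fields
        rec = dict(zip(FIELDS, row))
        rec["retcode"] = int(rec["retcode"])
        records.append(rec)
    return records

def events_per_user(records):
    """username -> Counter of operations; shows which users received QUERY rows."""
    per_user = defaultdict(Counter)
    for rec in records:
        per_user[rec["username"]][rec["operation"]] += 1
    return dict(per_user)

def failed_connects(records):
    """(timestamp, username, host, retcode) for each FAILED_CONNECT row (1045 = access denied)."""
    return [(r["timestamp"], r["username"], r["host"], r["retcode"])
            for r in records if r["operation"] == "FAILED_CONNECT"]

def users_without_queries(records):
    """Users with a CONNECT row but no QUERY rows: idle sessions, or users whose
    queries the incl/excl filters dropped (user2 in test case 2)."""
    return sorted(user for user, ops in events_per_user(records).items()
                  if ops["CONNECT"] and not ops["QUERY"])
```

Running users_without_queries over a real log is a quick way to confirm that the incl/excl settings are filtering only the users you intended.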


References:

1. MySQL Auditing with MariaDB Auditing Plugin

https://www.percona.com/blog/2016/02/15/mysql-mariadb-with-mariadb-auditing-plugin/

2. MariaDB Audit Plugin - Log Settings

https://mariadb.com/kb/en/library/mariadb-audit-plugin-log-settings/

3. MariaDB Audit Plugin - System Variables

https://mariadb.com/kb/en/library/mariadb-audit-plugin-system-variables/




Reposted from blog.csdn.net/leonpenn/article/details/77980503