pgaudit: auditing PostgreSQL

Copyright notice: this is the blogger's original article; please cite the source when reposting. https://blog.csdn.net/ctypyb2002/article/details/85098593

os: ubuntu 16.04
db: postgresql 9.6.8
pgaudit: 1.1.1

pgaudit exists as a PostgreSQL extension and provides detailed session and/or object audit logging through the standard PostgreSQL logging facility.
The goal of pgaudit is to produce audit logs for PostgreSQL.

Versions

# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.5 LTS
Release:	16.04
Codename:	xenial


$ psql
psql (9.6.8)
Type "help" for help.

postgres=# select version();
                                                                   version                                                                    
----------------------------------------------------------------------------------------------------------------------------------------------
 PostgreSQL 9.6.8 on x86_64-pc-linux-gnu (Ubuntu 9.6.8-1.pgdg16.04+1), compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.9) 5.4.0 20160609, 64-bit
(1 row)

postgres=# 

Download and install

pgAudit versions relate to PostgreSQL major versions as follows:

pgAudit v1.3.X is intended to support PostgreSQL 11.
pgAudit v1.2.X is intended to support PostgreSQL 10.
pgAudit v1.1.X is intended to support PostgreSQL 9.6.
pgAudit v1.0.X is intended to support PostgreSQL 9.5.

# su - postgres
$ wget https://github.com/pgaudit/pgaudit/archive/1.1.1.zip
$ unzip 1.1.1.zip
$ ls -l
total 172
-rw-rw-r-- 1 postgres postgres  35875 Dec 19 14:28 1.1.1.zip
drwxr-xr-x 3 postgres postgres   4096 Nov  7 09:02 9.6
drwxrwxr-x 5 postgres postgres   4096 Jun 27  2017 pgaudit-1.1.1

$ cd pgaudit-1.1.1
$ make USE_PGXS=1

gcc -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fexcess-precision=standard -g -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -pie -fno-omit-frame-pointer -fPIC -I. -I./ -I/usr/include/postgresql/9.6/server -I/usr/include/postgresql/internal -Wdate-time -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -I/usr/include/libxml2  -I/usr/include/mit-krb5  -c -o pgaudit.o pgaudit.c
In file included from /usr/include/postgresql/9.6/server/libpq/auth.h:17:0,
                 from pgaudit.c:26:
/usr/include/postgresql/9.6/server/libpq/libpq-be.h:36:27: fatal error: gssapi/gssapi.h: No such file or directory
compilation terminated.
<builtin>: recipe for target 'pgaudit.o' failed
make: *** [pgaudit.o] Error 1

The make fails; the cause is a missing package.

$ sudo apt install libkrb5-dev

PostgreSQL was installed with apt install, so make install has to be run with root privileges.

$ make USE_PGXS=1

$ sudo make install USE_PGXS=1

List the installed files

$ ls -l /usr/lib/postgresql/9.6/lib |grep -i audit
-rwxr-xr-x 1 root root 103024 Dec 19 14:49 pgaudit.so

$ ls -l /usr/share/postgresql/9.6/extension |grep -i audit
-rw-r--r-- 1 root root   248 Dec 19 14:49 pgaudit--1.0--1.1.1.sql
-rw-r--r-- 1 root root   615 Dec 19 14:49 pgaudit--1.1.1.sql
-rw-r--r-- 1 root root   145 Dec 19 14:49 pgaudit.control

At this point the installation is complete.

Create the pgaudit extension

$ vi /etc/postgresql/9.6/main/postgresql.conf

shared_preload_libraries = 'pgaudit,pg_stat_statements'

$ sudo /etc/init.d/postgresql restart
$ psql 
psql (9.6.8)
Type "help" for help.

postgres=# 
postgres=# select * from pg_available_extensions where name like '%audit%';
  name   | default_version | installed_version |             comment             
---------+-----------------+-------------------+---------------------------------
 pgaudit | 1.1.1           |                   | provides auditing functionality
(1 row)

postgres=#

postgres=# create extension pgaudit;

At this point the extension is created.

pgaudit parameters

postgres=# select name,setting from pg_settings where name like 'pgaudit%';
            name            | setting 
----------------------------+---------
 pgaudit.log                | none
 pgaudit.log_catalog        | on
 pgaudit.log_client         | off
 pgaudit.log_level          | log
 pgaudit.log_parameter      | off
 pgaudit.log_relation       | off
 pgaudit.log_statement_once | off
 pgaudit.role               | 
(8 rows)

$ vi /etc/postgresql/9.6/main/postgresql.conf

pgaudit.log = 'all, -misc'
pgaudit.log_catalog = on
pgaudit.log_client = on
pgaudit.log_level = log
pgaudit.log_parameter = on
pgaudit.log_relation = on
pgaudit.log_statement_once = on

Look carefully at what each of these parameters means.

Inspect the generated log

Statements exercised: set, create table, insert into, select

$ psql 
psql (9.6.8)
Type "help" for help.

postgres=# 
postgres=# set pgaudit.log = 'all, -misc';

postgres=# create table account
(
    id int,
    name text,
    password text,
    description text
);

postgres=# insert into account (id, name, password, description)
             values (1, 'user1', 'HASH1', 'blah, blah');

postgres=# select * from account;

The corresponding log entries

2018-12-19 15:20:29.386 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,6,"idle",2018-12-19 15:17:27 CST,2/36,0,LOG,00000,"statement: set pgaudit.log = 'all, -misc';",,,,,,,,,"psql"
2018-12-19 15:20:41.707 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,7,"idle",2018-12-19 15:17:27 CST,2/37,0,LOG,00000,"statement: create table account
(
    id int,
    name text,
    password text,
    description text
);",,,,,,,,,"psql"
2018-12-19 15:20:41.748 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,8,"CREATE TABLE",2018-12-19 15:17:27 CST,2/37,454353307,LOG,00000,"AUDIT: SESSION,2,1,DDL,CREATE TABLE,TABLE,public.account,""create table account
(
    id int,
    name text,
    password text,
    description text
);"",<none>",,,,,,,,,"psql"
2018-12-19 15:20:49.530 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,9,"idle",2018-12-19 15:17:27 CST,2/38,0,LOG,00000,"statement: insert into account (id, name, password, description)
             values (1, 'user1', 'HASH1', 'blah, blah');",,,,,,,,,"psql"
2018-12-19 15:20:49.530 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,10,"INSERT",2018-12-19 15:17:27 CST,2/38,0,LOG,00000,"AUDIT: SESSION,3,1,WRITE,INSERT,TABLE,public.account,""insert into account (id, name, password, description)
             values (1, 'user1', 'HASH1', 'blah, blah');"",<none>",,,,,,,,,"psql"
2018-12-19 15:20:57.948 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,11,"idle",2018-12-19 15:17:27 CST,2/39,0,LOG,00000,"statement: select * from account;",,,,,,,,,"psql"
2018-12-19 15:20:57.948 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,12,"SELECT",2018-12-19 15:17:27 CST,2/39,0,LOG,00000,"AUDIT: SESSION,4,1,READ,SELECT,TABLE,public.account,select * from account;,<none>",,,,,,,,,"psql"

Search the log for the AUDIT marker

Statements exercised: update, create index, delete, truncate, drop table

postgres=# update account set name='user2' where id=1;
postgres=# create index idx_account_x1 on account(id);
postgres=# delete from account where id=1;
postgres=# truncate table account;
postgres=# drop table account;
2018-12-19 15:27:01.672 CST,"postgres","postgres",10963,"[local]",5c19f2c5.2ad3,2,"authentication",2018-12-19 15:27:01 CST,3/111,0,LOG,00000,"connection authorized: user=postgres database=postgres",,,,,,,,,""
2018-12-19 15:27:01.673 CST,"postgres","postgres",10963,"[local]",5c19f2c5.2ad3,3,"idle",2018-12-19 15:27:01 CST,3/112,0,LOG,00000,"statement: select pg_is_in_recovery(); ",,,,,,,,,"psql"
2018-12-19 15:27:01.674 CST,"postgres","postgres",10963,"[local]",5c19f2c5.2ad3,4,"SELECT",2018-12-19 15:27:01 CST,3/112,0,LOG,00000,"AUDIT: SESSION,1,1,READ,SELECT,,,select pg_is_in_recovery(); ,<none>",,,,,,,,,"psql"
2018-12-19 15:27:01.674 CST,"postgres","postgres",10963,"[local]",5c19f2c5.2ad3,5,"idle",2018-12-19 15:27:01 CST,,0,LOG,00000,"disconnection: session time: 0:00:00.003 user=postgres database=postgres host=[local]",,,,,,,,,"psql"

2018-12-19 15:27:08.112 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,13,"idle",2018-12-19 15:17:27 CST,2/40,0,LOG,00000,"statement: update account set name='user2' where id=1;",,,,,,,,,"psql"
2018-12-19 15:27:08.112 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,14,"UPDATE",2018-12-19 15:17:27 CST,2/40,0,LOG,00000,"AUDIT: SESSION,5,1,WRITE,UPDATE,TABLE,public.account,update account set name='user2' where id=1;,<none>",,,,,,,,,"psql"

2018-12-19 15:27:13.902 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,15,"idle",2018-12-19 15:17:27 CST,2/41,0,LOG,00000,"statement: create index idx_account_x1 on account(id);",,,,,,,,,"psql"
2018-12-19 15:27:13.908 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,16,"CREATE INDEX",2018-12-19 15:17:27 CST,2/41,454353310,LOG,00000,"AUDIT: SESSION,6,1,DDL,CREATE INDEX,INDEX,public.idx_account_x1,create index idx_account_x1 on account(id);,<none>",,,,,,,,,"psql"

2018-12-19 15:27:19.215 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,17,"idle",2018-12-19 15:17:27 CST,2/42,0,LOG,00000,"statement: delete from account where id=1;",,,,,,,,,"psql"
2018-12-19 15:27:19.215 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,18,"DELETE",2018-12-19 15:17:27 CST,2/42,0,LOG,00000,"AUDIT: SESSION,7,1,WRITE,DELETE,TABLE,public.account,delete from account where id=1;,<none>",,,,,,,,,"psql"

2018-12-19 15:27:24.831 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,19,"idle",2018-12-19 15:17:27 CST,2/43,0,LOG,00000,"statement: truncate table account;",,,,,,,,,"psql"
2018-12-19 15:27:24.851 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,20,"TRUNCATE TABLE",2018-12-19 15:17:27 CST,2/43,454353312,LOG,00000,"AUDIT: SESSION,8,1,WRITE,TRUNCATE TABLE,,,truncate table account;,<none>",,,,,,,,,"psql"

2018-12-19 15:27:30.207 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,21,"idle",2018-12-19 15:17:27 CST,2/44,0,LOG,00000,"statement: drop table account;",,,,,,,,,"psql"
2018-12-19 15:27:30.238 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,22,"DROP TABLE",2018-12-19 15:17:27 CST,2/44,454353313,LOG,00000,"AUDIT: SESSION,9,1,DDL,DROP TABLE,TABLE,public.account,drop table account;,<none>",,,,,,,,,"psql"
2018-12-19 15:27:30.238 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,23,"DROP TABLE",2018-12-19 15:17:27 CST,2/44,454353313,LOG,00000,"AUDIT: SESSION,9,1,DDL,DROP TABLE,INDEX,public.idx_account_x1,<previously logged>,<previously logged>",,,,,,,,,"psql"
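The two log dumps above (the set/create table/insert/select batch and the update/create index/delete/truncate/drop batch) are csvlog rows whose message column carries a second CSV record written by pgaudit. The parser below is an added example for this post, not code from the pgaudit project or from the author; it uses only the Python standard library, and its sample input is copied from the log output shown above. It extracts the AUDIT: SESSION entries from the csvlog, handling the multi-line create table statement, the insert whose text contains a comma, and the drop table cascade row that pgaudit marks <previously logged>, and then summarises the trail per class and per object, which is the first step of turning these lines into something an alerting rule can consume.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# PostgreSQL 9.6 csvlog column order (log_destination = 'csvlog').
CSVLOG_COLUMNS = [
    "log_time", "user_name", "database_name", "process_id", "connection_from",
    "session_id", "session_line_num", "command_tag", "session_start_time",
    "virtual_transaction_id", "transaction_id", "error_severity",
    "sql_state_code", "message", "detail", "hint", "internal_query",
    "internal_query_pos", "context", "query", "query_pos", "location",
    "application_name",
]
AUDIT_PREFIX = "AUDIT: "
PREVIOUSLY_LOGGED = "<previously logged>"


@dataclass
class AuditEvent:
    """One pgaudit SESSION entry; field order follows the pgaudit README."""
    log_time: str
    user_name: str
    database_name: str
    session_id: str
    audit_type: str
    statement_id: int
    substatement_id: int
    class_: str        # READ, WRITE, DDL, ROLE, FUNCTION or MISC
    command: str       # e.g. CREATE TABLE, INSERT, SELECT
    object_type: str
    object_name: str
    statement: str     # empty when pgaudit wrote <previously logged>
    parameter: str
    previously_logged: bool


def parse_audit_events(csvlog_text: str) -> List[AuditEvent]:
    """Return the pgaudit SESSION events in csvlog text. Two CSV layers: the
    csvlog row, then the pgaudit payload inside its message column."""
    events: List[AuditEvent] = []
    for row in csv.reader(io.StringIO(csvlog_text)):
        if len(row) != len(CSVLOG_COLUMNS):
            continue  # blank line or not a csvlog row
        rec = dict(zip(CSVLOG_COLUMNS, row))
        if not rec["message"].startswith(AUDIT_PREFIX):
            continue  # plain "statement:" / connection lines
        payload = rec["message"][len(AUDIT_PREFIX):]
        fields = next(csv.reader(io.StringIO(payload)))  # handles quoted newlines
        if len(fields) != 9:
            continue  # not the 9-field SESSION layout
        (audit_type, stmt_id, sub_id, class_, command,
         obj_type, obj_name, statement, parameter) = fields
        events.append(AuditEvent(
            rec["log_time"], rec["user_name"], rec["database_name"],
            rec["session_id"], audit_type, int(stmt_id), int(sub_id), class_,
            command, obj_type, obj_name,
            "" if statement == PREVIOUSLY_LOGGED else statement, parameter,
            statement == PREVIOUSLY_LOGGED,
        ))
    return events


def count_by_class(events: List[AuditEvent]) -> Dict[str, int]:
    """Events per pgaudit class: how much READ/WRITE/DDL a trail contains."""
    return dict(Counter(e.class_ for e in events))


def objects_touched(events: List[AuditEvent]) -> List[str]:
    """Sorted distinct object names seen in the trail."""
    return sorted({e.object_name for e in events if e.object_name})


# Sample input: lines copied from the log output shown in this post.
SAMPLE_LOG = """\
2018-12-19 15:20:29.386 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,6,"idle",2018-12-19 15:17:27 CST,2/36,0,LOG,00000,"statement: set pgaudit.log = 'all, -misc';",,,,,,,,,"psql"
2018-12-19 15:20:41.748 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,8,"CREATE TABLE",2018-12-19 15:17:27 CST,2/37,454353307,LOG,00000,"AUDIT: SESSION,2,1,DDL,CREATE TABLE,TABLE,public.account,""create table account
(
    id int,
    name text,
    password text,
    description text
);"",<none>",,,,,,,,,"psql"
2018-12-19 15:20:49.530 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,10,"INSERT",2018-12-19 15:17:27 CST,2/38,0,LOG,00000,"AUDIT: SESSION,3,1,WRITE,INSERT,TABLE,public.account,""insert into account (id, name, password, description)
             values (1, 'user1', 'HASH1', 'blah, blah');"",<none>",,,,,,,,,"psql"
2018-12-19 15:20:57.948 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,12,"SELECT",2018-12-19 15:17:27 CST,2/39,0,LOG,00000,"AUDIT: SESSION,4,1,READ,SELECT,TABLE,public.account,select * from account;,<none>",,,,,,,,,"psql"
2018-12-19 15:27:30.238 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,22,"DROP TABLE",2018-12-19 15:17:27 CST,2/44,454353313,LOG,00000,"AUDIT: SESSION,9,1,DDL,DROP TABLE,TABLE,public.account,drop table account;,<none>",,,,,,,,,"psql"
2018-12-19 15:27:30.238 CST,"postgres","postgres",10371,"[local]",5c19f087.2883,23,"DROP TABLE",2018-12-19 15:17:27 CST,2/44,454353313,LOG,00000,"AUDIT: SESSION,9,1,DDL,DROP TABLE,INDEX,public.idx_account_x1,<previously logged>,<previously logged>",,,,,,,,,"psql"
"""

if __name__ == "__main__":
    trail = parse_audit_events(SAMPLE_LOG)
    for e in trail:
        flag = " (previously logged)" if e.previously_logged else ""
        print(f"{e.log_time}  {e.class_:5} {e.command:12} {e.object_name}{flag}")
    print(count_by_class(trail), objects_touched(trail))
```

Run it on a real file with `parse_audit_events(open(path, newline="").read())`; the `newline=""` keeps the embedded newlines of multi-line statements intact for the csv module. The nine-field check is what separates SESSION entries from anything else that happens to start with AUDIT:, and the previously_logged flag is worth keeping in downstream storage, because the cascade row for the index would otherwise look like a DDL event with no statement text.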

References:
https://www.pgaudit.org/

https://github.com/pgaudit/pgaudit
https://github.com/pgaudit/pgaudit/blob/master/README.md
