MySQL audit plugin
MySQL auditing has always been a weak spot:
1. Some people have previously used init-connect together with the binlog to build a makeshift audit, but the unfortunate part is that it cannot audit the root user (users with SUPER privilege)! See: http://bbs.chinaunix.net/forum.php?mod=viewthread&tid=3632588
2. Oracle added the mysql-audit plugin to the Enterprise Edition of 5.5, but the problem is that this plugin behaves much like the general log, and it only exists in the Enterprise Edition! See: http://www.cnblogs.com/cenalulu/archive/2012/11/12/mysql_audit_plugin_test.html
3. McAfee's MySQL audit plugin, developed on the basis of Percona.
The McAfee MySQL audit plugin writes fairly large log records and has a noticeable performance impact, but if you want auditing enabled, that is the price to pay. A few reference links:
Wiki home: https://github.com/mcafee/mysql-audit/wiki
Binary package downloads: https://bintray.com/mcafee/mysql-audit-plugin/release (includes binary packages for 5.1, 5.5 and 5.6)
Usage is very simple! You can enable it online, or add plugin-load=AUDIT=libaudit_plugin.so and restart!
Enabling it online is very simple:
1. Download the binary package for your MySQL version
2. Check the MySQL plugin directory
mysql> SHOW GLOBAL VARIABLES LIKE 'plugin_dir';
+---------------+--------------------------------+
| Variable_name | Value |
+---------------+--------------------------------+
| plugin_dir | /usr/local/mysql55/lib/plugin/ |
+---------------+--------------------------------+
1 row in set (0.01 sec)
3. Copy the downloaded .so file into plugin_dir
4. INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
5. Check the installed plugin version
mysql> SHOW GLOBAL STATUS LIKE 'AUDIT_version';
+---------------+-----------+
| Variable_name | Value |
+---------------+-----------+
| Audit_version | 1.0.4-459 |
+---------------+-----------+
1 row in set (0.00 sec)
Installation succeeded.
6. Enable the audit function
SET GLOBAL audit_json_file=ON;
7. Run any statement (by default every statement is recorded), then look at the mysql-audit.json file in the MySQL data directory (this is the default file name).
Of course, we can also list the audit-related variables with a command:
mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';
+---------------------------------+----------------------------+
| Variable_name | Value |
+---------------------------------+----------------------------+
| audit_checksum | |
| audit_delay_cmds | |
| audit_delay_ms | 0 |
| audit_json_file | ON |
| audit_json_file_flush | OFF |
| audit_json_file_sync | 0 |
| audit_json_log_file | mysql-audit.json |
| audit_json_socket | OFF |
| audit_json_socket_name | /tmp/mysql-audit.json.sock |
| audit_offsets | |
| audit_offsets_by_version | ON |
| audit_record_cmds | |
| audit_record_objs | |
| audit_uninstall_plugin | OFF |
| audit_validate_checksum | ON |
| audit_validate_offsets_extended | ON |
| audit_whitelist_users | |
+---------------------------------+----------------------------+
The parameters we need to pay attention to are:
1. audit_json_file
Whether the audit function is enabled
2. audit_json_log_file
Path and name of the log file
3. audit_record_cmds
The commands that audit records; by default all commands are recorded.
It can be set to any combination of DML, DCL and DDL commands,
e.g. audit_record_cmds=select,insert,delete,update
It can also be set online with SET GLOBAL audit_record_cmds=NULL
(which means record all commands)
4. audit_record_objs
The objects whose operations audit records; by default all objects are recorded.
SET GLOBAL audit_record_objs=NULL restores the default,
or it can be specified in the following format:
audit_record_objs=,test.*,mysql.*,information_schema.*
5. audit_whitelist_users
User whitelist (users excluded from auditing)
There is also the offsets setting. If audit_offsets_by_version=ON is enabled, then audit_offsets = 6136, 6184, 3816, 4312, 88, 2592, 96, 0, 32, 104 must be set (the numbers are computed by a tool and differ between versions). If it is set incorrectly, the MySQL error log will contain errors like the following:
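As an added example (not from the original post or the plugin project): a small Python reviewer for the mysql-audit.json file the plugin writes, which skips the accounts you would put in audit_whitelist_users and flags privilege changes and writes to the mysql schema by everyone else, root included. The JSON field names (user, cmd, objects[].db, query), the lowercase command names and the log lines themselves are assumptions about the plugin's record format, constructed for this example.

```python
import json

# Constructed sample of mysql-audit.json: one JSON object per line. Field names
# (user, cmd, objects[].db/name, query) are assumed, not taken from the page; the
# last line imitates a record cut short by a rotation or a crash mid-write.
SAMPLE_AUDIT_LOG = """\
{"msg-type":"activity","user":"app","host":"10.0.0.5","cmd":"select","objects":[{"db":"test","name":"orders","obj_type":"TABLE"}],"query":"SELECT id FROM orders WHERE id=1"}
{"msg-type":"activity","user":"root","host":"localhost","cmd":"grant","objects":[],"query":"GRANT ALL ON *.* TO 'backup'@'%'"}
{"msg-type":"activity","user":"app","host":"10.0.0.5","cmd":"update","objects":[{"db":"mysql","name":"user","obj_type":"TABLE"}],"query":"UPDATE mysql.user SET Host='%' WHERE User='backup'"}
{"msg-type":"activity","user":"monitor","host":"10.0.0.9","cmd":"show_status","objects":[],"query":"SHOW GLOBAL STATUS"}
{"msg-type":"activity","user":"app","host":"10.0.0.5","cmd":"sel
"""

# Account-management (DCL) commands and the system schema warrant review whoever runs
# them, including root, which the init-connect approach mentioned above cannot audit.
PRIV_CMDS = {"grant", "revoke", "create_user", "drop_user", "rename_user"}
SYSTEM_DBS = {"mysql"}


def parse_audit_lines(text):
    """Return (records, bad_lines): parsed JSON objects and the count of unparseable lines."""
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            bad += 1  # count partial lines instead of dropping them silently
    return records, bad


def review(text, whitelist_users=frozenset()):
    """Flag privilege changes and non-SELECT access to the system schema.
    whitelist_users mirrors audit_whitelist_users: those accounts are skipped.
    Returns (findings, bad_lines); each finding is (reason, user, query)."""
    records, bad = parse_audit_lines(text)
    findings = []
    for rec in records:
        user, cmd, query = rec.get("user", ""), rec.get("cmd", ""), rec.get("query", "")
        if user in whitelist_users:
            continue
        if cmd in PRIV_CMDS:
            findings.append(("privilege change", user, query))
        elif cmd != "select" and {o.get("db") for o in rec.get("objects", [])} & SYSTEM_DBS:
            findings.append(("write to system schema", user, query))
    return findings, bad
```

Running review(SAMPLE_AUDIT_LOG) reports the GRANT by root and the UPDATE of mysql.user, and counts the truncated line separately so a rotation that cut a record is visible rather than silently lost.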
[Note] Audit Plugin: setup_offsets audit_offsets: (null) validate_checksum: 1 offsets_by_version: 1
[ERROR] Couldn't load plugin named 'AUDIT ' with soname ' libaudit_plugin.so'.
The offsets can be computed and an appropriate value assigned as follows:
1. Download the offset-extract.sh script from: https://raw.github.com/mcafee/mysql-audit/master/offset-extract/offset-extract.sh
2. Ensure gdb is installed
3. chmod +x offset-extract.sh
4. ./offset-extract.sh /data/app/mysql/mysql/bin/mysqld
//offsets for: /data/app/mysql/mysql/bin/mysqld (5.5.29)
{"5.5.29","53eea146441ed02575184b11f95283a1", 6032, 6080, 3784, 4208, 88, 2568},
5. Add the following to the configuration file under the [mysqld] section
# audit var
plugin-load=AUDIT=libaudit_plugin.so
audit_offsets=6032, 6080, 3784, 4208, 88, 2568
For details on offsets see https://github.com/mcafee/mysql-audit/wiki/Troubleshooting
Rotating the log by line count
#!/bin/bash
# Rotate mysql-audit.json once it exceeds ${max} lines. The plugin keeps the file open,
# so the swap is done while audit_json_file is OFF; turning it ON reopens the log by name.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
export PATH
file="mysql-audit.json"
newfile="${file}_$(date '+%Y%m%d%H%M%S')"
max=50000
cd /data/mysql/ || exit 1
num=$(wc -l < "${file}")
if [ "${num}" -gt "${max}" ]; then
    mysql -uroot -pxxx -Pxxx -e "SET GLOBAL audit_json_file=OFF;"
    # split writes the first ${max} lines to ${newfile}aa (kept as the archive) and the
    # remainder to ${newfile}ab; this assumes the file holds fewer than 2*${max} lines
    split -l "${max}" "${file}" "${newfile}"
    chown mysql:mysql "${newfile}ab"
    chmod 660 "${newfile}ab"
    # the remainder becomes the live log again
    mv "${newfile}ab" "${file}"
    mysql -uroot -pxxx -Pxxx -e "SET GLOBAL audit_json_file=ON;"
else
    echo "${num}"
fi