MySQL Audit Log

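Database auditing records database activity on the network in real time, provides fine-grained auditing of database operations for compliance management, raises alerts on risky behaviour against the database, and blocks attacks. By recording, analysing and reporting on how users access the database, it helps users generate compliance reports after the fact and trace incidents back to their source, while strengthening the record of internal and external database network activity and improving the security of data assets.

The audit component offered on the official MySQL site is a paid one; you have to buy the Enterprise Edition to use the audit feature. Below, the third-party open-source audit plugin libaudit_plugin.so is used to do the auditing on MySQL 5.7.

Unzip the plugin package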

# unzip audit-plugin-mysql-5.7-1.1.4-725.zip

Copy the unzipped plugin into MySQL's plugin directory

# cd audit-plugin-mysql-5.7-1.1.4-725/lib/

# cp libaudit_plugin.so /usr/local/mysql/lib/plugin/

Install the plugin

[email protected] 18:18: [(none)]> install plugin audit soname 'libaudit_plugin.so';

Check whether the plugin feature is enabled

[email protected] 18:19: [(none)]> show variables like '%audit_json_file%';
+-------------------------+-------+
| Variable_name           | Value |
+-------------------------+-------+
| audit_json_file         | OFF   |
| audit_json_file_bufsize | 1     |
| audit_json_file_flush   | OFF   |
| audit_json_file_retry   | 60    |
| audit_json_file_sync    | 0     |
+-------------------------+-------+
5 rows in set (0.00 sec)

Enable the plugin feature

[email protected] 18:20: [(none)]> set global audit_json_file = 1;
Query OK, 0 rows affected (0.00 sec)

[email protected] 18:20: [(none)]> show variables like '%audit_json_file%';
+-------------------------+-------+
| Variable_name           | Value |
+-------------------------+-------+
| audit_json_file         | ON    |
| audit_json_file_bufsize | 1     |
| audit_json_file_flush   | OFF   |
| audit_json_file_retry   | 60    |
| audit_json_file_sync    | 0     |
+-------------------------+-------+
5 rows in set (0.00 sec)

OK, there is now an additional audit log under the MySQL directory

# ls /usr/local/mysql/data/mysql-audit.json

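Looking in the mysql-audit.json file, you can find the user name and host address behind each SQL statement. Someone who does something bad on the database and then denies it can no longer get away with it, which makes this a good way to monitor database operations.

For example, suppose someone has run select * from emp; against the emp table in the scott database. Here is what the audit log recorded.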

# cat /usr/local/mysql/data/mysql-audit.json
{"msg-type":"activity","date":"1537352639624","thread-id":"3","query-id":"20","user":"root","priv_user":"root","ip":"","host":"localhost","connect_attrs":{"_os":"Linux","_client_name":"libmysql","_pid":"2201","_client_version":"5.7.18","_platform":"x86_64","program_name":"mysql"},"pid":"2201","os_user":"root","appname":"mysql","rows":"1","cmd":"select","query":"SELECT DATABASE()"}
{"msg-type":"activity","date":"1537352639624","thread-id":"3","query-id":"21","user":"root","priv_user":"root","ip":"","host":"localhost","connect_attrs":{"_os":"Linux","_client_name":"libmysql","_pid":"2201","_client_version":"5.7.18","_platform":"x86_64","program_name":"mysql"},"pid":"2201","os_user":"root","appname":"mysql","rows":"1","cmd":"Init DB","objects":[{"db":"scott","obj_type":"DATABASE"}],"query":"Init DB"}
{"msg-type":"activity","date":"1537352640539","thread-id":"3","query-id":"22","user":"root","priv_user":"root","ip":"","host":"localhost","connect_attrs":{"_os":"Linux","_client_name":"libmysql","_pid":"2201","_client_version":"5.7.18","_platform":"x86_64","program_name":"mysql"},"pid":"2201","os_user":"root","appname":"mysql","rows":"14","cmd":"select","objects":[{"db":"scott","name":"emp","obj_type":"TABLE"}],"query":"select * from emp"}
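To answer "who touched scott.emp, and when" without reading the raw JSON by eye, the log can be filtered on its objects field. The script below is an added example, not part of the original article or the plugin's own tooling; the function names are hypothetical, the sample records are abridged from the log above, and the truncated last line is constructed.

```python
import json
from datetime import datetime, timezone

# Records abridged from the log above (connect_attrs dropped); the truncated
# last line is constructed to stand in for a record that is still being written.
SAMPLE_LOG = """\
{"msg-type":"activity","date":"1537352639624","thread-id":"3","query-id":"20","user":"root","priv_user":"root","ip":"","host":"localhost","os_user":"root","appname":"mysql","rows":"1","cmd":"select","query":"SELECT DATABASE()"}
{"msg-type":"activity","date":"1537352639624","thread-id":"3","query-id":"21","user":"root","priv_user":"root","ip":"","host":"localhost","os_user":"root","appname":"mysql","rows":"1","cmd":"Init DB","objects":[{"db":"scott","obj_type":"DATABASE"}],"query":"Init DB"}
{"msg-type":"activity","date":"1537352640539","thread-id":"3","query-id":"22","user":"root","priv_user":"root","ip":"","host":"localhost","os_user":"root","appname":"mysql","rows":"14","cmd":"select","objects":[{"db":"scott","name":"emp","obj_type":"TABLE"}],"query":"select * from emp"}
{"msg-type":"activity","date":"15373526
"""

def parse_audit(lines):
    """Yield each well-formed activity record; skip blank or truncated lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # incomplete line, e.g. read while the server is writing
        if isinstance(rec, dict) and rec.get("msg-type") == "activity":
            yield rec

def to_utc(ms_text):
    """The "date" field is epoch milliseconds stored as a string."""
    ms = int(ms_text)
    ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return ts.replace(microsecond=(ms % 1000) * 1000).isoformat(timespec="milliseconds")

def table_accesses(lines, db, table):
    """Return who ran which statement against db.table, in log order."""
    hits = []
    for rec in parse_audit(lines):
        touched = any(o.get("obj_type") == "TABLE" and o.get("db") == db
                      and o.get("name") == table for o in rec.get("objects", []))
        if touched:
            hits.append({"time": to_utc(rec["date"]), "user": rec.get("user"),
                         "os_user": rec.get("os_user"), "host": rec.get("host"),
                         "ip": rec.get("ip"), "cmd": rec.get("cmd"),
                         "rows": int(rec.get("rows", 0)), "query": rec.get("query")})
    return hits

if __name__ == "__main__":
    for hit in table_accesses(SAMPLE_LOG.splitlines(), "scott", "emp"):
        print(hit)
```

To run it against the real file, pass an open handle on /usr/local/mysql/data/mysql-audit.json instead of SAMPLE_LOG.splitlines().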