關於MySQL AUDIT(審計)那點事
2017年06月02日MySQL社群版本最新版為MySQL_5.7.18,但是該版本不帶AUDIT功能(MySQL Enterprise Edition自帶AUDIT功能),
因此需要載入plugin(第三方外掛),當前外掛有以下幾種:
1、MySQL Enterprise Audit Plugin – This plugin is not open source and is only available with MySQL Enterprise, which has a significant cost attached to it. It is the most stable and robust.
備註:MySQL企業版本才能使用這個audit外掛哦,MySQL社群版慢慢等著吧
2、Percona Audit Log Plugin – Percona provides an open source auditing solution that installs with Percona Server 5.5.37+ and 5.6.17+. This plugin has quite a few output features as it outputs XML, JSON and to syslog. Percona’s implementation is the first to be a drop-in replacement for MySQL Enterprise Audit Plugin. As it has some internal hooks to the server to be feature-compatible with Oracle’s plugin, it is not available as a standalone for other versions of MySQL. This plugin is actively maintained by Percona.
備註:人家說了,我這個外掛只能給Percona_sever使用,我Percona來維護
3、McAfee MySQL Audit Plugin – Around the longest and has been used widely. It is open source and robust, while not using the official auditing API. It isn’t updated as often as one may like. There hasn’t been any new features in some time. It was recently updated to support MySQL 5.7
下載地址:http://dl.bintray.com/mcafee/mysql-audit-plugin/
部署可參考:http://blog.csdn.net/bzfys/article/details/53695855
個人發現該外掛貌似不支援審計日誌自動切割,而且日誌格式為JSON格式,個人感覺不易檢視,以及時間格式需要轉換
eg:"msg-type":"header","date":"1494935783266","audit-version":"1.1.4-707","audit-protocol-version":"1.0","hostname":"salt-master","mysql-version":"5.7.18-log","mysql-program":"/usr/sbin/mysqld","mysql-socket":"/data/mysql/mysql.sock","mysql-port":"3306","server_pid":"43480"}
4、MariaDB Audit Plugin – The only plugin that claims to support MySQL, Percona Server and MariaDB. It is open source and constantly upgraded with new versions of MariaDB. Versions starting at 1.2 are
most stable, and it may be risky to use versions below that in your production environment. Versions below 1.2 may be unstable and I have seen it crash production servers. Older versions also log clear text passwords.
下載地址:https://mariadb.com/kb/en/mariadb/about-the-mariadb-audit-plugin/ (可以直接下載MariaDB對應的版本後,解壓後在plugin目錄下有server_audit.so外掛)
MariaDB_5.5.37版本和MariaDB_10.0.10以後版本的audit外掛支援MariaDB, MySQL、Percona Server使用
備註:MariaDB_5.x.x和MariaDB_10.x.x區別
MariaDB_5.x.x:相容MySQL5.x.x的,介面幾乎一致,只限於社群版
MariaDB_10.x.x:10.x.x使用新技術,介面會與mysql逐漸區別開來。目標就是以後想MariaDB新介面過渡
因此綜合以上,我個人選擇了MariaDB Audit Plugin按安裝到我的MySQL_5.7.18上,以下為具體部署操作:
1、下載mariadb-5.5.56-linux-x86_64.tar.gz解壓獲取server_audit.so外掛
2、登入MySQL,執行命令獲取MySQL的plugin目錄
mysql> SHOW GLOBAL VARIABLES LIKE 'plugin_dir';
+---------------+--------------------------+
| Variable_name | Value |
+---------------+--------------------------+
| plugin_dir | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+
1 row in set (0.02 sec)
3、將server_audit.so上傳到 /usr/lib64/mysql/plugin/下
4、在命令下安裝server_audit.so
mysql> INSTALL PLUGIN server_audit SONAME 'server_audit.so';
5、檢視變數開啟設定情況,預設貌似都是關閉的
mysql> show variables like '%audit%';
6、編輯my.cnf,新增配置
server_audit_events='CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL'
備註:指定哪些操作被記錄到日誌檔案中
server_audit_logging=on
server_audit_file_path =/data/mysql/auditlogs/
備註:審計日誌存放路徑,該路徑下會生成一個server_audit.log檔案,就會記錄相關操作記錄了
server_audit_file_rotate_size=200000000
server_audit_file_rotations=200
server_audit_file_rotate_now=ON
7、重啟服務,service mysqld restart
登入MySQL後發現,在MySQL環境下執行的任何命令都被記錄到/data/mysql/auditlogs/server_audit.log,如果日誌檔案達到指定的大小,會自動切割
mysql> show variables like '%audit%';
+-------------------------------+---------------------------------------------------+
| Variable_name | Value |
+-------------------------------+---------------------------------------------------+
| server_audit_events | CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL |
| server_audit_excl_users | |
| server_audit_file_path | /data/mysql/auditlogs/ |
| server_audit_file_rotate_now | ON |
| server_audit_file_rotate_size | 200000000 |
| server_audit_file_rotations | 200 |
| server_audit_incl_users | |
| server_audit_loc_info | |
| server_audit_logging | ON |
| server_audit_mode | 1 |
| server_audit_output_type | file |
| server_audit_query_log_limit | 1024 |
| server_audit_syslog_facility | LOG_USER |
| server_audit_syslog_ident | mysql-server_auditing |
| server_audit_syslog_info | |
| server_audit_syslog_priority | LOG_INFO |
+-------------------------------+---------------------------------------------------+
日誌為:
20170516 23:21:23,salt-master,audit_log_user,localhost,4,19,QUERY,,'show variables like \'%audit%\'',0
8、引數說明:
詳細請參考:https://mariadb.com/kb/en/mariadb/server_audit-system-variables/
server_audit_output_type:指定日誌輸出型別,可為SYSLOG或FILE
server_audit_logging:啟動或關閉審計
server_audit_events:指定記錄事件的型別,可以用逗號分隔的多個值(connect,query,table),如果開啟了查詢快取(query cache),查詢直接從查詢快取返回資料,將沒有table記錄
server_audit_file_path:如server_audit_output_type為FILE,使用該變數設定儲存日誌的檔案,可以指定目錄,預設存放在資料目錄的server_audit.log檔案中
server_audit_file_rotate_size:限制日誌檔案的大小
server_audit_file_rotations:指定日誌檔案的數量,如果為0日誌將從不輪轉
server_audit_file_rotate_now:強制日誌檔案輪轉
server_audit_incl_users:指定哪些使用者的活動將記錄,connect將不受此變數影響,該變數比server_audit_excl_users優先順序高
server_audit_syslog_facility:預設為LOG_USER,指定facility
server_audit_syslog_ident:設定ident,作為每個syslog記錄的一部分
server_audit_syslog_info:指定的info字串將新增到syslog記錄
server_audit_syslog_priority:定義記錄日誌的syslogd priority
server_audit_excl_users:該列表的使用者行為將不記錄,connect將不受該設定影響
server_audit_mode:標識版本,用於開發測試
9、解除安裝server_audit
mysql> UNINSTALL PLUGIN server_audit;
mysql> show variables like '%audit%';
Empty set (0.00 sec)
防止server_audit 外掛被解除安裝,需要在配置檔案中新增:
[mysqld]
server_audit=FORCE_PLUS_PERMANENT
重啟MySQL生效
值得注意的是,應該在server_audit外掛被安裝好,並且已經執行之後新增這些配置,否則過早在配置檔案新增這個選項,會導致MySQL發生啟動錯誤!
mysql> UNINSTALL PLUGIN server_audit;
ERROR 1702 (HY000): Plugin 'server_audit' is force_plus_permanent and can not be unloaded