mysql审计插件

Audit Plugin安装使用

原文：

https://www.cnblogs.com/waynechou/p/mysql_audit.html#_label0   #有卸载方法

下载地址:

https://bintray.com/mcafee/mysql-audit-plugin/release/1.1.6-784#files

安装、配置、测试

查看mysql插件目录：
mysql> SHOW GLOBAL VARIABLES LIKE 'plugin_dir';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| plugin_dir    | /opt/mysql/lib/plugin/ |
+---------------+------------------------+
 row in set (0.00 sec)

复制下载的so文件至plugin_dir，创建日志目录
cd /opt/tools/audit-plugin-mysql-5.6-1.1.-/lib
cp libaudit_plugin.so /opt/mysql/lib/plugin/
mkdir /home/mysql//audit_log/
chown mysql.mysql /home/mysql//audit_log/

下载offset脚本，根据版本计算
wget https://raw.github.com/mcafee/mysql-audit/master/offset-extract/offset-extract.sh
chmod +x offset-extract.sh
[root@docker1 /opt/tools ::&&]#./offset-extract.sh /opt/mysql/bin/mysqld
//offsets for: /opt/mysql/bin/mysqld (5.6.35)
{"5.6.35","c48fe13e444883af96c7f134cd0c952b", , , , , , , , , , , , , , , , , , , , , , , , , },

配置my.cnf，在mysqld块里面加入以下内容：
plugin-load=AUDIT=libaudit_plugin.so
audit_offsets=, , , , , , , , , , , , , , , , , , , , , , , ,
audit_json_file=ON
audit_json_log_file=/home/mysql/3306/audit_log/mysql-audit.json
audit_record_cmds=insert,delete,update,create,drop,revoke,alter,grant,set #针对这些语句来审计

重启mysql数据库
service mysql restart

验证是否生效:
SHOW GLOBAL STATUS LIKE 'AUDIT_version';   #查看版本
SHOW GLOBAL VARIABLES LIKE 'audit_json_file';  #查看是否开启

show plugins;  #查看安装的插件

重要的参数说明： 

. audit_json_file #是否开启audit功能 

. audit_json_log_file #记录文件的路径和名称信息 

. audit_record_cmds #audit记录的命令,默认为记录所有命令可以设置为任意dml、dcl、ddl的组合 如：audit_record_cmds=select,insert,delete,update 还可以在线设置set global audit_record_cmds=NULL(表示记录所有命令) 

4.audit_record_objs

audit记录操作的对象，默认为记录所有对象，可以用SET GLOBAL audit_record_objs=NULL设置为默认。也可以指定为下面的格式：audit_record_objs=,test.*,mysql.*,information_schema.*。

其他配置参数参考： https://github.com/mcafee/mysql-audit/wiki/Configuration  
测试： 
CREATE TABLE `t1` ( `id` int() NOT NULL AUTO_INCREMENT, `age` tinyint() NOT NULL DEFAULT '', `name` varchar() NOT NULL DEFAULT '', PRIMARY KEY (`id`) )DEFAULT CHARSET=utf8; 
INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('', ''); 
INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('', ''); 
INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('', ''); 
INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('', ''); 
update t1 set name='' where age=''; 
delete from t1 where age=''; select * from t1; 

#查看审计日志 
[root@docker1 /opt/tools ::&&]#cat /home/mysql//audit_log/mysql-audit.json 
{"msg-type":"header","date":"","audit-version":"1.1.6-784","audit-protocol-version":"1.0","hostname":"docker1","mysql-version":"5.6.35-log","mysql-program":"/opt/mysql/bin/mysqld","mysql-socket":"/tmp/my3306.sock","mysql-port":"","server_pid":""} {"msg-type":"activity","date":"","thread-id":"","query-id":"","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"","status":"","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `t1` (`age`, `name`) VALUES ('2', '2')"} {"msg-type":"activity","date":"","thread-id":"","query-id":"","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"","status":"","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('1', '1')"} {"msg-type":"activity","date":"","thread-id":"","query-id":"","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"","status":"","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('3', '3')"} {"msg-type":"activity","date":"","thread-id":"","query-id":"","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"","status":"","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('4', '4')"} {"msg-type":"activity","date":"","thread-id":"","query-id":"","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"","status":"","cmd":"insert","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"INSERT INTO `test`.`t1` (`age`, `name`) VALUES ('5', '5')"} {"msg-type":"activity","date":"","thread-id":"","query-id":"","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"","status":"","cmd":"update","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"update t1 set name='6' where age='5'"} {"msg-type":"activity","date":"","thread-id":"","query-id":"","user":"root","priv_user":"","ip":"192.168.159.1","host":"192.168.159.1","rows":"","status":"","cmd":"delete","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"delete from t1 where age='1'"}

MariaDB server_audit 审计插件

下载:

http://ftp.kaist.ac.kr/mariadb/

原文：

https://www.cnblogs.com/waynechou/p/mysql_audit.html#_label0

安装、配置、测试

复制插件文件
cp -av /opt/tools/mariadb-5.5.-linux-glibc_214-x86_64/lib/plugin/server_audit.so /opt/mysql/lib/plugin/
chmod a+x /opt/mysql/lib/plugin/server_audit.so

安装插件
INSTALL PLUGIN server_audit SONAME 'server_audit.so';

配置my.cnf
server_audit_events='CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL'
server_audit_logging=on
server_audit_file_path =/home/mysql//audit_log/
server_audit_file_rotate_size=
server_audit_file_rotations=
server_audit_file_rotate_now=ON
值得注意的是，应该在server_audit插件被安装好，并且已经运行之后添加这些配置，否则过早在配置文件添加这个选项，会导致MySQL发生启动错误！

参数说明：
server_audit_output_type：指定日志输出类型，可为SYSLOG或FILE
server_audit_logging：启动或关闭审计
server_audit_events：指定记录事件的类型，可以用逗号分隔的多个值(connect,query,table)，如果开启了查询缓存(query cache)，查询直接从查询缓存返回数据，将没有table记录
server_audit_file_path：如server_audit_output_type为FILE，使用该变量设置存储日志的文件，可以指定目录，默认存放在数据目录的server_audit.log文件中
server_audit_file_rotate_size：限制日志文件的大小
server_audit_file_rotations：指定日志文件的数量，如果为0日志将从不轮转
server_audit_file_rotate_now：强制日志文件轮转
server_audit_incl_users：指定哪些用户的活动将记录，connect将不受此变量影响，该变量比server_audit_excl_users优先级高
server_audit_syslog_facility：默认为LOG_USER，指定facility
server_audit_syslog_ident：设置ident，作为每个syslog记录的一部分
server_audit_syslog_info：指定的info字符串将添加到syslog记录
server_audit_syslog_priority：定义记录日志的syslogd priority
server_audit_excl_users：该列表的用户行为将不记录，connect将不受该设置影响
server_audit_mode：标识版本，用于开发测试

重启mysql
/opt/mysql/scripts/my3306.sh restart

测试：
测试同Audit Plugin

卸载 server_audit
mysql> UNINSTALL PLUGIN server_audit;
mysql> show variables like '%audit%';
Empty set (0.00 sec)

防止 server_audit 插件被卸载，需要在配置文件中添加：
[mysqld]
server_audit=FORCE_PLUS_PERMANENT

重启MySQL生效