在MySQL中使用init-connect与binlog来实现用户操作追踪记录

分类: MySQL

前言:

测试环境莫名其妙有几条重要数据被删除了,由于在binlog里面只看到是公用账号删除的,无法查询是那个谁在那个时间段登录的,就考虑怎么记录每一个MYSQL账号的登录信息,在MYSQL中,每个连接都会先执行init-connect,进行连接的初始化,我们可以在这里获取用户的登录名称和thread的ID值。然后配合binlog,就可以追踪到每个操作语句的操作时间,操作人以及客户端的连接进程信息等。实现审计。

,在mysql服务器db中建立单独的记录访问信息的库

set names utf8;

create database access_log;

CREATE TABLE `access_log`

(

  `id` int() NOT NULL AUTO_INCREMENT,

  `thread_id` int() DEFAULT NULL, -- 线程ID,这个值很重要

  `log_time` timestamp NOT NULL DEF AULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, -- 登录时间

  `localname` varchar() DEFAULT NULL, -- 登录名称

  `matchname` varchar() DEFAULT NULL, -- 登录用户

  PRIMARY KEY (`id`)

) ENGINE=InnoDB AUTO_INCREMENT= DEFAULT CHARSET=utf8 comment '录入用户登录信息';

,在配置文件中配置init-connect参数。登录时插入日志表。如果这个参数是个错误的SQL语句,登录就会失败。

vim /usr/local/mysql/my.cnf

init-connect='INSERT INTO access_log.access_log VALUES(NULL,CONNECTION_ID(),NOW(),USER(),CURRENT_USER());'

然后重启数据库

,创建普通用户,不能有super权限,而且用户必须有对access_log库的access_log表的insert权限,否则会登录失败。

给登录用户赋予insert权限,但是不赋予access_log的insert、select权限,

GRANT INSERT,DELETE,UPDATE,SELECT ON test.* TO audit_user@'%' IDENTIFIED BY 'cacti_user1603';

mysql> GRANT CREATE,DROP,ALTER,INSERT,DELETE,UPDATE,SELECT ON test.* TO audit_user@'%' IDENTIFIED BY 'cacti_user1603';

Query OK,  rows affected (0.00 sec)

mysql> exit

然后去用新的audit_user登录操作

[root@db_server ~]# /usr/local/mysql/bin/mysql  -uaudit_user -p -S /usr/local/mysql/mysql.sock

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is

Server version: 5.6.-log

Copyright (c) , , Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> lect * from access_log.access_log;

ERROR  (HY000): MySQL server has gone away

No connection. Trying to reconnect...

Connection id:

Current database: *** NONE ***

ERROR  (08S01): Aborted connection  to db: 'unconnected' user: 'audit_user' host: 'localhost' (init_connect command failed)

mysql>

看到报错信息 (init_connect command failed),再去错误日志error log验证一下:

tail -fn  /usr/local/mysql/mysqld.log

-- ::  [Warning] Aborted connection  to db: 'unconnected' user: 'audit_user' host: 'localhost' (init_connect command failed)

-- ::  [Warning] INSERT command denied to user ''@'localhost' for table 'access_log'

-- ::  [Warning] Aborted connection  to db: 'unconnected' user: 'audit_user' host: 'localhost' (init_connect command failed)

-- ::  [Warning] INSERT command denied to user ''@'localhost' for table 'access_log'

看到必须要有对access_log库的access_log表的insert权限才行。

,赋予用户access_log的insert、select权限,然后重新赋予权限:

GRANT SELECT,INSERT ON access_log.* TO audit_user@'%';

mysql>

mysql> GRANT SELECT,INSERT ON access_log.* TO audit_user@'%';

Query OK,  rows affected (0.00 sec)

mysql> exit

Bye

再登录,报错如下:

[root@db_server ~]# /usr/local/mysql/bin/mysql  -uaudit_user -p -S /usr/local/mysql/mysql.sock

Enter password:

ERROR  (): Access denied for user 'audit_user'@'localhost' (using password: YES)

[root@db_server ~]# 

去查看error日志:

-- ::  [Warning] INSERT command denied to user ''@'localhost' for table 'access_log'

-- ::  [Warning] Aborted connection  to db: 'unconnected' user: 'audit_user' host: 'localhost' (init_connect command failed)

-- ::  [Warning] INSERT command denied to user ''@'localhost' for table 'access_log'

-- ::  [Warning] Aborted connection  to db: 'unconnected' user: 'audit_user' host: 'localhost' (init_connect command failed)

-- ::  [Warning] INSERT command denied to user ''@'localhost' for table 'access_log'

需要用root用户登录进去,清空掉用户为''的用户记录。

 mysql> select user,host,password from mysql.user;

+----------------+-----------+-------------------------------------------+

| user           | host      | password                                  |

+----------------+-----------+-------------------------------------------+

| root           | localhost |                                           |

| root           | db_server   |                                           |

| root           | 127.0.0.1 |                                           |

| root           | ::       |                                           |

|                | localhost |                                           |

|                | db_server   |                                           |

| cacti_user     | %         | *EB9E3195E443D577879101A35EF64A701B35F949 |

| cacti_user     |          | *D5FF9B53A78232DA13D3643965A5961449B387DB |

| cacti_user     |          | *D5FF9B53A78232DA13D3643965A5961449B387DB |

| test_user      | .%     | *8A447777509932F0ED07ADB033562027D95A0F17 |

| test_user      |          | *8A447777509932F0ED07ADB033562027D95A0F17 |

| weakpwd_user_1 | .%      | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |

| weakpwd_user_2 | .%      | *B1461C9C68AFA1129A5F968C343636192A084ADB |

| weakpwd_user_3 | .%      | *DCB7DF5FFC82C441503300FFF165257BC551A598 |

| audit_user     | %         | *AEAB1915B137FAFDE9B949D67A9A42DDB68DD8A2 |

+----------------+-----------+-------------------------------------------+

 rows in set (0.00 sec)

mysql> drop user ''@'localhost';

Query OK,  rows affected (0.00 sec)

mysql> drop user ''@'db_server';

Query OK,  rows affected (0.00 sec)

mysql> 

再用已经分配了access_log表的Insert权限的audit_user登录

mysql> select * from access_log.access_log;

+----+-----------+---------------------+---------------------------+--------------+

| id | thread_id | log_time            | localname                 | matchname    |

+----+-----------+---------------------+---------------------------+--------------+

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

+----+-----------+---------------------+---------------------------+--------------+

 rows in set (0.00 sec)

mysql> show full processlist;

+----+------------+-----------+------+---------+------+-------+-----------------------+

| Id | User       | Host      | db   | Command | Time | State | Info                  |

+----+------------+-----------+------+---------+------+-------+-----------------------+

|  | audit_user | localhost | NULL | Query   |     | init  | show full processlist |

+----+------------+-----------+------+---------+------+-------+-----------------------+

 row in set (0.00 sec)

mysql> 

,再用另外一个用户登录建表,录入测试数据。

建表录入数据记录

mysql> use test;

Database changed

mysql> create table t1 select  as a, 'wa' as b;

Query OK,  row affected (0.01 sec)

Records:   Duplicates:   Warnings: 

查看跟踪用户行为记录。

mysql> select * from access_log.access_log;

+----+-----------+---------------------+---------------------------+--------------+

| id | thread_id | log_time            | localname                 | matchname    |

+----+-----------+---------------------+---------------------------+--------------+

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@192.168.3.62    | audit_user@% |

|   |         | -- :: | audit_user@192.168.3.62    | audit_user@% |

+----+-----------+---------------------+---------------------------+--------------+

 rows in set (0.00 sec)

去mysql db服务器上查看binlog 内容,解析完后,没有insert语句,怎么回事,去看my.cnf

#binlog-ignore-db=mysql                         # No sync databases

#binlog-ignore-db=test                          # No sync databases

#binlog-ignore-db=information_schema            # No sync databases

#binlog-ignore-db=performance_schema

原来是对test库有binlog过滤设置,全部注释掉。重启mysql库,重新来一遍,可以在看到binlog

在MySQL客户端上重新执行。

mysql> use test;

Database changed

mysql> insert into test.t1 select ,'t5';

Query OK,  row affected (0.00 sec)

Records:   Duplicates:   Warnings: 

mysql> select * from access_log.access_log;

+----+-----------+---------------------+---------------------------+--------------+

| id | thread_id | log_time            | localname                 | matchname    |

+----+-----------+---------------------+---------------------------+--------------+

|   |         | -- :: | cacti_user@192.168.171.71 | cacti_user@% |

|   |         | -- :: | cacti_user@192.168.171.71 | cacti_user@% |

|   |         | -- :: | cacti_user@192.168.171.71 | cacti_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@192.168.3.62    | audit_user@% |

|   |         | -- :: | audit_user@192.168.3.62    | audit_user@% |

|   |         | -- :: | audit_user@192.168.1.12    | audit_user@% |

|  |          | -- :: | audit_user@192.168.3.62    | audit_user@% |

+----+-----------+---------------------+---------------------------+--------------+

 rows in set (0.00 sec)

看到thread_id为1

,如何查看何跟踪用户行为记录。

去mysql数据库服务器上查看binlog,应该thread_id=1的binlog记录。

[root@db_server binlog]# /usr/local/mysql/bin/mysqlbinlog  --base64-output=DECODE-ROWS  mysql-bin. -v>.log

[root@db_server binlog]# vim .log

# at

# :: server id   end_log_pos  CRC32 0xa323c00e        Query   thread_id=     exec_time=     error_code=

SET TIMESTAMP=/*!*/;

BEGIN

/*!*/;

# at

# :: server id   end_log_pos  CRC32 0xbb8ca914        Table_map: `access_log`.`t1` mapped to number

# at

# :: server id   end_log_pos  CRC32 0x8eed1450        Write_rows: table id  flags: STMT_END_F

### INSERT INTO `access_log`.`t1`

### SET

###   @=

###   @='w0'

# at

# :: server id   end_log_pos  CRC32 0x72b26336        Xid =

COMMIT/*!*/;

看到thread_id=,然后,就可以根据thread_id=1来判断执行这条insert命令的来源,还可以在mysql服务器上执行show full processlist;来得到MySQL客户端的请求端口,

mysql> show full processlist;

+----+------------+-------------------+------+---------+------+-------+-----------------------+

| Id | User       | Host              | db   | Command | Time | State | Info                  |

+----+------------+-------------------+------+---------+------+-------+-----------------------+

|   | audit_user | 192.168.3.62: | test | Sleep   |   |       | NULL                  |

|   | root       | localhost         | NULL | Query   |     | init  | show full processlist |

+----+------------+-------------------+------+---------+------+-------+-----------------------+

 rows in set (0.00 sec)

mysql>

看到Id为1的线程,端口是44657。

我们切换回mysql客户端,去查看端口是44657的是什么进程,如下所示:

[tim@db_client ~]$ netstat -antlp |grep

(Not all processes could be identified, non-owned process info

 will not be shown, you would have to be root to see it all.)

tcp               192.168.3.62:           192.168.1.12:            ESTABLISHED /mysql

[tim@db_client ~]$ 

获取到该进程的PID ,再通过ps -eaf得到该进程所执行的命令,如下所示:

[tim@db_client ~]$ ps -eaf|grep

tim       : pts/    :: mysql -uaudit_user -p -h 192.168.1.12 -P3307

tim        : pts/    :: grep

[tim@db_client ~]$

最后查到是通过mysql客户端登陆连接的。加入这个6335是某个web工程的,那么,也可以根据ps -eaf命令查询得到web工程的进程信息。

参考文章地址:http://blog.chinaunix.net/uid-24086995-id-168445.html
 

在MySQL中使用init-connect与binlog来实现用户操作追踪记录的更多相关文章

  1. 0816关于MySQL的审计 init-connect+binlog实现用户操作追踪

    转自:http://blog.sina.com.cn/s/blog_605f5b4f01013xkv.html mysql 用init-connect+binlog实现用户操作追踪 做access 的 ...

  2. mysql 用init-connect+binlog实现用户操作追踪做access的ip的log记录

    在MYSQL中,每个连接都会先执行init-connect,进行连接的初始化.我们可以在这里获取用户的登录名称和thread的ID值.然后配合binlog,就可以追踪到每个操作语句的操作时间,操作人等 ...

  3. mysql中如何不重复插入满足某些条件的重复的记录的问题

    最近在项目中遇到了这样的一个问题“: 在mysql数据库中需要每次插入的时候不能插入三个字段都相同的记录.在这里使用到了 insert into if not exists  和insert igno ...

  4. mysql中Can't connect to MySQL server on 'localhost' (10061)

    Can't connect to MySQL server on 'localhost' (10061) 第一问题有两个解决方案: 1)没有启动sql服务,以下是具体步骤: 右键-计算机-管理-服务和 ...

  5. mysql中更改字段属性实际上都做了哪些操作

     mysql> set profiling=1; Query OK, 0 rows affected (0.00 sec) mysql> alter table test modify n ...

  6. ORACLE与mysql中查询第n条到第m条的数据记录的方法

    ORACLE: SELECT * FROM             (                  SELECT 表名.*, ROWNUM AS CON FROM 表名 WHERE ROWNUM ...

  7. mySQL中如何给某一IP段的用户授权?

    给一个用用户use ip: 192.168.0.1 语句是: grant all on *.* to root@192.168.0.1 identified by 'pass' 来授权 其中:root ...

  8. 探究MySQL中SQL查询的成本

    成本 什么是成本,即SQL进行查询的花费的时间成本,包含IO成本和CPU成本. IO成本:即将数据页从硬盘中读取到内存中的读取时间成本.通常1页就是1.0的成本. CPU成本:即是读取和检测是否满足条 ...

  9. 【MySQL】centos6中/etc/init.d/下没有mysqld启动文件,怎么办

    如果/etc/init.d/下面没有mysqld的话,service mysqld start也是不好使的,同样,chkconfig mysqld on也是不能用 解决办法: 将mysql的mysql ...

随机推荐

  1. ARM你必须知道的事儿——为啥“PC = PC + 8”?

    为啥是“PC = PC + 8”: “PC = PC + 8”其实这样写容易让人蒙了.“PC = PC + 8”真正含义应该是: 执行处代码地址 = PC - 8: 也就是说,”PC指向的地址“领先“ ...

  2. think in java 第四版读书笔记 第一章对象导论

    很久没有碰过java了,为了项目需要以及以后找工作,还是有必要将think in java通读一遍.欢迎大家一起讨论学习 1.1抽象过程 面向对象语言的5个特性: 1.万物皆对象 任何事物都可以抽象为 ...

  3. 【leetcode】367. Valid Perfect Square

    题目描述: Given a positive integer num, write a function which returns True if num is a perfect square e ...

  4. JDK 与 JRE (转)

    很多程序员已经干了一段时间java了依然不明白jdk与jre的区别.JDK就是Java Development Kit.简单的说JDK是面向开发人员使用的SDK,它提供了Java的开发环境和运行环境. ...

  5. shiro错误No SecurityManager accessible to the calling code

    Shire在Web.xml中shiroFilter的Mapping配置错误 org.apache.shiro.UnavailableSecurityManagerException: No Secur ...

  6. javascript中for-in的用法

    for(var 变量名 in object) alert(变量名[第n个]) : 如果object是josn对象的话,变量名就是属性名 如果object是数组的话,变量名就是数字下标 例子:JOSN对 ...

  7. [DevExpress]ChartControl之时间轴示例

    关键代码: using System; using System.Data; using System.Windows.Forms; using DevExpress.XtraCharts; name ...

  8. php生成圆形图片

    http://files.cnblogs.com/files/adtuu/circle_image.zip

  9. [大牛翻译系列]Hadoop(9)MapReduce 性能调优:理解性能瓶颈,诊断map性能瓶颈

    6.2 诊断性能瓶颈 有的时候作业的执行时间会长得惊人.想靠猜也是很难猜对问题在哪.这一章中将介绍如何界定问题,找到根源.涉及的工具中有的是Hadoop自带的,有的是本书提供的. 系统监控和Hadoo ...

  10. CLR via C# 混合线程同步构造

    1. 自旋,线程所有权和递归 2. 混合构造 a.ManualResetEventSlim b.SemaphoreSlim c.Monitor d.ReaderWriterLockSlim 3.条件变 ...