2.3.8 MySQL Security: Auditing
6. MySQL Security: Audit Management
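Auditing records your operations so that evidence can be checked later. Enabling it on the production database itself is not recommended because it affects performance, but third-party auditing can be used instead.

6.1 Open-source audit feature: MySQL Audit Plugin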
MySQL 5.7 Enterprise Edition ships with a built-in audit feature, but it is a paid product. The Community Edition can use the open-source MySQL Audit Plugin (provided by McAfee).

Download: https://github.com/mcafee/mysql-audit

Parameters involved (my.cnf):

    audit_json_file = on
    plugin-load = AUDIT=libaudit_plugin.so
    audit_record_cmds = 'insert,delete,update,create,drop,alter,grant,truncate'
    audit_json_log_file = /var/log/mysql/mysql-audit.json
    audit_offsets = 7824, 7872, 3632, 4792, 456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, 13464, 148, 672

If audit_record_cmds is not set, all DDL and DML statements are recorded. The audit_offsets values depend on the exact mysqld build.

https://bintray.com/mcafee/mysql-audit-plugin/release/1.1.7-866
https://bintray.com/mcafee/mysql-audit-plugin/release
https://github.com/mcafee/mysql-audit/wiki/Installation

Find the plugin directory:

    mysql root@localhost:auditdb> show global variables like 'plugin_dir';
    +---------------+--------------------------+
    | Variable_name | Value                    |
    +---------------+--------------------------+
    | plugin_dir    | /usr/lib64/mysql/plugin/ |
    +---------------+--------------------------+

Download the plugin, copy it into the plugin directory and restart MySQL:

https://bintray.com/mcafee/mysql-audit-plugin/release#files/

    wget -O audit-plugin-percona-5.7-1.1.7-866-linux-x86_64.zip 'https://bintray.com/mcafee/mysql-audit-plugin/download_file?file_path=audit-plugin-percona-5.7-1.1.7-866-linux-x86_64.zip'
    [root@elasticsearch 09]# unzip audit-plugin-percona-5.7-1.1.7-866-linux-x86_64.zip
    cd audit-plugin-percona-5.7-1.1.7-866/lib/
    [root@elasticsearch lib]# cp libaudit_plugin.so /usr/lib64/mysql/plugin/
    [root@elasticsearch lib]# chmod +x /usr/lib64/mysql/plugin/libaudit_plugin.so
    [root@elasticsearch lib]# service mysqld restart
    Redirecting to /bin/systemctl restart mysqld.service

Install the plugin and check that it is loaded:

    install plugin audit soname 'libaudit_plugin.so';

    mysql root@localhost:(none)> show global status like 'AUDIT_version';
    +---------------+-----------+
    | Variable_name | Value     |
    +---------------+-----------+
    | Audit_version | 1.1.7-866 |
    +---------------+-----------+

    mysql root@localhost:(none)> show global variables like '%audit_json%';
    +---------------------------------+----------------------------------------------------+
    | Variable_name                   | Value                                              |
    +---------------------------------+----------------------------------------------------+
    | audit_json_file                 | ON                                                 |
    | audit_json_file_bufsize         | 1                                                  |
    | audit_json_file_flush           | OFF                                                |
    | audit_json_file_retry           | 60                                                 |
    | audit_json_file_sync            | 0                                                  |
    | audit_json_log_file             | /var/log/mysql/mysql-audit.json                    |
    | audit_json_socket               | OFF                                                |
    | audit_json_socket_name          | /var/run/db-audit/mysql.audit__var_lib_mysql_33057 |
    | audit_json_socket_retry         | 10                                                 |
    | audit_json_socket_write_timeout | 1000                                               |
    +---------------------------------+----------------------------------------------------+

    mysql root@localhost:(none)> show global variables like '%plugin%';
    +-------------------------------+--------------------------+
    | Variable_name                 | Value                    |
    +-------------------------------+--------------------------+
    | audit_uninstall_plugin        | OFF                      |
    | default_authentication_plugin | mysql_native_password    |
    | plugin_dir                    | /usr/lib64/mysql/plugin/ |
    +-------------------------------+--------------------------+

    mysql root@localhost:(none)> show global variables like '%load%';
    +------------------------------------+-------+
    | Variable_name                      | Value |
    +------------------------------------+-------+
    | have_dynamic_loading               | YES   |
    | innodb_buffer_pool_load_abort      | OFF   |
    | innodb_buffer_pool_load_at_startup | ON    |
    | innodb_buffer_pool_load_now        | OFF   |
    | innodb_force_load_corrupted        | OFF   |
    | preload_buffer_size                | 32768 |
    | slave_load_tmpdir                  | /tmp  |
    +------------------------------------+-------+

Read the audit log with jq:

    [root@elasticsearch lib]# yum install jq -y
    [root@elasticsearch lib]# jq . /var/log/mysql/mysql-audit.json

There is a bug with recording CREATE statements: after the plugin was enabled, no record of the CREATE was written at all.

6.2 Implementing MySQL auditing with MySQL's built-in init-connect + binlog
my.cnf: init-connect

01. Create a table to store connection information

    create database auditdb default charset utf8;
    use auditdb;
    create table accesslog(
        ID int primary key auto_increment,
        ConnectionID int,
        ConnUserName varchar(30),
        PrivMatchName varchar(30),
        LoginTime timestamp
    );

02. Configure privileges

    insert into mysql.db(host,db,user,select_priv,Insert_priv) values('%','auditdb','','Y','Y');
    flush privileges;

03. Configure init-connect in my.cnf

    server-id=1
    init-connect='insert into auditdb.accesslog (ConnectionID,ConnUserName,PrivMatchName,LoginTime) values(connection_id(),user(),current_user(),now());'
    log_bin=/var/log/mysql/binlog
    log_bin_index=/var/log/mysql/binlog.index

The directory permissions must be correct:

    [root@elasticsearch ~]# chown mysql:mysql /var/log/mysql/
    [root@elasticsearch ~]# ls /var/log/mysqld.log -l
    -rw-r-----. 1 mysql mysql 458598 9月 12 19:17 /var/log/mysqld.log

Run some statements, then read the binlog:

    mysql root@localhost:auditdb> create database test;
    Query OK, 1 row affected
    Time: 0.001s
    mysql root@localhost:auditdb> drop database test;
    You're about to run a destructive command.
    Do you want to proceed? (y/n): y
    Your call!
    Query OK, 0 rows affected
    Time: 0.001s

    mysqlbinlog /var/log/mysql/binlog.000003

The super administrator root is not logged: the root user is not recorded, because MySQL does not execute init_connect for accounts that have the SUPER privilege.
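How the binlog from 6.2 is tied back to a login, as an added example that is not part of the original article: each Query event header printed by mysqlbinlog carries a thread_id, which is the connection_id() value stored in accesslog.ConnectionID. The binlog text and accesslog rows below are constructed, the function names are hypothetical, and only Query events (DDL such as the create/drop database above) are handled.

```python
import re
from datetime import datetime

# Header that mysqlbinlog prints above each Query event.
HEADER = re.compile(r"^#(\d{6})\s+(\d{1,2}:\d{2}:\d{2}) server id \d+\s+"
                    r"end_log_pos \d+.*\bQuery\s+thread_id=(\d+)")
# Session set-up chunks that mysqlbinlog prints before the statement itself.
NOISE = re.compile(r"^(SET (TIMESTAMP|INSERT_ID|@@)|use |BEGIN$|COMMIT$|/\*!)", re.I)

def parse_query_events(text):
    """Return [(event_time, thread_id, statement)] for the Query events."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m.group(1) + " " + m.group(2), "%y%m%d %H:%M:%S")
            current = (when, int(m.group(3)), [])
            events.append(current)
        elif line.startswith("#"):
            current = None            # offset comment or another event type
        elif current is not None:
            current[2].append(line)
    out = []
    for when, tid, lines in events:
        chunks = (c.strip() for c in "\n".join(lines).split("/*!*/;"))
        stmts = [c for c in chunks if c and not NOISE.match(c)]
        if stmts:
            out.append((when, tid, stmts[-1]))
    return out

def attribute(events, accesslog):
    """accesslog rows: (ConnectionID, ConnUserName, PrivMatchName, LoginTime)."""
    result = []
    for when, tid, stmt in events:
        # Ids restart after a server restart: take the latest login not after the event.
        logins = [r for r in accesslog if r[0] == tid and r[3] <= when]
        who = max(logins, key=lambda r: r[3]) if logins else (None,) * 4
        result.append((when, stmt, who[1], who[2]))
    return result

# Constructed sample data (not taken from the page's server).
SAMPLE_BINLOG = (
    "# at 219\n#190912 19:20:01 server id 1  end_log_pos 313 \tQuery\tthread_id=7\texec_time=0\n"
    "SET TIMESTAMP=1568287201/*!*/;\ncreate database test\n/*!*/;\n"
    "# at 313\n#190912 19:21:30 server id 1  end_log_pos 400 \tQuery\tthread_id=9\texec_time=0\n"
    "SET TIMESTAMP=1568287290/*!*/;\ndrop database test\n/*!*/;\n")
SAMPLE_ACCESSLOG = [(7, "app@10.0.0.5", "app@%", datetime(2019, 9, 10, 8, 0)),  # before a restart
                    (7, "dev@10.0.0.9", "dev@%", datetime(2019, 9, 12, 19, 18))]
if __name__ == "__main__": print(attribute(parse_query_events(SAMPLE_BINLOG), SAMPLE_ACCESSLOG))
```

Statements that come back with no user belong to connections that never ran init-connect, such as root.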