MySQL审计工具Audit插件使用

一、介绍MySQL AUDIT

MySQL AUDIT Plugin是一个 MySQL安全审计插件，由McAfee提供，设计强调安全性和审计能力。该插件可用作独立审计解决方案，或配置为数据传送给外部监测工具。支持版本为MySQL (5.1, 5.5, 5.6, 5.7)，MariaDB (5.5, 10.0, 10.1) ，Platform (32 or 64 bit)。从Mariadb 10.0版本开始audit插件直接内嵌了，名称为server_audit.so，可以直接加载使用。

源码地址：https://github.com/mcafee/mysql-audit/

WIKI地址：https://github.com/mcafee/mysql-audit/wiki

二进制地址：https://bintray.com/mcafee/mysql-audit-plugin/release

macfee的mysql audit插件虽然日志信息比较大，对性能影响大，但是如果想要开启审计，那也应该忍受了。

二、安装使用MySQL AUDIT

从Mariadb 10.0版本开始audit插件直接内嵌了，名称为server_audit.so，可以直接加载使用，关于Mariadb audit插件安装使用自信Google。

$ ll /usr/lib64/mysql/plugin/server_audit.so 
-rwxr-xr-x 1 root root 240725 Aug  6  2015 /usr/lib64/mysql/plugin/server_audit.so

1 2	$ ll /usr/lib64/mysql/plugin/server_audit.so -rwxr-xr-x 1 root root 240725 Aug 6 2015 /usr/lib64/mysql/plugin/server_audit.so

MySQL安装如下：

$ unzip audit-plugin-mysql-5.7-1.1.1-660-linux-x86_64.zip 
Archive:  audit-plugin-mysql-5.7-1.1.1-660-linux-x86_64.zip
   creating: audit-plugin-mysql-5.7-1.1.1-660/
   creating: audit-plugin-mysql-5.7-1.1.1-660/lib/
  inflating: audit-plugin-mysql-5.7-1.1.1-660/lib/libaudit_plugin.so  
  inflating: audit-plugin-mysql-5.7-1.1.1-660/COPYING  
  inflating: audit-plugin-mysql-5.7-1.1.1-660/THIRDPARTY.txt  
  inflating: audit-plugin-mysql-5.7-1.1.1-660/README.txt

$ unzip audit-plugin-mysql-5.7-1.1.1-660-linux-x86_64.zip

Archive: audit-plugin-mysql-5.7-1.1.1-660-linux-x86_64.zip

creating: audit-plugin-mysql-5.7-1.1.1-660/

creating: audit-plugin-mysql-5.7-1.1.1-660/lib/

inflating: audit-plugin-mysql-5.7-1.1.1-660/lib/libaudit_plugin.so

inflating: audit-plugin-mysql-5.7-1.1.1-660/COPYING

inflating: audit-plugin-mysql-5.7-1.1.1-660/THIRDPARTY.txt

inflating: audit-plugin-mysql-5.7-1.1.1-660/README.txt

MySQL的插件目录为：

mysql> show global variables like 'plugin_dir';
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| plugin_dir    | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+
1 row in set (0.00 sec)

mysql> show global variables like 'plugin_dir';

+---------------+--------------------------+

| Variable_name | Value |

+---------------+--------------------------+

| plugin_dir | /usr/lib64/mysql/plugin/ |

+---------------+--------------------------+

1 row in set (0.00 sec)

复制库文件到MySQL库目录下

$ cp audit-plugin-mysql-5.7-1.1.1-660/lib/libaudit_plugin.so /usr/lib64/mysql/plugin/
$ chmod a+x /usr/lib64/mysql/plugin/libaudit_plugin.so

1 2	$ cp audit-plugin-mysql-5.7-1.1.1-660/lib/libaudit_plugin.so /usr/lib64/mysql/plugin/ $ chmod a+x /usr/lib64/mysql/plugin/libaudit_plugin.so

加载Audit插件

mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';

1	mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';

查看版本

mysql> show global status like '%audit%';
+------------------------+-----------+
| Variable_name          | Value     |
+------------------------+-----------+
| Audit_protocol_version | 1.0       |
| Audit_version          | 1.1.1-660 |
+------------------------+-----------+
2 rows in set (0.01 sec)

mysql> show global status like '%audit%';

+------------------------+-----------+

| Variable_name | Value |

+------------------------+-----------+

| Audit_protocol_version | 1.0 |

| Audit_version | 1.1.1-660 |

+------------------------+-----------+

2 rows in set (0.01 sec)

开启Audit功能

mysql> SET GLOBAL audit_json_file=ON;
Query OK, 0 rows affected (0.00 sec)

1 2	mysql> SET GLOBAL audit_json_file=ON; Query OK, 0 rows affected (0.00 sec)

执行任何语句(默认会记录任何语句)，然后去mysql数据目录查看mysql-audit.json文件(默认为该文件)。

当然，我们还可以通过命令查看audit相关的命令。

mysql> SHOW GLOBAL VARIABLES LIKE '%audit%';
+---------------------------------+-----------------------------------------------------------------------------------------+
| Variable_name                   | Value                                                                                   |
| audit_checksum                  |                                                                                         |
| audit_client_capabilities       | OFF                                                                                     |
| audit_delay_cmds                |                                                                                         |
| audit_delay_ms                  | 0                                                                                       |
| audit_force_record_logins       | OFF                                                                                     |
| audit_header_msg                | ON                                                                                      |
| audit_json_file                 | ON                                                                                      |
| audit_json_file_bufsize         | 1                                                                                       |
| audit_json_file_flush           | OFF                                                                                     |
| audit_json_file_retry           | 60                                                                                      |
| audit_json_file_sync            | 0                                                                                       |
| audit_json_log_file             | mysql-audit.json                                                                        |
| audit_json_socket               | OFF                                                                                     |
| audit_json_socket_name          | /var/run/db-audit/mysql.audit__data_mysql_3306_data_3306                                |
| audit_json_socket_retry         | 10                                                                                      |
| audit_offsets                   |                                                                                         |
| audit_offsets_by_version        | ON                                                                                      |
| audit_password_masking_cmds     | CREATE_USER,GRANT,SET_OPTION,SLAVE_START,CREATE_SERVER,ALTER_SERVER,CHANGE_MASTER       |
| audit_password_masking_regex    | identified(?:/\*.*?\*/|\s)*?by(?:/\*.*?\*/|\s)*?(?:password)?(?:/\*.*?\*/|\s)*? | ..... |
| audit_record_cmds               |                                                                                         |
| audit_record_objs               |                                                                                         |
| audit_sess_connect_attrs        | ON                                                                                      |
| audit_uninstall_plugin          | OFF                                                                                     |
| audit_validate_checksum         | ON                                                                                      |
| audit_validate_offsets_extended | ON                                                                                      |
| audit_whitelist_cmds            | BEGIN,COMMIT                                                                            |
| audit_whitelist_users           |                                                                                         |
+---------------------------------+-----------------------------------------------------------------------------------------+

mysql> SHOW GLOBAL VARIABLES LIKE '%audit%';

+---------------------------------+-----------------------------------------------------------------------------------------+

| Variable_name | Value |

| audit_checksum | |

| audit_client_capabilities | OFF |

| audit_delay_cmds | |

| audit_delay_ms | 0 |

| audit_force_record_logins | OFF |

| audit_header_msg | ON |

| audit_json_file | ON |

| audit_json_file_bufsize | 1 |

| audit_json_file_flush | OFF |

| audit_json_file_retry | 60 |

| audit_json_file_sync | 0 |

| audit_json_log_file | mysql-audit.json |

| audit_json_socket | OFF |

| audit_json_socket_name | /var/run/db-audit/mysql.audit__data_mysql_3306_data_3306 |

| audit_json_socket_retry | 10 |

| audit_offsets | |

| audit_offsets_by_version | ON |

| audit_password_masking_cmds | CREATE_USER,GRANT,SET_OPTION,SLAVE_START,CREATE_SERVER,ALTER_SERVER,CHANGE_MASTER |

| audit_password_masking_regex | identified(?:/\*.*?\*/|\s)*?by(?:/\*.*?\*/|\s)*?(?:password)?(?:/\*.*?\*/|\s)*? | ..... |

| audit_record_cmds | |

| audit_record_objs | |

| audit_sess_connect_attrs | ON |

| audit_uninstall_plugin | OFF |

| audit_validate_checksum | ON |

| audit_validate_offsets_extended | ON |

| audit_whitelist_cmds | BEGIN,COMMIT |

| audit_whitelist_users | |

+---------------------------------+-----------------------------------------------------------------------------------------+

其中我们需要关注的参数有：

1. audit_json_file

是否开启audit功能。

2. audit_json_log_file

记录文件的路径和名称信息。

3. audit_record_cmds

audit记录的命令，默认为记录所有命令。可以设置为任意dml、dcl、ddl的组合。如：audit_record_cmds=select,insert,delete,update。还可以在线设置set global audit_record_cmds=NULL。(表示记录所有命令)

4. audit_record_objs

audit记录操作的对象，默认为记录所有对象，可以用SET GLOBAL audit_record_objs=NULL设置为默认。也可以指定为下面的格式：audit_record_objs=,test.*,mysql.*,information_schema.*。

5. audit_whitelist_users

用户白名单。

三、查看审计数据

插入一些数据，查看一下mysql-audit.json文件信息（json格式），如下：

$ cat /data/mysql/3306/data/mysql-audit.json
{"msg-type":"activity","date":"1484735457403","thread-id":"6","query-id":"69","user":"root","priv_user":"root","ip":"","host":"localhost",
"connect_attrs":{"_os":"Linux","_client_name":"libmysql","_pid":"21284","_client_version":"5.7.17","_platform":"x86_64","program_name":"mysql"},
"cmd":"insert","objects":[{"db":"test","name":"tt","obj_type":"TABLE"}],"query":"insert into test.tt(count) values('1')"}