Introduction
Database auditing (DBAudit for short) records database activity on the network in real time, supports fine-grained, compliance-oriented auditing of database operations, raises alerts on risky behaviour against the database and blocks attacks. By recording, analysing and reporting on how users access the database, it helps produce compliance reports after the fact and trace incidents back to their root cause, while strengthening the record of internal and external database network activity and so improving the security of data assets.
The main MySQL audit plugins are the following:
1. MySQL Enterprise Audit Plugin: this plugin is not open source and is only available with MySQL Enterprise, which has a significant cost attached to it. It is the most stable and robust.
2. Percona Audit Log Plugin: Percona provides an open source auditing solution that ships with Percona Server 5.5.37+ and 5.6.17+. It has quite a few output options, writing XML, JSON and syslog. Percona's implementation is the first to be a drop-in replacement for the MySQL Enterprise Audit Plugin. Because it relies on internal hooks into the server to be feature-compatible with Oracle's plugin, it is not available as a standalone plugin for other MySQL builds. It is actively maintained by Percona.
3. McAfee MySQL Audit Plugin: has been around the longest and has been used widely. It is open source and robust, although it does not use the official audit API. It is not updated as often as one might like and has not gained new features in some time; it was recently updated to support MySQL 5.7.
4. MariaDB Audit Plugin: the only plugin that claims to support MySQL, Percona Server and MariaDB. It is open source and is upgraded constantly with new MariaDB releases. Versions from 1.2 onwards are the most stable, and it may be risky to run anything older in a production environment. Versions below 1.2 may be unstable and I have seen them crash production servers. Older versions also log passwords in clear text.
In summary: the official audit plugin is closed source, Percona has its own plugin, the McAfee plugin is rarely updated, and the MariaDB plugin is compatible with MySQL.
Installation
Taking the Percona Audit Log Plugin as the example: Percona Server ships the plugin from 5.5.37/5.6.17 onwards.
Installation steps:
1. Find the plugin directory: show global variables like 'plugin_dir';
2. If audit_log.so is present in that directory, continue; if it is not, obtain the build matching your server version from the Percona website;
3. Install the plugin: install plugin audit_log soname 'audit_log.so';
4. Check the audit parameters: show global variables like 'audit%'; they are described below:
Parameter descriptions
• audit_log_format: log format; the supported values are OLD and NEW (two XML layouts), JSON and CSV;
• audit_log_buffer_size: size of the in-memory log buffer, in bytes; it is only used with the ASYNCHRONOUS and PERFORMANCE strategies;
• audit_log_file: path of the log file; by default audit.log in the data directory;
• audit_log_flush: setting it to ON closes and reopens the log file, which is how the log is rotated manually (for example from logrotate) when size-based rotation is not used;
• audit_log_policy: which events are recorded: ALL, LOGINS, QUERIES or NONE;
• audit_log_handler: where the log is written, FILE or SYSLOG;
• audit_log_rotate_on_size: used together with audit_log_handler=FILE; the size, in bytes, at which each log file is rotated (0 disables rotation); preferably an integer multiple of audit_log_buffer_size;
• audit_log_rotations: used with the above; the number of rotated log files to keep;
• audit_log_strategy: used together with audit_log_handler=FILE; how records reach the file: ASYNCHRONOUS (buffered; waits when the buffer is full, so no events are lost), PERFORMANCE (buffered; drops events when the buffer is full, so unsuitable where a complete trail matters), SEMISYNCHRONOUS (written directly to the file without flushing each event) or SYNCHRONOUS (written and synced to disk on every event);
A JSON-format log record looks like this:
{
"audit_record": {
"name": "Query",
"record": "7656447233_2018-06-25T10:50:30",
"timestamp": "2018-07-08T17:11:17 UTC",
"command_class": "select",
"connection_id": "48174660",
"status": 0,
"sqltext": "select * from test.test;",
"user": "root[root] @ [localhost]",
"host": "",
"os_user": "",
"ip": "",
"db": "test"
}
}
Deployment strategy
To keep the logs easy to store and analyse, the audit log is written in JSON.
• Edit the MySQL configuration file and add the following (my.cnf comments start with #; the rotation size is given in bytes):
[mysqld]
### AUDIT ###
audit_log_format=JSON
audit_log_rotate_on_size=1073741824   # rotate each log file at 1 GiB
audit_log_rotations=10                # keep 10 rotated log files
• Install the plugin:
install plugin audit_log soname 'audit_log.so';
(audit_log_format is a read-only variable: it cannot be changed once the plugin is loaded, so it has to be in the configuration file before INSTALL PLUGIN, which reads the plugin's options from there. The same applies to audit_log_handler, audit_log_strategy and audit_log_file. If the server might be restarted before the plugin has been registered, prefix these options with loose-, e.g. loose-audit_log_format=JSON, so that an option the server does not yet recognise does not stop mysqld from starting.)
Performance overhead
According to Percona's own figures, enabling audit logging costs roughly 3%~5% in performance (the test method was not given; the environment was a Xeon host with 32 GB RAM and a Samsung PRO SSD). In a tpcc run with 128 threads, response time increased by 0.7 ms and the transaction count dropped by 7%.
Limitations
• the audit file cannot be encrypted;
• statements executed inside stored procedures and triggers are not audited;
• operations such as load data infile are not audited;
Auditing community-edition MySQL
Community-edition MySQL can be audited with server_audit.so, which ships with MariaDB, another branch of MySQL. The audit plugin in MariaDB 5.5.37 and MariaDB 10.0.10 and later works with MariaDB, MySQL and Percona Server.
Note: the difference between MariaDB 5.x.x and MariaDB 10.x.x:
• MariaDB 5.x.x: compatible with MySQL 5.x.x, with nearly identical interfaces; community edition only;
• MariaDB 10.x.x: adopts new technology and its interfaces gradually diverge from MySQL; the aim is to move to MariaDB's new interfaces over time;
Installation
The plugin is installed the same way as above; the configuration file changes differ, as follows:
• server_audit_events='CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL'
• server_audit_logging=on
• server_audit_file_path=/data/log/audit.log
• server_audit_file_rotate_size=200000000
• server_audit_file_rotations=200
• server_audit_file_rotate_now=ON
Values written to the configuration file only take effect after the MySQL service is restarted. The server_audit_* variables are dynamic, so they can also be changed at runtime with SET GLOBAL (for example SET GLOBAL server_audit_logging=ON); update the configuration file as well so the setting survives the next restart.
Parameter descriptions
• server_audit_output_type: where the log is written, SYSLOG or FILE
• server_audit_logging: turns auditing on or off
• server_audit_events: the event types to record, as a comma-separated list (CONNECT, QUERY, TABLE, plus the finer QUERY_DDL, QUERY_DML and QUERY_DCL classes); if the query cache is enabled and a query is answered from it, no TABLE record is written for that query
• server_audit_file_path: when server_audit_output_type is FILE, the file the log is written to; a directory may be given, in which case the file is server_audit.log inside it; the default is server_audit.log in the data directory
• server_audit_file_rotate_size: the size, in bytes, at which the log file is rotated
• server_audit_file_rotations: the number of rotated files to keep; 0 means the log is never rotated
• server_audit_file_rotate_now: forces a rotation when set to ON; normally issued at runtime with SET GLOBAL rather than kept in the configuration file
• server_audit_incl_users: the users whose activity is recorded; CONNECT events are not affected by this variable, and it takes precedence over server_audit_excl_users
• server_audit_syslog_facility: the syslog facility, LOG_USER by default
• server_audit_syslog_ident: the ident string included in every syslog record
• server_audit_syslog_info: an info string appended to each syslog record
• server_audit_syslog_priority: the syslogd priority used when writing the records
• server_audit_excl_users: the users whose activity is not recorded; CONNECT events are not affected by this setting
• server_audit_mode: identifies the plugin version/mode; used for development and testing
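The deployment above chose JSON so the Percona log can be analysed by machine, and the server_audit events just described end up in a comma-separated FILE log. As an added example, written for this page rather than taken from Percona or MariaDB, the following Python turns both into one record shape and runs three detections over them: privilege-changing statements, access to mysql.user, and bursts of failed logins from one user@host. The sample records are constructed: the Percona ones follow the shape of the JSON record shown earlier, the server_audit ones follow that plugin's documented `timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode` layout. Host names, addresses, error codes and the failed-login threshold are illustrative assumptions.

```python
# Added example for this page (not Percona or MariaDB code): normalise both audit
# log formats into one record shape, then run a few detections over the records.
import json
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample records shaped like the Percona JSON record above (one object per line).
PERCONA_JSON_LINES = [
    '{"audit_record":{"name":"Connect","record":"1_2018-06-25T10:50:30","timestamp":"2018-07-08T17:11:10 UTC","connection_id":"48174660","status":0,"user":"root","host":"localhost","os_user":"","ip":"","db":"test"}}',
    '{"audit_record":{"name":"Query","record":"2_2018-06-25T10:50:30","timestamp":"2018-07-08T17:11:20 UTC","command_class":"grant","connection_id":"48174660","status":0,"sqltext":"GRANT ALL ON *.* TO \'app\'@\'%\' WITH GRANT OPTION;","user":"root[root] @ [localhost]","host":"","os_user":"","ip":"","db":"test"}}',
    '{"audit_record":{"name":"Query","record":"3_2018-06-25T10:50:30","timestamp":"2018-07-08T17:11:22 UTC","command_class":"select","connection_id":"48174660","status":0,"sqltext":"select User, Host, authentication_string from mysql.user;","user":"root[root] @ [localhost]","host":"","os_user":"","ip":"","db":"test"}}',
    '{"audit_record":{"name":"Connect","record":"4_2018-06-25T10:50:30","timestamp":"2018-07-08T17:11:25 UTC","connection_id":"48174661","status":1045,"user":"app","host":"","os_user":"","ip":"10.0.0.9","db":""}}',
    '{"audit_record":{"name":"Connect","record":"5_2018-06-25T10:50:30","timestamp":"2018-07-08T17:11:26 UTC","connection_id":"48174662","status":1045,"user":"app","host":"","os_user":"","ip":"10.0.0.9","db":""}}',
    '{"audit_record":{"name":"Connect","record":"6_2018-06-25T10:50:30","timestamp":"2018-07-08T17:11:27 UTC","connection_id":"48174663","status":1045,"user":"app","host":"","os_user":"","ip":"10.0.0.9","db":""}}',
]

# Constructed sample lines in server_audit's documented FILE layout:
# timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode
SERVER_AUDIT_LINES = [
    "20180708 17:11:10,db01,root,localhost,5,0,CONNECT,,,0",
    r"20180708 17:11:20,db01,root,localhost,5,13,QUERY,test,'GRANT SELECT ON test.* TO \'report\'@\'%\'',0",
    "20180708 17:11:25,db01,app,10.0.0.9,6,0,FAILED_CONNECT,,,1045",
    "20180708 17:11:26,db01,app,10.0.0.9,7,0,FAILED_CONNECT,,,1045",
    "20180708 17:11:27,db01,app,10.0.0.9,8,0,FAILED_CONNECT,,,1045",
    "20180708 17:11:30,db01,root,localhost,5,14,READ,mysql,user,",
]


@dataclass
class AuditEvent:
    source: str      # "percona" or "mariadb"
    timestamp: str
    user: str
    host: str        # host name or IP, whichever the record carries
    operation: str   # CONNECT, FAILED_CONNECT, QUERY, or a server_audit table op (READ, WRITE, ...)
    db: str
    text: str        # SQL text for QUERY, table name for table events, otherwise ""
    status: int      # MySQL error code; 0 means success


def parse_percona_json(lines: Iterable[str]) -> List[AuditEvent]:
    events = []
    for line in filter(None, (raw.strip().rstrip(",") for raw in lines)):  # tolerate trailing commas
        rec = json.loads(line)["audit_record"]
        status, name = int(rec.get("status", 0)), rec.get("name", "")
        operation = ("CONNECT" if status == 0 else "FAILED_CONNECT") if name == "Connect" else name.upper()
        # Query records pack account and host into one field, e.g. "root[root] @ [localhost]".
        raw_user = rec.get("user", "")
        user = re.split(r"[\[\s@]", raw_user, maxsplit=1)[0]
        host = rec.get("host") or rec.get("ip") or ""
        if not host:
            m = re.search(r"@\s*\[?([^\[\]\s]+)", raw_user)
            host = m.group(1) if m else ""
        events.append(AuditEvent("percona", rec.get("timestamp", ""), user, host,
                                 operation, rec.get("db", ""), rec.get("sqltext", ""), status))
    return events


def parse_server_audit(lines: Iterable[str]) -> List[AuditEvent]:
    events = []
    for line in filter(None, (raw.strip() for raw in lines)):
        # The first eight fields never contain commas; the object (query text) may, so split
        # those off from the left and peel the retcode off the right.
        fields = line.split(",", 8)
        if len(fields) != 9:
            raise ValueError(f"malformed server_audit line: {line!r}")
        ts, _server, user, host, _conn, _qid, operation, db, rest = fields
        obj, retcode = rest.rsplit(",", 1)
        if len(obj) >= 2 and obj[0] == obj[-1] == "'":
            obj = obj[1:-1].replace("\\'", "'")  # query text is quoted, inner quotes escaped
        events.append(AuditEvent("mariadb", ts, user, host, operation, db, obj, int(retcode or 0)))
    return events


PRIVILEGED_SQL = re.compile(
    r"\b(GRANT|REVOKE|CREATE\s+USER|DROP\s+USER|ALTER\s+USER|SET\s+PASSWORD|DROP\s+(DATABASE|SCHEMA))\b",
    re.IGNORECASE)
MYSQL_USER_TABLE = re.compile(r"\bmysql\s*\.\s*user\b", re.IGNORECASE)
TABLE_OPERATIONS = {"READ", "WRITE", "CREATE", "DROP", "ALTER", "RENAME"}  # server_audit TABLE events


def detect(events: List[AuditEvent], failed_login_threshold: int = 3) -> List[Tuple[str, str, str, str]]:
    """Return (rule, source, user@host, detail) tuples for privilege changes,
    mysql.user access and bursts of failed logins from one user@host."""
    findings, failures = [], Counter()
    for e in events:
        who = f"{e.user}@{e.host}"
        if e.operation == "FAILED_CONNECT":
            failures[(e.source, who)] += 1
        elif e.operation == "QUERY":
            if PRIVILEGED_SQL.search(e.text):
                findings.append(("privileged_statement", e.source, who, e.text))
            if MYSQL_USER_TABLE.search(e.text):
                findings.append(("mysql_user_table_access", e.source, who, e.text))
        elif e.operation in TABLE_OPERATIONS and e.db == "mysql" and e.text == "user":
            findings.append(("mysql_user_table_access", e.source, who, f"{e.operation} mysql.user"))
    for (source, who), n in failures.items():
        if n >= failed_login_threshold:
            findings.append(("failed_login_burst", source, who, f"{n} failed connections"))
    return findings
```

To use it on real logs, feed the lines of audit.log or server_audit.log to the matching parser and pass the events to detect(). Keep in mind that the plugin settings decide what can ever be detected: with audit_log_policy=QUERIES, or a server_audit_events list without CONNECT, no connection records are written and the failed-login rule is blind, and with audit_log_strategy=PERFORMANCE events may be dropped under load.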
Uninstallation
The plugin is uninstalled the same way it was installed, with UNINSTALL PLUGIN server_audit;. To prevent the server_audit plugin from being uninstalled, add the following to the configuration file and restart for it to take effect:
[mysqld]
server_audit=FORCE_PLUS_PERMANENT